2017-12-21 - HANCITOR MALSPAM - SUBJECT: RE: FW: DECEMBER BILLING INVOICE
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-12-21-Hancitor-malspam-traffic.pcap.zip 491 kB (490,770 bytes)
- Zip archive of 33 emails: 2017-12-21-Hancitor-malspam-emails.zip 30.8 kB (30,763 bytes)
- Zip archive of the malware: 2017-12-21-Hancitor-malware.zip 223 kB (223,215 bytes)
NOTES:
- Today, post-infection malware from Hancitor malspam includes the Zeus Panda banking Trojan.
- Of course, there's still Pony and Evil Pony (both fileless) also downloaded by Hancitor from the Word document macro.
- As always, thanks to people like @fletchsec, @James_inthe_box, @Simpo13, and others who contributed to the Twitter discussion today.
- @James_inthe_box published additional indicators (link) that I've included in this report.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- coffeedoesgood.com
- coffeeforles.us
- eciggystore.com
- ecigsforless.com
- eleanorlarsonart.com
- hybriscoach.com
- planetfriendlycoffee.com
- planetfriendlywater.com
- quickkups.com
- royalconnection.org
- royalconnectioncoffee.com
- tikihut.coffee
- tikihutcafe.com
- tikihutcoffee.biz
- tikihutcoffee.us
- utahrates.com
- andrejoter.com
- dokemyhed.ru
- vehopehers.ru
- hxxp://boobsandbabes.com/1
- hxxp://boobsandbabes.com/2
- hxxp://boobsandbabes.com/3
- hxxp://rutstudio.pl/1
- hxxp://rutstudio.pl/2
- hxxp://rutstudio.pl/3
- hxxp://wingchun-giessen.de/wp-content/uploads/2014/06/1
- hxxp://wingchun-giessen.de/wp-content/uploads/2014/06/2
- hxxp://wingchun-giessen.de/wp-content/uploads/2014/06/3
- hxxp://www.americanfreethought.com/wordpress/1
- hxxp://www.americanfreethought.com/wordpress/2
- hxxp://www.americanfreethought.com/wordpress/3
- hxxp://www.emilianobursese.com.ar/wp-content/plugins/bulletproof-security/1
- hxxp://www.emilianobursese.com.ar/wp-content/plugins/bulletproof-security/2
- hxxp://www.emilianobursese.com.ar/wp-content/plugins/bulletproof-security/3
- kedfortmoleft.ru
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Thursday 2017-12-21 as early as 15:28 through at least 20:07 UTC
- Subject: RE: FW: december billing invoice
- Received: from nortconsulting.net ([12.186.237.244])
- Received: from nortconsulting.net ([24.43.195.254])
- Received: from nortconsulting.net ([24.119.166.10])
- Received: from nortconsulting.net ([24.159.72.85])
- Received: from nortconsulting.net ([24.183.26.75])
- Received: from nortconsulting.net ([24.222.94.46])
- Received: from nortconsulting.net ([50.249.244.57])
- Received: from nortconsulting.net ([50.79.52.5])
- Received: from nortconsulting.net ([64.60.13.226])
- Received: from nortconsulting.net ([67.52.227.178])
- Received: from nortconsulting.net ([67.77.243.36])
- Received: from nortconsulting.net ([68.236.205.98])
- Received: from nortconsulting.net ([69.15.124.81])
- Received: from nortconsulting.net ([69.161.91.237])
- Received: from nortconsulting.net ([70.88.231.82])
- Received: from nortconsulting.net ([71.12.100.6])
- Received: from nortconsulting.net ([71.191.193.11])
- Received: from nortconsulting.net ([72.4.5.34])
- Received: from nortconsulting.net ([72.87.93.93])
- Received: from nortconsulting.net ([73.233.73.224])
- Received: from nortconsulting.net ([86.151.153.185])
- Received: from nortconsulting.net ([90.63.216.156])
- Received: from nortconsulting.net ([97.90.104.14])
- Received: from nortconsulting.net ([98.103.65.114])
- Received: from nortconsulting.net ([185.16.210.16])
- Received: from nortconsulting.net ([190.4.186.152])
- Received: from nortconsulting.net ([192.154.121.214])
- Received: from nortconsulting.net ([201.229.68.245])
- Received: from nortconsulting.net ([213.120.121.78])
- Received: from nortconsulting.net ([216.26.206.112])
- Received: from nortconsulting.net ([216.37.70.43])
- Received: from nortconsulting.net ([216.174.116.246])
- From (spoofed): "Alayna Croxton" <finance@nortconsulting.net>
- From (spoofed): "Alton Sangster" <finance@nortconsulting.net>
- From (spoofed): "Amos Coonrod" <finance@nortconsulting.net>
- From (spoofed): "Annalisa Benedict" <finance@nortconsulting.net>
- From (spoofed): "Antoinette Valentine" <finance@nortconsulting.net>
- From (spoofed): "Bernadine Daub" <finance@nortconsulting.net>
- From (spoofed): "Bronwyn Rambo" <finance@nortconsulting.net>
- From (spoofed): "Christiane Littles" <finance@nortconsulting.net>
- From (spoofed): "Clarinda Johnston" <finance@nortconsulting.net>
- From (spoofed): "Cornell Lowy" <finance@nortconsulting.net>
- From (spoofed): "Danilo Decaro" <finance@nortconsulting.net>
- From (spoofed): "Darryl Ryberg" <finance@nortconsulting.net>
- From (spoofed): "Gennie Haggard" <finance@nortconsulting.net>
- From (spoofed): "Heath Burroughs" <finance@nortconsulting.net>
- From (spoofed): "Junita Garcia" <finance@nortconsulting.net>
- From (spoofed): "Kirstie Mertz" <finance@nortconsulting.net>
- From (spoofed): "Kisha Escovedo" <finance@nortconsulting.net>
- From (spoofed): "Lesha Northington" <finance@nortconsulting.net>
- From (spoofed): "Letitia Foronda" <finance@nortconsulting.net>
- From (spoofed): "Margurite Schnee" <finance@nortconsulting.net>
- From (spoofed): "Monika Punch" <finance@nortconsulting.net>
- From (spoofed): "Soila Etienne" <finance@nortconsulting.net>
- From (spoofed): "Yahaira Hummer" <finance@nortconsulting.net>
- From (spoofed): "Yvette Mcclane" <finance@nortconsulting.net>
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO THE WORD DOCUMENT:
- hxxp://coffeeforles.us?[encoded string]=[encoded string representing recipient's email address]
- hxxp://eciggystore.com?[encoded string]=[encoded string representing recipient's email address]
- hxxp://ecigsforless.com?[encoded string]=[encoded string representing recipient's email address]
- hxxp://eleanorlarsonart.com?[encoded string]=[encoded string representing recipient's email address]
- hxxp://hybriscoach.com?[encoded string]=[encoded string representing recipient's email address]
- hxxp://planetfriendlycoffee.com?[encoded string]=[encoded string representing recipient's email address]
- hxxp://planetfriendlywater.com?[encoded string]=[encoded string representing recipient's email address]
- hxxp://quickkups.com?[encoded string]=[encoded string representing recipient's email address]
- hxxp://royalconnection.org?[encoded string]=[encoded string representing recipient's email address]
- hxxp://royalconnectioncoffee.com?[encoded string]=[encoded string representing recipient's email address]
- hxxp://tikihut.coffee?[encoded string]=[encoded string representing recipient's email address]
- hxxp://tikihutcafe.com?[encoded string]=[encoded string representing recipient's email address]
- hxxp://tikihutcoffee.biz?[encoded string]=[encoded string representing recipient's email address]
- hxxp://tikihutcoffee.us?[encoded string]=[encoded string representing recipient's email address]
- hxxp://utahrates.com?[encoded string]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM MY INFECTED LAB HOST:
- 119.28.100.108 port 80 - utahrates.com - GET /?[string of characters]=[encoded string representing recipient's email address]
- api.ipify.org - GET /
- 193.33.133.88 port 80 - andrejoter.com - POST /ls5/forum.php
- 193.33.133.88 port 80 - andrejoter.com - POST /mlu/forum.php
- 193.33.133.88 port 80 - andrejoter.com - POST /d2/about.php
- 85.13.155.85 port 80 - wingchun-giessen.de - GET /wp-content/uploads/2014/06/1
- 85.13.155.85 port 80 - wingchun-giessen.de - GET /wp-content/uploads/2014/06/2
- 82.202.166.125 port 443 - kedfortmoleft.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- www.google.com - HTTPS traffic, probably a connectivity check by infected Windows host
FILE HASHES
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 9906d7cbd7675f3334ef91e3a63792180e149b07a5899b1e2f9be5dcc6e8a086
File size: 184,320 bytes
File name: invoice_[6 random digits].doc
File description: Word document with macro for Hancitor
- SHA256 hash: 103176ef8223aa3f3cbf0bce91019a1688258eeea257d9aa617b31676e373c86
File size: 174,592 bytes
File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
File description: Zeus Panda Banker
IMAGES
Shown above: Zeus Panda Banker persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-12-21-Hancitor-malspam-traffic.pcap.zip 491 kB (490,770 bytes)
- Zip archive of 33 emails: 2017-12-21-Hancitor-malspam-emails.txt.zip 30.8 kB (30,763 bytes)
- Zip archive of the malware: 2017-12-21-Hancitor-malware.zip 223 kB (223,215 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.