2018-01-10 - HANCITOR MALSPAM - FAKE UPS SHIPPING NOTIFICATION
ASSOCIATED FILES:
- Zip archive of the pcap: 2018-01-10-Hancitor-malspam-traffic-with-Zeus-Panda-Banker.pcap.zip 2.2 MB (2,150,282 bytes)
- Zip archive of the emails: 2018-01-10-Hancitor-malspam-examples.txt.zip 6.4 kB (6,434 bytes)
- Zip archive of the malware: 2018-01-10-Hancitor-maldoc-and-Zeus-Panda-Banker.zip 244 kB (243,881 bytes)
NOTES:
- Hancitor malspam is back from the holiday break!
- As usual, post-infection malware from Hancitor malspam includes the Zeus Panda banking Trojan.
- Pony and Evil Pony (both file-less) are still downloaded by Hancitor through the Word document macro.
- @James_inthe_box and @MalwareBlueTeam documented additional indicators that I've included in this blog post.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2018-01-10 as early as 15:53 through at least 17:36 UTC
- Subject: UPS Ship Notification,Reference Number 1: 173765
- Subject: UPS Ship Notification,Reference Number 1: 207828
- Subject: UPS Ship Notification,Reference Number 1: 435037
- Subject: UPS Ship Notification,Reference Number 1: 515863
- Subject: UPS Ship Notification,Reference Number 1: 627164
- Subject: UPS Ship Notification,Reference Number 1: 652012
- Subject: UPS Ship Notification,Reference Number 1: 782653
- Subject: UPS Ship Notification,Reference Number 1: 844017
- Subject: UPS Ship Notification,Reference Number 1: 872177
- Received: from uspa.com ([24.151.24.40])
- Received: from uspa.com ([50.207.113.250])
- Received: from uspa.com ([50.250.168.165])
- Received: from uspa.com ([50.253.70.82])
- Received: from uspa.com ([66.11.73.209])
- Received: from uspa.com ([72.68.134.154])
- Received: from uspa.com ([188.39.111.250])
- Received: from uspa.com ([213.120.121.78])
- From (spoofed): "UPS Quantum View" <pkginfo@uspa.com>
Shown above: Malicious Word document downloaded from a link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO THE WORD DOCUMENT:
- hxxp://chillionista.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://janmariejackson.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://karymurdaneta.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://melissamontalvo.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://roadmastergroup.net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://thechillionairezone.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://toxinfreeclub.com?[string of characters]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM MY INFECTED LAB HOST:
- 95.163.250.154 port 80 - melissamontalvo.com - GET /?[string of characters]=[encoded string representing recipient's email address]
- api.ipify.org - GET /
- 82.202.166.32 port 80 - unhesrowrab.com - POST /ls5/forum.php
- 82.202.166.32 port 80 - unhesrowrab.com - POST /mlu/forum.php
- 82.202.166.32 port 80 - unhesrowrab.com - POST /d2/about.php
- 149.71.234.76 port 80 - expatrions-nous.com - GET /wp-content/plugins/ultimate-wp-cache/11
- 149.71.234.76 port 80 - expatrions-nous.com - GET /wp-content/plugins/ultimate-wp-cache/22
- 149.71.234.76 port 80 - expatrions-nous.com - GET /wp-content/plugins/ultimate-wp-cache/3
- 62.109.21.136 port 443 - disithedtse.com - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- www.google.com - HTTPS traffic, probably a connectivity check by infected Windows host
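Added example (not from the original post): a small Python detector that looks for the infection sequence listed above in proxy-style log lines: a GET to api.ipify.org, followed within a short window by POST check-ins to forum.php or about.php and GETs for the /11, /22 and /3 payload paths. The log line format, the internal source addresses, the time window and the sample lines themselves are constructed assumptions; the host names and paths are the ones recorded in the traffic above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not taken from the pcap): "time src method host path".
SAMPLE_LOG = """\
2018-01-10T16:02:11 10.0.0.7 GET melissamontalvo.com /?x=ENCODED_RECIPIENT
2018-01-10T16:02:40 10.0.0.7 GET api.ipify.org /
2018-01-10T16:02:41 10.0.0.7 POST unhesrowrab.com /ls5/forum.php
2018-01-10T16:02:43 10.0.0.7 POST unhesrowrab.com /mlu/forum.php
2018-01-10T16:02:44 10.0.0.7 GET expatrions-nous.com /wp-content/plugins/ultimate-wp-cache/11
2018-01-10T16:02:45 10.0.0.7 GET expatrions-nous.com /wp-content/plugins/ultimate-wp-cache/22
2018-01-10T16:03:01 10.0.0.7 POST unhesrowrab.com /d2/about.php
2018-01-10T16:05:00 10.0.0.9 GET api.ipify.org /
2018-01-10T16:30:00 10.0.0.9 GET www.example.com /index.html
"""

# Patterns follow the traffic listed in the post; the log format itself is assumed.
IP_LOOKUP = re.compile(r"^api\.ipify\.org$")           # external IP check before check-in
C2_CHECKIN = re.compile(r"/(forum|about)\.php$")        # Hancitor POST check-in paths
PAYLOAD_GET = re.compile(r"/wp-content/.+/(11|22|3)$")  # follow-up payload downloads

def parse_line(line):
    ts, src, method, host, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), src, method, host, path

def find_hancitor_chains(log_text, window_seconds=300):
    """Per source host: an IP lookup followed within the window by at least one
    C2 POST and one payload GET is reported as a likely Hancitor infection."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src[rec[1]].append(rec)
    findings = []
    for src, reqs in by_src.items():
        reqs.sort()  # by timestamp
        for i, (t0, _, method, host, _) in enumerate(reqs):
            if method != "GET" or not IP_LOOKUP.match(host):
                continue
            later = [r for r in reqs[i + 1:] if (r[0] - t0).total_seconds() <= window_seconds]
            checkins = [r for r in later if r[2] == "POST" and C2_CHECKIN.search(r[4])]
            payloads = [r for r in later if r[2] == "GET" and PAYLOAD_GET.search(r[4])]
            if checkins and payloads:
                findings.append({"src": src, "first_seen": t0.isoformat(),
                                 "c2_hosts": sorted({r[3] for r in checkins}),
                                 "payload_hosts": sorted({r[3] for r in payloads}),
                                 "payload_count": len(payloads)})
                break  # one finding per source host is enough for triage
    return findings
```

The second sample host only performs the IP lookup and is not reported, which keeps the lone api.ipify.org request (common in legitimate software) from firing on its own.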
FILE HASHES
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 85d2ba3f12877bf7e531ec1970909f2ea20f55ba17d27f4a5b65e8e8dc493909
File size: 240,640 bytes
File name: ups_[6 random digits].doc
File description: Word document with macro for Hancitor
- SHA256 hash: a63a22c351534a42d6b9c66988103589a12c5be6eaa209b8b301c524f756cf99
File size: 174,592 bytes
File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
File description: Zeus Panda Banker
IMAGES
Shown above: Zeus Panda Banker persistent on the infected Windows host.
FINAL NOTES
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.