2018-02-20 - HANCITOR MALSPAM - FAKE ADP PAYROLL INVOICE
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-02-20-Hancitor-malspam-traffic.zip 2.2 MB (2,162,484 bytes)
- 2018-02-20-Hancitor-JS-file-download-and-infection-traffic.pcap (2,173,787 bytes)
- 2018-02-20-Hancitor-maldoc-download-only.pcap (376,904 bytes)
- Zip archive of the emails: 2018-02-20-Hancitor-malspam-30-email-examples.txt.zip 2.8 kB (2,775 bytes)
- 2018-02-20-Hancitor-malspam-30-email-examples.txt (30,105 bytes)
- Zip archive of the malware: 2018-02-20-Hancitor-infection-malware-and-artifacts.zip 433 kB (432,569 bytes)
- 2018-02-20-Hancitor-binary.exe (61,440 bytes)
- 2018-02-20-Hancitor-downloader-invoice_311706.js (35,396 bytes)
- 2018-02-20-Hancitor-maldoc-invoice_143264.doc (346,624 bytes)
- 2018-02-20-Zeus-Panda-Banker.exe (169,984 bytes)
NOTES:
- Links from the malspam with /adp.php in the URL returned JavaScript (.js) files.
- Links from the malspam without /adp.php in the URL returned a Word document.
- The .js files downloaded and ran the Hancitor binary (retrieved as 1.exe and saved as WinHost32.exe under the user's profile directory).
- The Word documents had a malicious macro that contained the Hancitor malware.
- As usual, we saw 3 follow-up downloads for Pony, Evil Pony, and Zeus Panda Banker.
- As usual, Pony and Evil Pony were resident in the infected host's memory, while Zeus Panda Banker was stored to disk.
Shown above: Flowchart for today's Hancitor infection traffic.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- beasecurityguard.com
- brelicensewithus.com
- foodhandlerlicense.com
- getabrelicense.com
- getyourbrelicense.com
- premierrealestateschools.info
- premierrealestateschools.org
- realestatelicense.la
- realestateschools.training
- realestatesschools.academy
- securityguardschooling.com
- rymoonthen.com
- hxxp://uttamah.com/wp-content/plugins/pretty-link/includes/1
- hxxp://uttamah.com/wp-content/plugins/pretty-link/includes/2
- hxxp://uttamah.com/wp-content/plugins/pretty-link/includes/3
- lyhemsasit.ru
EMAILS
Shown above: Screenshot from one of the emails with link to a .js file.
Shown above: Downloading a .js file from one of the emails.
Shown above: Screenshot from one of the emails with link to a Word document.
Shown above: Downloading a Word document from one of the emails.
EMAIL HEADERS:
- Date/Time: Tuesday 2018-02-20 as early as 15:47 through at least 20:12 UTC
- From (spoofed): "ADP, LLC" <un.payroll.invoice@apdm.com>
- Received: from ([75.144.249.209])
- Received: from ([76.237.148.143])
- Received: from apdm.com ([12.118.41.74])
- Received: from apdm.com ([24.18.144.193])
- Received: from apdm.com ([24.213.39.82])
- Received: from apdm.com ([47.190.13.102])
- Received: from apdm.com ([50.75.129.98])
- Received: from apdm.com ([50.77.19.245])
- Received: from apdm.com ([50.248.80.249])
- Received: from apdm.com ([64.31.248.50])
- Received: from apdm.com ([64.183.12.86])
- Received: from apdm.com ([65.153.153.118])
- Received: from apdm.com ([69.4.50.182])
- Received: from apdm.com ([70.91.150.67])
- Received: from apdm.com ([71.15.218.215])
- Received: from apdm.com ([72.76.45.178])
- Received: from apdm.com ([75.146.239.186])
- Received: from apdm.com ([117.240.183.117])
- Received: from apdm.com ([173.186.35.186])
- Received: from apdm.com ([173.209.154.162])
- Received: from apdm.com ([173.235.8.204])
- Received: from apdm.com ([185.99.139.214])
- Received: from apdm.com ([207.194.39.194])
- Received: from apdm.com ([208.67.102.180])
- Received: from apdm.com ([209.118.33.114])
- Received: from apdm.com ([216.7.131.82])
- Received: from apdm.com ([216.82.193.52])
- Received: from apdm.com ([216.218.189.211])
- Received: from apdm.com ([217.155.10.198])
- Received: from apdm.com ([218.197.8.26])
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 047165040
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 062383653
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 068118517
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 068385525
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 081870747
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 206611543
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 224331466
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 265360856
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 273258344
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 278020070
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 281036532
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 282152613
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 285474521
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 324623486
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 344321326
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 352164242
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 370563263
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 381310557
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 414713572
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 451315017
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 526237504
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 546271588
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 567075811
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 582484510
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 660404721
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 665524514
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 745258322
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 822521504
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 834775063
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 841467436
- Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 861551581
TRAFFIC
Shown above: Traffic from a .js-based Hancitor infection filtered in Wireshark.
LINKS IN THE EMAILS TO THE WORD DOCUMENT OR .JS FILE (the /adp.php links returned the .js file, the others returned the Word document):
- hxxp://beasecurityguard.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://brelicensewithus.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://brelicensewithus.com/adp.php?[string of characters]=[encoded string representing recipient's email address]
- hxxp://foodhandlerlicense.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://getabrelicense.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://getabrelicense.com/adp.php?[string of characters]=[encoded string representing recipient's email address]
- hxxp://getyourbrelicense.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://premierrealestateschools.info?[string of characters]=[encoded string representing recipient's email address]
- hxxp://premierrealestateschools.org?[string of characters]=[encoded string representing recipient's email address]
- hxxp://realestatelicense.la?[string of characters]=[encoded string representing recipient's email address]
- hxxp://realestateschools.training?[string of characters]=[encoded string representing recipient's email address]
- hxxp://realestatesschools.academy?[string of characters]=[encoded string representing recipient's email address]
- hxxp://realestatesschools.academy/adp.php?[string of characters]=[encoded string representing recipient's email address]
- hxxp://securityguardschooling.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://securityguardschooling.com/adp.php?[string of characters]=[encoded string representing recipient's email address]
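The following Python script is an added example (not the page author's code) that triages a batch of messages in the shape shown in the email header list and the link list above: it pulls the originating hop out of each message's Received headers, checks the subject against the campaign template, flags a From display name claiming ADP on a non-adp.com domain, and classifies each link by whether it carries the /adp.php path. The two sample messages are constructed; their relay names, IPs and query-string values are placeholders, not values from the real emails.

```python
"""Triage a batch of ADP-themed malspam of the kind listed on this page:
pull the originating hop out of each message's Received headers, check the
subject line against the campaign template, and classify each link by whether
it carries the /adp.php path (which returned a .js file) or not (Word document)."""
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Subject template from the 30 emails: "ADP Payroll Invoice for week ending
# 02/16/2018 - 01728. Invoice: <nine digits>".
SUBJECT_RE = re.compile(
    r"^ADP Payroll Invoice for week ending \d{2}/\d{2}/\d{4} - \d+\. Invoice: \d{9}$"
)
# Matches both "from apdm.com ([12.118.41.74])" and the HELO-less
# "from ([75.144.249.209])" forms seen in the header list.
HOP_RE = re.compile(r"\bfrom\s+(?:(\S+)\s+)?\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages (not any of the 30 real emails). The relay
# names, IPs and the query-string value are placeholders.
SAMPLE_EMAILS = [
    """Received: from mail.example.test (mail.example.test [203.0.113.5])
 by mx.example.test with ESMTP id abc123; Tue, 20 Feb 2018 15:47:02 +0000
Received: from apdm.com ([198.51.100.23])
 by mail.example.test with SMTP; Tue, 20 Feb 2018 15:47:00 +0000
From: "ADP, LLC" <un.payroll.invoice@apdm.com>
To: victim1@example.test
Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 047165040
Content-Type: text/plain

Your invoice is ready: http://securityguardschooling.com/adp.php?abcdef=ENCODEDRECIPIENT
""",
    """Received: from ([203.0.113.77])
 by mx.example.test with ESMTP id def456; Tue, 20 Feb 2018 20:12:30 +0000
From: "ADP, LLC" <un.payroll.invoice@apdm.com>
To: victim2@example.test
Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 062383653
Content-Type: text/plain

Your invoice is ready: http://beasecurityguard.com?abcdef=ENCODEDRECIPIENT
""",
]


def originating_hop(msg):
    """Return (helo, ip) from the bottom-most Received header, i.e. the hop
    this page's header list reports. Only hops written by your own servers
    are trustworthy; anything below them can be forged by the sender."""
    for value in reversed(msg.get_all("Received") or []):
        m = HOP_RE.search(str(value))
        if m:
            return (m.group(1) or "", m.group(2))
    return ("", "")


def classify_link(url):
    """Map a link to the payload type this page observed for its path."""
    parts = urlsplit(url)
    kind = "js" if parts.path == "/adp.php" else "doc"
    return (parts.hostname, kind)


def triage(raw_messages):
    report = {"sender_ips": set(), "helos": set(), "subject_hits": 0,
              "lookalike_from": 0, "links": []}
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        helo, ip = originating_hop(msg)
        if ip:
            report["sender_ips"].add(ip)
        if helo:
            report["helos"].add(helo)
        if SUBJECT_RE.match(str(msg["Subject"] or "")):
            report["subject_hits"] += 1
        # Display name claims ADP but the address domain is not adp.com.
        for sender in (msg["From"].addresses if msg["From"] else ()):
            if "adp" in sender.display_name.lower() and sender.domain.lower() != "adp.com":
                report["lookalike_from"] += 1
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body else ""
        for url in URL_RE.findall(text):
            report["links"].append(classify_link(url))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAILS).items():
        print(key, value)
```

The sender IPs and HELO names it collects are what the header list above summarizes; the page does not say how the recipient address in the query string is encoded, so the script keeps the value opaque rather than guessing at a decoder.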
NETWORK TRAFFIC FROM MY INFECTED LAB HOST (.JS-BASED INFECTION):
- 92.53.78.188 port 80 - securityguardschooling.com - GET /adp.php?[string of characters]=[encoded string representing recipient's email address]
- 92.53.78.188 port 80 - getyourbrelicense.com - GET /1.exe
- api.ipify.org - GET /
- 37.230.228.150 port 80 - rymoonthen.com - POST /ls5/forum.php
- 37.230.228.150 port 80 - rymoonthen.com - POST /mlu/forum.php
- 37.230.228.150 port 80 - rymoonthen.com - POST /d2/about.php
- 192.254.232.169 port 80 - uttamah.com - GET /wp-content/plugins/pretty-link/includes/1
- 192.254.232.169 port 80 - uttamah.com - GET /wp-content/plugins/pretty-link/includes/2
- 192.254.232.169 port 80 - uttamah.com - GET /wp-content/plugins/pretty-link/includes/3
- 185.48.239.33 port 443 - lyhemsasit.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- www.google.com - HTTPS traffic, probably a connectivity check by infected Windows host
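As an added example (not code from this page's author), the script below runs the indicators and the traffic sequence described above over proxy-style HTTP log lines: block-list hits on the domains and URLs listed earlier, the api.ipify.org lookup followed by a POST check-in to a forum.php or about.php path from the same client, and the /1, /2, /3 follow-up downloads from one directory. The log format, the five-minute check-in window and the generalised check-in path pattern are assumptions; the sample log lines are constructed, not taken from the pcap.

```python
"""Run this page's Hancitor indicators and traffic pattern over proxy-style
HTTP log lines: block-list hits, the api.ipify.org lookup followed by a POST
check-in to a forum.php/about.php path, and the /1, /2, /3 follow-up downloads."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Domains and URLs from the block list above.
BLOCK_DOMAINS = {
    "beasecurityguard.com", "brelicensewithus.com", "foodhandlerlicense.com",
    "getabrelicense.com", "getyourbrelicense.com", "premierrealestateschools.info",
    "premierrealestateschools.org", "realestatelicense.la",
    "realestateschools.training", "realestatesschools.academy",
    "securityguardschooling.com", "rymoonthen.com", "lyhemsasit.ru",
}
BLOCK_URLS = {"uttamah.com/wp-content/plugins/pretty-link/includes/" + n for n in "123"}
# Check-in paths seen here were /ls5/forum.php, /mlu/forum.php and /d2/about.php;
# allowing any short directory name is an assumption, not something the page states.
C2_PATH_RE = re.compile(r"^/[a-z0-9]{1,8}/(?:forum|about)\.php$")
IPIFY_HOST = "api.ipify.org"
# Maximum gap between the ipify lookup and the check-in POST (an assumption).
CHECKIN_WINDOW = timedelta(minutes=5)
NUMBERED_RE = re.compile(r"^(.*/)(\d+)$")

# Constructed log lines: "<ISO timestamp> <client> <method> <host> <uri>".
SAMPLE_LOG = """\
2018-02-20T16:01:02Z 10.0.0.5 GET www.google.com /
2018-02-20T16:01:10Z 10.0.0.5 GET securityguardschooling.com /adp.php?abcdef=ENCODEDRECIPIENT
2018-02-20T16:01:15Z 10.0.0.5 GET getyourbrelicense.com /1.exe
2018-02-20T16:01:20Z 10.0.0.5 GET api.ipify.org /
2018-02-20T16:01:21Z 10.0.0.5 POST rymoonthen.com /ls5/forum.php
2018-02-20T16:01:40Z 10.0.0.5 GET uttamah.com /wp-content/plugins/pretty-link/includes/1
2018-02-20T16:01:41Z 10.0.0.5 GET uttamah.com /wp-content/plugins/pretty-link/includes/2
2018-02-20T16:01:42Z 10.0.0.5 GET uttamah.com /wp-content/plugins/pretty-link/includes/3
2018-02-20T16:05:00Z 10.0.0.9 GET api.ipify.org /
2018-02-20T16:30:00Z 10.0.0.9 POST intranet.example.test /d2/about.php
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, uri = line.split(maxsplit=4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "client": client, "method": method,
                       "host": host.lower(), "uri": uri})
    return events


def detect(events):
    """Return (alert_kind, client, host+path) tuples in log order."""
    alerts = []
    last_ipify = {}                   # client -> time of its last api.ipify.org GET
    numbered = defaultdict(set)       # (client, host, directory) -> numbers fetched
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = ev["uri"].split("?", 1)[0]
        target = ev["host"] + path
        if ev["host"] in BLOCK_DOMAINS or target in BLOCK_URLS:
            alerts.append(("blocklist", ev["client"], target))
        # The ipify lookup alone is not malicious (it is a public service), so it
        # only becomes an indicator when a check-in POST from the same client follows.
        if ev["host"] == IPIFY_HOST:
            last_ipify[ev["client"]] = ev["ts"]
        elif ev["method"] == "POST" and C2_PATH_RE.match(path):
            seen = last_ipify.get(ev["client"])
            if seen is not None and ev["ts"] - seen <= CHECKIN_WINDOW:
                alerts.append(("hancitor_checkin", ev["client"], target))
        m = NUMBERED_RE.match(path)
        if m and ev["method"] == "GET":
            key = (ev["client"], ev["host"], m.group(1))
            numbered[key].add(m.group(2))
            if numbered[key] == {"1", "2", "3"}:
                alerts.append(("numbered_payloads", ev["client"], ev["host"] + m.group(1)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```

The second client in the sample log makes an ipify lookup and, much later, an unrelated POST to a matching path; it produces no alert, which is the point of the time window. The block-list entries are exact-match on this page's indicators, while the check-in and numbered-download rules describe the behaviour and would still fire after the domains rotate.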
FILE HASHES
MALWARE RETRIEVED FROM MY INFECTED HOSTS:
- SHA256 hash: 575f6764cc8041a1e7e22db8ed2db0eaa0a47989f6bfd26e63d867caa632225c
File size: 346,624 bytes
File name: invoice_143264.doc [any six random digits for the numbers]
File description: Word document with macro for Hancitor
- SHA256 hash: 56705514e3a93b7eb8a5555120eeb3f8b9b8e8a509dd0db2e7866dafcebb806a
File size: 35,396 bytes
File name: invoice_311706.js [any six random digits for the numbers]
File description: JavaScript (.js) file to download and run Hancitor binary
- SHA256 hash: 27a7605e5246074d4eb119785d12d21d98833859f2623d95d56f3b3d9d6c1f37
File size: 61,440 bytes
File location: hxxp://getyourbrelicense.com/1.exe
File location: C:\Users\[username]\WinHost32.exe
File description: Hancitor binary retrieved by the .js file
- SHA256 hash: f8d02d9c20b45e4b558080e332beb710719151533b30c25cc53984d88ccc6769
File size: 169,984 bytes
File location: C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
File description: Zeus Panda Banker
IMAGES
Shown above: Malware persistent on the infected Windows host through the Windows Registry.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2018-02-20-Hancitor-malspam-traffic.zip 2.2 MB (2,162,484 bytes)
- Zip archive of the emails: 2018-02-20-Hancitor-malspam-30-email-examples.txt.zip 2.8 kB (2,775 bytes)
- Zip archive of the malware: 2018-02-20-Hancitor-infection-malware-and-artifacts.zip 433 kB (432,569 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.