2018-02-20 - HANCITOR MALSPAM - FAKE ADP PAYROLL INVOICE

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-02-20-Hancitor-malspam-traffic.zip   2.2 MB (2,162,484 bytes)

• 2018-02-20-Hancitor-JS-file-download-and-infection-traffic.pcap   (2,173,787 bytes)
• 2018-02-20-Hancitor-maldoc-download-only.pcap   (376,904 bytes)

• Zip archive of the emails:  2018-02-20-Hancitor-malspam-30-email-examples.txt.zip   2.8 kB (2,775 bytes)

• 2018-02-20-Hancitor-malspam-30-email-examples.txt   (30,105 bytes)

• Zip archive of the malware:  2018-02-20-Hancitor-infection-malware-and-artifacts.zip   433 kB (432,569 bytes)

• 2018-02-20-Hancitor-binary.exe   (61,440 bytes)
• 2018-02-20-Hancitor-downloader-invoice_311706.js   (35,396 bytes)
• 2018-02-20-Hancitor-maldoc-invoice_143264.doc   (346,624 bytes)
• 2018-02-20-Zeus-Panda-Banker.exe   (169,984 bytes)

NOTES:

• Links from the malspam with /adp.php in the URL returned JavaScript (.js) files.
• Links from the malspam without /adp.php in the URL returned a Word document.
• The .js files downloaded Hancitor as a binary.
• The Word documents had a malicious macro that contained the Hancitor malware.
• As usual, we saw 3 follow-up downloads for Pony, Evil Pony, and Zeus Panda Banker.
• As usual, Pony and Evil Pony were resident in the infected host's memory, while Zeus Panda Banker was stored to disk.

Shown above:  Flowchart for today's Hancitor infection traffic.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• beasecurityguard.com
• brelicensewithus.com
• foodhandlerlicense.com
• getabrelicense.com
• getyourbrelicense.com
• premierrealestateschools.info
• premierrealestateschools.org
• realestatelicense.la
• realestateschools.training
• realestatesschools.academy
• securityguardschooling.com
• rymoonthen.com
• hxxp://uttamah.com/wp-content/plugins/pretty-link/includes/1
• hxxp://uttamah.com/wp-content/plugins/pretty-link/includes/2
• hxxp://uttamah.com/wp-content/plugins/pretty-link/includes/3
• lyhemsasit.ru

 

EMAILS

Shown above:  Screenshot from one of the emails with link to a .js file.

 

Shown above:  Downloading a .js file from one of the emails.

 

Shown above:  Screenshot from one of the emails with link to a Word document.

 

Shown above:  Downloading a Word document from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Tuesday 2018-02-20 as early as 15:47 through at least 20:12 UTC
• From (spoofed): "ADP, LLC" <un.payroll.invoice@apdm.com>

• Received: from ([75.144.249.209])
• Received: from ([76.237.148.143])
• Received: from apdm.com ([12.118.41.74])
• Received: from apdm.com ([24.18.144.193])
• Received: from apdm.com ([24.213.39.82])
• Received: from apdm.com ([47.190.13.102])
• Received: from apdm.com ([50.75.129.98])
• Received: from apdm.com ([50.77.19.245])
• Received: from apdm.com ([50.248.80.249])
• Received: from apdm.com ([64.31.248.50])
• Received: from apdm.com ([64.183.12.86])
• Received: from apdm.com ([65.153.153.118])
• Received: from apdm.com ([69.4.50.182])
• Received: from apdm.com ([70.91.150.67])
• Received: from apdm.com ([71.15.218.215])
• Received: from apdm.com ([72.76.45.178])
• Received: from apdm.com ([75.146.239.186])
• Received: from apdm.com ([117.240.183.117])
• Received: from apdm.com ([173.186.35.186])
• Received: from apdm.com ([173.209.154.162])
• Received: from apdm.com ([173.235.8.204])
• Received: from apdm.com ([185.99.139.214])
• Received: from apdm.com ([207.194.39.194])
• Received: from apdm.com ([208.67.102.180])
• Received: from apdm.com ([209.118.33.114])
• Received: from apdm.com ([216.7.131.82])
• Received: from apdm.com ([216.82.193.52])
• Received: from apdm.com ([216.218.189.211])
• Received: from apdm.com ([217.155.10.198])
• Received: from apdm.com ([218.197.8.26])

• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 047165040
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 062383653
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 068118517
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 068385525
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 081870747
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 206611543
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 224331466
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 265360856
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 273258344
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 278020070
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 281036532
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 282152613
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 285474521
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 324623486
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 344321326
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 352164242
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 370563263
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 381310557
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 414713572
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 451315017
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 526237504
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 546271588
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 567075811
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 582484510
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 660404721
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 665524514
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 745258322
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 822521504
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 834775063
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 841467436
• Subject: ADP Payroll Invoice for week ending 02/16/2018 - 01728. Invoice: 861551581

 

TRAFFIC

Shown above:  Traffic from an .js-based Hancitor infection filtered in Wireshark.

 

LINKS IN THE EMAILS TO THE WORD DOCUMENT:

• hxxp://beasecurityguard.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://brelicensewithus.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://brelicensewithus.com/adp.php?[string of characters]=[encoded string representing recipient's email address]
• hxxp://foodhandlerlicense.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://getabrelicense.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://getabrelicense.com/adp.php?[string of characters]=[encoded string representing recipient's email address]
• hxxp://getyourbrelicense.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://premierrealestateschools.info?[string of characters]=[encoded string representing recipient's email address]
• hxxp://premierrealestateschools.org?[string of characters]=[encoded string representing recipient's email address]
• hxxp://realestatelicense.la?[string of characters]=[encoded string representing recipient's email address]
• hxxp://realestateschools.training?[string of characters]=[encoded string representing recipient's email address]
• hxxp://realestatesschools.academy?[string of characters]=[encoded string representing recipient's email address]
• hxxp://realestatesschools.academy/adp.php?[string of characters]=[encoded string representing recipient's email address]
• hxxp://securityguardschooling.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://securityguardschooling.com/adp.php?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM MY INFECTED LAB HOST (.JS-BASED INFECTION):

• 92.53.78.188 port 80 - securityguardschooling.com - GET /adp.php?[string of characters]=[encoded string representing recipient's email address]
• 92.53.78.188 port 80 - getyourbrelicense.com - GET /1.exe
• api.ipify.org - GET /
• 37.230.228.150 port 80 - rymoonthen.com - POST /ls5/forum.php
• 37.230.228.150 port 80 - rymoonthen.com - POST /mlu/forum.php
• 37.230.228.150 port 80 - rymoonthen.com - POST /d2/about.php
• 192.254.232.169 port 80 - uttamah.com - GET /wp-content/plugins/pretty-link/includes/1
• 192.254.232.169 port 80 - uttamah.com - GET /wp-content/plugins/pretty-link/includes/2
• 192.254.232.169 port 80 - uttamah.com - GET /wp-content/plugins/pretty-link/includes/3
• 185.48.239.33 port 443 - lyhemsasit.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
• www.google.com - HTTPS traffic, probably a connectivity check by infected Windows host

 

FILE HASHES

MALWARE RETRIEVED FROM MY INFECTED HOSTS:

• SHA256 hash:  575f6764cc8041a1e7e22db8ed2db0eaa0a47989f6bfd26e63d867caa632225c
  File size:  346,624 bytes
  File name:  invoice_143264.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  56705514e3a93b7eb8a5555120eeb3f8b9b8e8a509dd0db2e7866dafcebb806a
  File size:  35,396 bytes
  File name:  invoice_311706.js.doc [any six random digits for the numbers]
  File description:  JavaScript (.js) file to download and run Hancitor binary

• SHA256 hash:  27a7605e5246074d4eb119785d12d21d98833859f2623d95d56f3b3d9d6c1f37
  File size:  61,440 bytes
  File location: hxxp://getyourbrelicense.com/1.exe
  File location: C:\Users\[username]\WinHost32.exe
  File description:  Hancitor binary retreived by the .js file

• SHA256 hash:  f8d02d9c20b45e4b558080e332beb710719151533b30c25cc53984d88ccc6769
  File size:  169,984 bytes
  File location:  C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

 

IMAGES

Shown above:  Malware persistent on the infected Windows host through the Windows Registry.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2018-02-20-Hancitor-malspam-traffic.zip   2.2 MB (2,162,484 bytes)
• Zip archive of the emails:  2018-02-20-Hancitor-malspam-30-email-examples.txt.zip   2.8 kB (2,775 bytes)
• Zip archive of the malware:  2018-02-20-Hancitor-infection-malware-and-artifacts.zip   433 kB (432,569 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.