2018-02-28 - HANCITOR MALSPAM - FAKE EFAX MESSAGE
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-02-28-Hancitor-malspam-infection-pcaps.zip 931 kB (930,863 bytes)
- 2018-02-28-Hancitor-infection-traffic-1st-run.pcap (327,381 bytes)
- 2018-02-28-Hancitor-infection-traffic-2nd-run.pcap (309,891 bytes)
- 2018-02-28-Hancitor-infection-traffic-3rd-run.pcap (421,314 bytes)
- Zip archive of the emails: 2018-02-28-Hancitor-malspam-20-email-examples.txt.zip 5.5 kB (5,547 bytes)
- 2018-02-28-Hancitor-malspam-20-email-examples.txt (80,869 bytes)
- Zip archive of the malware: 2018-02-28-Hancitor-infection-artifacts.zip 266 kB (265,994 bytes)
- 2018-02-28-Hancitor-maldoc-fax_933254.doc (240,640 bytes)
- 2018-02-28-Zeus-Panda-Banker.exe (188,928 bytes)
NOTES:
- I updated the hosts file on my Windows lab hosts to generate infection traffic with some (but not all) of the alternate domains used in the initial callback and follow-up downloads.
- Still seeing Pony, Evil Pony (both resident in memory), and Zeus Panda Banker (saved to disk) as the follow-up malware.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- hnimanagement.com
- hnimgmt.com
- hnimgt.com
- kastarmgt.com
- kastarqsr.com
- myyogaberry.com
- starcorpinc.com
- thorsolberg.com
- yobe.me
- yoga-berry.com
- caledkedwron.com
- gotletmoked.ru
- ningtoftcaso.ru
- hxxp://hestfitness.com/lib/flex/uploader/1
- hxxp://hestfitness.com/lib/flex/uploader/2
- hxxp://hestfitness.com/lib/flex/uploader/4
- hxxp://gomezespejel.net/examples/1
- hxxp://gomezespejel.net/examples/2
- hxxp://gomezespejel.net/examples/4
- hxxp://nectarsinc.com/wp-content/plugins/siteorigin-panels/settings/1
- hxxp://nectarsinc.com/wp-content/plugins/siteorigin-panels/settings/2
- hxxp://nectarsinc.com/wp-content/plugins/siteorigin-panels/settings/4
- ofhahertit.com
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2018-02-28 as early as 15:50 UTC through at least 19:25 UTC
- Received: from ([68.62.127.160])
- Received: from cgmdev.com ([73.58.50.32])
- Received: from cgmdev.com ([74.87.9.154])
- Received: from cgmdev.com ([96.84.215.1])
- Received: from cgmdev.com ([207.228.111.162])
- Received: from hillusa.com ([24.167.98.71])
- Received: from hillusa.com ([63.116.5.146])
- Received: from hillusa.com ([67.52.197.46])
- Received: from hillusa.com ([108.58.46.222])
- Received: from hillusa.com ([184.70.252.186])
- Received: from mtytocn.com ([96.88.9.57])
- Received: from mtytocn.com ([108.228.169.90])
- Received: from sierrasignsaz.com ([23.25.119.25])
- Received: from sierrasignsaz.com ([24.29.19.205])
- Received: from sierrasignsaz.com ([45.50.34.188])
- Received: from sierrasignsaz.com ([70.168.199.133])
- Received: from sierrasignsaz.com ([72.24.104.186])
- Received: from sierrasignsaz.com ([74.113.59.181])
- Received: from sierrasignsaz.com ([98.187.252.218])
- Received: from sierrasignsaz.com ([206.116.57.53])
- From: "eFax , Inc." <message@cgmdev.com>
- From: "eFax , Inc." <message@hillusa.com>
- From: "eFax , Inc." <message@sierrasignsaz.com>
- From: "eFax " <message@hillusa.com>
- From: "eFax " <message@mtytocn.com>
- From: "eFax " <message@sierrasignsaz.com>
- From: "eFax j2 Global, Inc." <message@cgmdev.com>
- From: "eFax j2 Global, Inc." <message@hillusa.com>
- From: "eFax j2 Global, Inc." <message@sierrasignsaz.com>
- From: "eFax j2 Global" <message@cgmdev.com>
- From: "eFax j2 Global" <message@hillusa.com>
- From: "eFax j2 Global" <message@mtytocn.com>
- From: "eFax j2 Global" <message@sierrasignsaz.com>
- Subject: This is an automatic eFax Notice
- Subject: This is an automatic efax Notification
- Subject: This is an electronic eFax Notice
- Subject: This is an electronic efax Notification
- Subject: This is efax Notice
- Subject: This is eFax Notification
- Subject: You have received efax Message
- Subject: You've got eFax Notice
- Subject: You've got eFax Notification
- Subject: You've received eFax Message
- Subject: You've received efax Notification
Shown above: Malicious Word document downloaded from a link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO THE WORD DOCUMENT:
- hxxp://hnimanagement.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://hnimgmt.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://hnimgt.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://kastarmgt.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://kastarqsr.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://myyogaberry.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://starcorpinc.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://thorsolberg.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://yobe.me?[string of characters]=[encoded string representing recipient's email address]
- hxxp://yoga-berry.com?[string of characters]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM MY INFECTED LAB HOSTS:
- 185.36.102.227 port 80 - caledkedwron.com - POST /ls5/forum.php
- 185.36.102.227 port 80 - caledkedwron.com - POST /mlu/forum.php
- 185.36.102.227 port 80 - caledkedwron.com - POST /d2/about.php
- 104.237.129.124 port 80 - hestfitness.com - GET /lib/flex/uploader/1
- 104.237.129.124 port 80 - hestfitness.com - GET /lib/flex/uploader/2
- 104.237.129.124 port 80 - hestfitness.com - GET /lib/flex/uploader/4
- 185.154.52.109 port 443 - ofhahertit.com - HTTPS/SSL/TLS traffic from Zeus Panda Banker
- 91.214.119.59 port 80 - gotletmoked.ru - POST /ls5/forum.php
- 91.214.119.59 port 80 - gotletmoked.ru - POST /mlu/forum.php
- 91.214.119.59 port 80 - gotletmoked.ru - POST /d2/about.php
- 173.247.253.159 port 80 - gomezespejel.net - GET /examples/1
- 173.247.253.159 port 80 - gomezespejel.net - GET /examples/2
- 173.247.253.159 port 80 - gomezespejel.net - GET /examples/4
- 185.154.52.109 port 443 - ofhahertit.com - HTTPS/SSL/TLS traffic from Zeus Panda Banker
- 78.155.220.218 port 80 - ningtoftcaso.ru - POST /ls5/forum.php
- 78.155.220.218 port 80 - ningtoftcaso.ru - POST /mlu/forum.php
- 78.155.220.218 port 80 - ningtoftcaso.ru - POST /d2/about.php
- 192.254.233.176 port 80 - nectarsinc.com - GET /wp-content/plugins/siteorigin-panels/settings/1
- 192.254.233.176 port 80 - nectarsinc.com - GET /wp-content/plugins/siteorigin-panels/settings/2
- 192.254.233.176 port 80 - nectarsinc.com - GET /wp-content/plugins/siteorigin-panels/settings/4
- 185.154.52.109 port 443 - ofhahertit.com - HTTPS/SSL/TLS traffic from Zeus Panda Banker
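The traffic above follows a fixed order: a Hancitor check-in POST to /ls5/forum.php, /mlu/forum.php or /d2/about.php, then follow-up GETs whose URIs end in /1, /2 or /4 on compromised sites. The detector below is an added example, not code from this site; it correlates those two stages per source host so a lone GET ending in /4 is not flagged on its own. The tab-separated log format and the 10.2.28.x source addresses are constructed; the hostnames come from the lists on this page.

```python
import re

# Hancitor check-in paths seen in the 2018-02-28 pcaps
HANCITOR_C2_PATHS = {"/ls5/forum.php", "/mlu/forum.php", "/d2/about.php"}
# Follow-up downloads from compromised sites end in /1, /2 or /4
FOLLOWUP_RE = re.compile(r"/[124]$")
# C2 and follow-up download hosts from this page's block list
KNOWN_BAD_HOSTS = {
    "caledkedwron.com", "gotletmoked.ru", "ningtoftcaso.ru", "ofhahertit.com",
    "hestfitness.com", "gomezespejel.net", "nectarsinc.com",
}

# Constructed proxy log: ts, src, host, dst port, method, uri (tab-separated)
SAMPLE_LOG = """\
2018-02-28T15:52:01Z\t10.2.28.101\tcaledkedwron.com\t80\tPOST\t/ls5/forum.php
2018-02-28T15:52:03Z\t10.2.28.101\thestfitness.com\t80\tGET\t/lib/flex/uploader/1
2018-02-28T15:52:05Z\t10.2.28.101\thestfitness.com\t80\tGET\t/lib/flex/uploader/2
2018-02-28T15:52:09Z\t10.2.28.102\twww.example.net\t80\tGET\t/images/4
2018-02-28T15:52:11Z\t10.2.28.102\twww.example.net\t80\tGET\t/index.html
"""

def parse_line(line):
    """Split one constructed log line into a dict, or None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return None
    ts, src, host, port, method, uri = fields
    return {"ts": ts, "src": src, "host": host, "port": int(port),
            "method": method, "uri": uri}

def detect(lines):
    """Return (src, reason, record) alerts; follow-up GETs only count after a check-in."""
    alerts, checked_in = [], set()   # checked_in: sources that already POSTed to C2
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, uri = rec["src"], rec["uri"]
        if rec["method"] == "POST" and uri in HANCITOR_C2_PATHS:
            checked_in.add(src)
            reason = "hancitor-checkin"
        elif rec["method"] == "GET" and FOLLOWUP_RE.search(uri) and src in checked_in:
            reason = "hancitor-followup-download"
        elif rec["host"] in KNOWN_BAD_HOSTS:
            reason = "known-bad-host"
        else:
            continue
        alerts.append((src, reason, rec))
    return alerts

def detect_sample():
    return detect(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for src, reason, rec in detect_sample():
        print(f"{rec['ts']} {src} {reason} {rec['host']}{rec['uri']}")
```

On the sample, only 10.2.28.101 is reported (one check-in, two follow-up downloads); the /images/4 request from 10.2.28.102 stays silent because that host never checked in.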
FILE HASHES
MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: 5209e6d4028b82cd1a59b737ea34a69cfa924a0d690c57b52eaeb2d31868d88f
  File size: 240,640 bytes
  File name: fax_933254.doc [any six random digits for the numbers]
  File description: Word document with macro for Hancitor
- SHA256 hash: d04124e357f6755e21cd36fefccfd7eec1a09148f41aaea25cbd326690bd4f23
  File size: 188,928 bytes
  File location: C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
  File description: Zeus Panda Banker
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2018-02-28-Hancitor-malspam-infection-pcaps.zip 931 kB (930,863 bytes)
- Zip archive of the emails: 2018-02-28-Hancitor-malspam-20-email-examples.txt.zip 5.5 kB (5,547 bytes)
- Zip archive of the malware: 2018-02-28-Hancitor-infection-artifacts.zip 266 kB (265,994 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.