2018-03-06 - HANCITOR MALSPAM - FAKE DOCUSIGN NOTICE

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-03-06-Hancitor-malspam-infection-traffic.pcap.zip   2.2 MB (2,177,639 bytes)

• 2018-03-06-Hancitor-malspam-infection-traffic.pcap   (2,561,762 bytes)

• Zip archive of the emails:  2018-03-06-Hancitor-malspam-26-email-examples.txt.zip   7.5 kB (7,454 bytes)

• 2018-03-06-Hancitor-malspam-26-email-examples.txt   (162,412 bytes)

• Zip archive of the malware:  2018-03-06-Hancitor-infection-artifacts.zip   252 kB (251,822 bytes)

• 2018-03-06-Hancitor-maldoc-invoice_387239.doc   (259,072 bytes)
• 2018-03-06-Zeus-Panda-Banker.exe   (164,352 bytes)

NOTES:

• As usual, for the 3 follow-up downloads, we're still seeing Pony, Evil Pony (both resident in memory), and Zeus Panda Banker (saved to disk).
• The block list contains additional post-infection URLs originally reported by @Techhelplistcom on the VirusTotal entry for today's Word document.
• As always, thanks to everyone who keeps an eye on this malspam and reports about it on Twitter.  Your tweets help more than you realize.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• babyfurniturewarehouse.com
• buildwith307.com
• carrythelamp.net
• dickswingsgrill.com
• freedomtonurse.net
• freeholdsurgical.net
• freeholdsurgical.org
• hnigrp.com
• hniltd.com
• myyobe.biz
• nightingalenurses.org
• wingsfinger.com
• wingsfingers.com
• tebabretof.com
• dinglebetna.ru
• etranutha.ru
• hxxp://gamesfree247.info/1
• hxxp://gamesfree247.info/2
• hxxp://gamesfree247.info/3
• hxxp://ncbc.co.za/wp-content/plugins/twg-members/1
• hxxp://ncbc.co.za/wp-content/plugins/twg-members/2
• hxxp://ncbc.co.za/wp-content/plugins/twg-members/3
• hxxp://lifemotivator.tv/wp-content/plugins/contact-form-7/includes/1
• hxxp://lifemotivator.tv/wp-content/plugins/contact-form-7/includes/2
• hxxp://lifemotivator.tv/wp-content/plugins/contact-form-7/includes/3
• hxxp://gigabitsoftware.com/wp-content/plugins/backupbuddy/1
• hxxp://gigabitsoftware.com/wp-content/plugins/backupbuddy/2
• hxxp://gigabitsoftware.com/wp-content/plugins/backupbuddy/3
• hxxp://printforall.ro/wp-content/plugins/simple-meta-tags/1
• hxxp://printforall.ro/wp-content/plugins/simple-meta-tags/2
• hxxp://printforall.ro/wp-content/plugins/simple-meta-tags/3
• ofhahertit.com

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Tuesday 2018-03-06 as early as 17:40 UTC through at least 20:59 UTC

• Received: from bandgequipment.com ([24.37.246.50])
• Received: from bandgequipment.com ([24.123.173.42])
• Received: from bandgequipment.com ([24.197.23.66])
• Received: from bandgequipment.com ([50.27.155.34])
• Received: from bandgequipment.com ([50.192.158.228])
• Received: from bandgequipment.com ([67.185.1.213])
• Received: from bandgequipment.com ([68.173.167.190])
• Received: from bandgequipment.com ([69.67.101.131])
• Received: from bandgequipment.com ([70.168.199.133])
• Received: from bandgequipment.com ([71.95.218.234])
• Received: from bandgequipment.com ([75.88.14.241])
• Received: from bandgequipment.com ([97.84.33.210])
• Received: from bandgequipment.com ([98.101.194.106])
• Received: from bandgequipment.com ([100.8.232.154])
• Received: from bandgequipment.com ([131.161.86.199])
• Received: from bandgequipment.com ([137.101.218.89])
• Received: from bandgequipment.com ([137.188.108.19])
• Received: from bandgequipment.com ([173.12.239.115])
• Received: from bandgequipment.com ([184.71.42.34])
• Received: from bandgequipment.com ([206.63.234.219])
• Received: from bandgequipment.com ([216.3.207.162])
• Received: from nxgndata.com ([50.255.94.41])
• Received: from nxgndata.com ([67.213.231.13])
• Received: from nxgndata.com ([72.93.244.154])
• Received: from nxgndata.com ([173.12.239.115])
• Received: from nxgndata.com ([184.71.42.34])

• From: "DocuSign Electronic Signature  Service" <invoice@bandgequipment.com>
• From: "DocuSign Electronic Signature " <invoice@bandgequipment.com>
• From: "DocuSign Electronic Signature " <invoice@nxgndata.com>
• From: "DocuSign Electronic Signature and Invoice Service" <invoice@bandgequipment.com>
• From: "DocuSign Electronic Signature and Invoice Service" <invoice@nxgndata.com>
• From: "DocuSign Electronic Signature and Invoice" <invoice@bandgequipment.com>
• From: "DocuSign Signature  Service" <invoice@bandgequipment.com>
• From: "DocuSign Signature  Service" <invoice@nxgndata.com>
• From: "DocuSign Signature " <invoice@bandgequipment.com>
• From: "DocuSign Signature " <invoice@nxgndata.com>
• From: "DocuSign Signature and Invoice Service" <invoice@bandgequipment.com>
• From: "DocuSign Signature and Invoice" <invoice@bandgequipment.com>
• From: "DocuSign Signature and Invoice" <invoice@nxgndata.com>

• Subject: You got invoice from DocuSign Electronic Service
• Subject: You got invoice from DocuSign Electronic Signature Service
• Subject: You got invoice from DocuSign Signature Service
• Subject: You got notification from DocuSign Service
• Subject: You got notification from DocuSign Signature Service
• Subject: You received invoice from DocuSign Electronic Service
• Subject: You received invoice from DocuSign Electronic Signature Service
• Subject: You received invoice from DocuSign Service
• Subject: You received invoice from DocuSign Signature Service
• Subject: You received notification from DocuSign Electronic Service
• Subject: You received notification from DocuSign Electronic Signature Service
• Subject: You received notification from DocuSign Service
• Subject: You received notification from DocuSign Signature Service

 

Shown above:  Malicious Word document downloaded from a link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS IN THE EMAILS FOR THE WORD DOCUMENT:

• hxxp://babyfurniturewarehouse.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://buildwith307.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://carrythelamp.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://dickswingsgrill.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://freedomtonurse.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://freeholdsurgical.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://freeholdsurgical.org?[string of characters]=[encoded string representing recipient's email address]
• hxxp://hnigrp.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://hniltd.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://myyobe.biz?[string of characters]=[encoded string representing recipient's email address]
• hxxp://nightingalenurses.org?[string of characters]=[encoded string representing recipient's email address]
• hxxp://wingsfinger.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://wingsfingers.com?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 95.213.203.60 port 80 - buildwith307.com - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify.org - GET /
• 185.74.255.109 port 80 - tebabretof.com - POST /ls5/forum.php
• 185.74.255.109 port 80 - tebabretof.com - POST /mlu/forum.php
• 185.74.255.109 port 80 - tebabretof.com - POST /d2/about.php
• 192.232.223.48 port 80 - gamesfree247.info - GET /1
• 192.232.223.48 port 80 - gamesfree247.info - GET /2
• 192.232.223.48 port 80 - gamesfree247.info - GET /3
• 192.71.247.158 port 443 - ofhahertit.com - HTTPS/SSL/TLS traffic from Zeus Panda Banker
• port 443 - google.com - connectivity check caused by Zeus Panda Banker

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  60149abf042392e352795c4bb2d731a75332e4bceb0daf83164baa0dcfa0dcd3
  File size:  259,072 bytes
  File name:  invoice_387239.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  f6df24d8a669b5ad298a47b9cd7fb2800e46c2cac75ee519955137b7d2abdb6f
  File size:  164,352 bytes
  File location:  C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

 

IMAGES

Shown above:  Zeus Panda Banker persistent on an infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2018-03-06-Hancitor-malspam-infection-traffic.pcap.zip   2.2 MB (2,177,639 bytes)
• Zip archive of the emails:  2018-03-06-Hancitor-malspam-26-email-examples.txt.zip   7.5 kB (7,454 bytes)
• Zip archive of the malware:  2018-03-06-Hancitor-infection-artifacts.zip   252 kB (251,822 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.