2018-03-06 - HANCITOR MALSPAM - FAKE DOCUSIGN NOTICE
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-03-06-Hancitor-malspam-infection-traffic.pcap.zip 2.2 MB (2,177,639 bytes)
- 2018-03-06-Hancitor-malspam-infection-traffic.pcap (2,561,762 bytes)
- Zip archive of the emails: 2018-03-06-Hancitor-malspam-26-email-examples.txt.zip 7.5 kB (7,454 bytes)
- 2018-03-06-Hancitor-malspam-26-email-examples.txt (162,412 bytes)
- Zip archive of the malware: 2018-03-06-Hancitor-infection-artifacts.zip 252 kB (251,822 bytes)
- 2018-03-06-Hancitor-maldoc-invoice_387239.doc (259,072 bytes)
- 2018-03-06-Zeus-Panda-Banker.exe (164,352 bytes)
NOTES:
- As usual, the three follow-up downloads are Pony and Evil Pony (both memory-resident) and Zeus Panda Banker (saved to disk).
- The block list contains additional post-infection URLs originally reported by @Techhelplistcom on the VirusTotal entry for today's Word document.
- As always, thanks to everyone who keeps an eye on this malspam and reports about it on Twitter. Your tweets help more than you realize.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
EMAILS
[Image not included] Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Tuesday 2018-03-06 as early as 17:40 UTC through at least 20:59 UTC
- From: "DocuSign Electronic Signature Service" <invoice@bandgequipment.com>
- From: "DocuSign Electronic Signature " <invoice@bandgequipment.com>
- From: "DocuSign Electronic Signature " <invoice@nxgndata.com>
- From: "DocuSign Electronic Signature and Invoice Service" <invoice@bandgequipment.com>
- From: "DocuSign Electronic Signature and Invoice Service" <invoice@nxgndata.com>
- From: "DocuSign Electronic Signature and Invoice" <invoice@bandgequipment.com>
- From: "DocuSign Signature Service" <invoice@bandgequipment.com>
- From: "DocuSign Signature Service" <invoice@nxgndata.com>
- From: "DocuSign Signature " <invoice@bandgequipment.com>
- From: "DocuSign Signature " <invoice@nxgndata.com>
- From: "DocuSign Signature and Invoice Service" <invoice@bandgequipment.com>
- From: "DocuSign Signature and Invoice" <invoice@bandgequipment.com>
- From: "DocuSign Signature and Invoice" <invoice@nxgndata.com>
- Subject: You got invoice from DocuSign Electronic Service
- Subject: You got invoice from DocuSign Electronic Signature Service
- Subject: You got invoice from DocuSign Signature Service
- Subject: You got notification from DocuSign Service
- Subject: You got notification from DocuSign Signature Service
- Subject: You received invoice from DocuSign Electronic Service
- Subject: You received invoice from DocuSign Electronic Signature Service
- Subject: You received invoice from DocuSign Service
- Subject: You received invoice from DocuSign Signature Service
- Subject: You received notification from DocuSign Electronic Service
- Subject: You received notification from DocuSign Electronic Signature Service
- Subject: You received notification from DocuSign Service
- Subject: You received notification from DocuSign Signature Service
[Image not included] Malicious Word document downloaded from a link in the malspam.
TRAFFIC
[Image not included] Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS FOR THE WORD DOCUMENT:
NETWORK TRAFFIC FROM AN INFECTED LAB HOST:
- 95.213.203.60 port 80 - buildwith307.com - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify.org - GET /
- 185.74.255.109 port 80 - tebabretof.com - POST /ls5/forum.php
- 185.74.255.109 port 80 - tebabretof.com - POST /mlu/forum.php
- 185.74.255.109 port 80 - tebabretof.com - POST /d2/about.php
- 192.232.223.48 port 80 - gamesfree247.info - GET /1
- 192.232.223.48 port 80 - gamesfree247.info - GET /2
- 192.232.223.48 port 80 - gamesfree247.info - GET /3
- 192.71.247.158 port 443 - ofhahertit.com - HTTPS/SSL/TLS traffic from Zeus Panda Banker
- port 443 - google.com - connectivity check caused by Zeus Panda Banker
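The request sequence above (external IP lookup, POSTs to Hancitor check-in paths ending in forum.php or about.php, then GETs for the /1, /2, /3 follow-up payloads) can be matched in web proxy logs. The script below is an added example written for this page, not part of the original post or the captured pcap; it assumes a simplified log format of "client method host path" per line and uses a constructed sample log.

```python
import re
from collections import defaultdict

# Constructed proxy log (NOT the page's pcap); assumed format per line:
# "<client_ip> <method> <host> <path>"
SAMPLE_LOG = """\
10.0.0.5 GET api.ipify.org /
10.0.0.5 POST tebabretof.com /ls5/forum.php
10.0.0.5 POST tebabretof.com /mlu/forum.php
10.0.0.5 POST tebabretof.com /d2/about.php
10.0.0.5 GET gamesfree247.info /1
10.0.0.5 GET gamesfree247.info /2
10.0.0.5 GET gamesfree247.info /3
10.0.0.9 GET example.com /index.html
10.0.0.9 GET api.ipify.org /
"""

# Hancitor check-in URIs from this infection: POST /<dir>/forum.php or /<dir>/about.php
C2_URI_RE = re.compile(r"^/[A-Za-z0-9]+/(?:forum|about)\.php$")
# Follow-up payload fetches: GET to a path ending in /1, /2 or /3
FOLLOWUP_URI_RE = re.compile(r"/[123]$")
IP_LOOKUP_HOSTS = {"api.ipify.org"}

def parse_line(line):
    """Split one log line into (client, method, host, path); None if malformed."""
    parts = line.split()
    return tuple(parts) if len(parts) == 4 else None

def stage_counts(log_text):
    """Count, per client, how many requests hit each stage of the chain."""
    stages = defaultdict(lambda: {"ip_lookup": 0, "c2_post": 0, "followup": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, host, path = rec
        if method == "GET" and host in IP_LOOKUP_HOSTS:
            stages[client]["ip_lookup"] += 1
        elif method == "POST" and C2_URI_RE.match(path):
            stages[client]["c2_post"] += 1
        elif method == "GET" and FOLLOWUP_URI_RE.search(path):
            stages[client]["followup"] += 1
    return dict(stages)

def suspicious_clients(log_text):
    """Clients with a C2-style POST plus at least one other stage; a lone ipify
    lookup or a lone /1 path is too common on its own to alert on."""
    hits = [c for c, s in stage_counts(log_text).items()
            if s["c2_post"] and (s["ip_lookup"] or s["followup"])]
    return sorted(hits)

if __name__ == "__main__":
    for c in suspicious_clients(SAMPLE_LOG):
        print(c, stage_counts(SAMPLE_LOG)[c])
```

The path patterns are intentionally not tied to the specific C2 domain, since Hancitor rotates hosts while the URI structure tends to persist across campaigns.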
FILE HASHES
MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: 60149abf042392e352795c4bb2d731a75332e4bceb0daf83164baa0dcfa0dcd3
File size: 259,072 bytes
File name: invoice_387239.doc [any six random digits for the numbers]
File description: Word document with macro for Hancitor
- SHA256 hash: f6df24d8a669b5ad298a47b9cd7fb2800e46c2cac75ee519955137b7d2abdb6f
File size: 164,352 bytes
File location: C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
File description: Zeus Panda Banker
IMAGES
[Image not included] Zeus Panda Banker persistent on an infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2018-03-06-Hancitor-malspam-infection-traffic.pcap.zip 2.2 MB (2,177,639 bytes)
- Zip archive of the emails: 2018-03-06-Hancitor-malspam-26-email-examples.txt.zip 7.5 kB (7,454 bytes)
- Zip archive of the malware: 2018-03-06-Hancitor-infection-artifacts.zip 252 kB (251,822 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.