2018-03-07 - HANCITOR MALSPAM - FAKE PAYPAL NOTICE
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-03-07-Hancitor-malspam-infection-traffic.zip 2.2 MB (2,224,049 bytes)
- 2018-03-07-Hancitor-infection-traffic.pcap (2,484,788 bytes)
- 2018-03-07-Zeus-Panda-Banker-infection-traffic.pcap (15,218 bytes)
- Zip archive of the emails: 2018-03-07-Hancitor-malspam-26-email-examples.txt.zip 13.5 kB (13,512 bytes)
- 2018-03-07-Hancitor-malspam-26-email-examples.txt (442,183 bytes)
- Zip archive of the malware: 2018-03-07-Hancitor-infection-artifacts.zip 233 kB (233,430 bytes)
- 2018-03-07-Hancitor-maldoc-invoice_276194.doc (226,304 bytes)
- 2018-03-07-Zeus-Panda-Banker.exe (163,840 bytes)
NOTES:
- As usual, for the 3 follow-up downloads, we're still seeing Pony, Evil Pony (both resident in memory), and Zeus Panda Banker (saved to disk).
- The block list contains additional post-infection URLs originally reported by @Techhelplistcom on the VirusTotal entry for today's Word document.
- My thanks to @Techhelplistcom, @James_inthe_box, and everyone else who keeps an eye on this malspam and reports about it near-real-time on Twitter.
Shown above: Screenshot from one of the emails.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- batcommunications.com
- creditdamageconsultant.com
- florida-pawn.com
- hnimgmt.com
- hollywood-pawn.com
- kanzlercompanies.com
- kastarqsr.com
- margate-pawn.com
- morris-law-firm.com
- myyogaberry.com
- starcorpinc.com
- toetallynailed.com
- cirewandbut.com
- babronwronot.ru
- romfinothad.ru
- hxxp://mypartnerforever.me/wp-includes/customize/1
- hxxp://mypartnerforever.me/wp-includes/customize/2
- hxxp://mypartnerforever.me/wp-includes/customize/3
- hxxp://euforia-piekna.pl/wp-content/plugins/thumbnail-for-excerpts/1
- hxxp://euforia-piekna.pl/wp-content/plugins/thumbnail-for-excerpts/2
- hxxp://euforia-piekna.pl/wp-content/plugins/thumbnail-for-excerpts/3
- hxxp://helpfulcrooks.com/wp-content/plugins/bwp-recent-comments/includes/1
- hxxp://helpfulcrooks.com/wp-content/plugins/bwp-recent-comments/includes/2
- hxxp://helpfulcrooks.com/wp-content/plugins/bwp-recent-comments/includes/3
- hxxp://prontohotel.fr/reiseblog/wp-content/plugins/wp-no-category-base/1
- hxxp://prontohotel.fr/reiseblog/wp-content/plugins/wp-no-category-base/2
- hxxp://prontohotel.fr/reiseblog/wp-content/plugins/wp-no-category-base/3
- hxxp://eng.mhb.mx/wp-content/plugins/get-the-image/1
- hxxp://eng.mhb.mx/wp-content/plugins/get-the-image/2
- hxxp://eng.mhb.mx/wp-content/plugins/get-the-image/3
- diheclerow.ru
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2018-03-07 as early as 16:28 UTC through at least 18:52 UTC
- Received: from rachelallan.com ([24.43.154.229])
- Received: from rachelallan.com ([67.212.207.69])
- Received: from rachelallan.com ([68.185.227.33])
- Received: from rachelallan.com ([70.90.35.129])
- Received: from rachelallan.com ([75.145.156.49])
- Received: from trivalleyurology.com ([24.240.172.42])
- Received: from trivalleyurology.com ([50.247.22.145])
- Received: from trivalleyurology.com ([50.248.192.49])
- Received: from trivalleyurology.com ([66.97.110.230])
- Received: from trivalleyurology.com ([67.221.222.194])
- Received: from trivalleyurology.com ([70.182.4.13])
- Received: from trivalleyurology.com ([71.206.183.184])
- Received: from trivalleyurology.com ([73.103.77.175])
- Received: from trivalleyurology.com ([73.237.189.90])
- Received: from trivalleyurology.com ([75.106.127.147])
- Received: from trivalleyurology.com ([75.129.211.11])
- Received: from trivalleyurology.com ([76.70.31.65])
- Received: from trivalleyurology.com ([96.82.224.81])
- Received: from trivalleyurology.com ([99.254.166.184])
- Received: from trivalleyurology.com ([108.20.23.234])
- Received: from trivalleyurology.com ([108.189.55.3])
- Received: from trivalleyurology.com ([199.5.189.237])
- Received: from trivalleyurology.com ([206.127.114.54])
- Received: from trivalleyurology.com ([207.150.250.2])
- Received: from trivalleyurology.com ([208.80.167.34])
- From: "PayPal Inc" <invoice@rachelallan.com>
- From: "PayPal Inc" <invoice@trivalleyurology.com>
- From: "PayPal Invoice Service" <invoice@rachelallan.com>
- From: "PayPal Invoice Service" <invoice@trivalleyurology.com>
- From: "PayPal Services" <invoice@rachelallan.com>
- From: "PayPal Services" <invoice@trivalleyurology.com>
- Subject: PayPal Message
- Subject: PayPal Notification
- Subject: PayPal Invoice Message
- Subject: PayPal Invoice Notification
- Subject: PayPal Automated Message
- Subject: PayPal Automated Notice
- Subject: PayPal Automated Notification
- Subject: PayPal Automated Invoice Message
- Subject: PayPal Automated Invoice Notification
- Subject: PayPal Automatic Message
- Subject: PayPal Automatic Notice
- Subject: PayPal Automatic Notification
- Subject: PayPal Automatic Invoice Message
- Subject: PayPal Electronic Message
- Subject: PayPal Electronic Notice
- Subject: PayPal Electronic Invoice Message
- Subject: PayPal Electronic Invoice Notice
- Subject: PayPal Electronic Invoice Notification
Shown above: Clicking on a link from one of the malspam examples.
Shown above: Malicious Word document downloaded from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Zeus Panda Banker traffic filtered in Wireshark.
LINKS IN THE EMAILS FOR THE WORD DOCUMENT:
- hxxp://batcommunications.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://hnimgmt.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://hnimgmt.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://hnimgmt.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://hollywood-pawn.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://kastarqsr.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://kastarqsr.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://margate-pawn.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://morris-law-firm.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://myyogaberry.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://starcorpinc.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://toetallynailed.com?[string of characters]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM AN INFECTED LAB HOST:
- 95.213.200.176 port 80 - batcommunications.com - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify.org - GET /
- 93.189.40.107 port 80 - cirewandbut.com - POST /ls5/forum.php
- 93.189.40.107 port 80 - cirewandbut.com - POST /mlu/forum.php
- 93.189.40.107 port 80 - cirewandbut.com - POST /d2/about.php
- 192.254.185.27 port 80 - mypartnerforever.me - GET /wp-includes/customize/1
- 192.254.185.27 port 80 - mypartnerforever.me - GET /wp-includes/customize/2
- 192.254.185.27 port 80 - mypartnerforever.me - GET /wp-includes/customize/3
- 185.204.219.210 port 80 - euforia-piekna.pl - GET /wp-content/plugins/thumbnail-for-excerpts/1
- 185.204.219.210 port 80 - euforia-piekna.pl - GET /wp-content/plugins/thumbnail-for-excerpts/2
- 185.204.219.210 port 80 - euforia-piekna.pl - GET /wp-content/plugins/thumbnail-for-excerpts/3
- 91.221.36.71 port 443 - diheclerow.ru - HTTPS/SSL/TLS traffic from Zeus Panda Banker
- port 443 - google.com - connectivity check caused by Zeus Panda Banker
FILE HASHES
MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: 1d63cfe0c0b6c80212aafef737fc63f63415634c74ac3159966f63c31c1a08d4
File size: 226,304 bytes
File name: invoice_276194.doc [any six random digits for the numbers]
File description: Word document with macro for Hancitor
- SHA256 hash: b148c9c73420619ac3efa018261da3f29b5bf86e2b1aded5895cc26dd74dd159
File size: 163,840 bytes
File location: C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
File description: Zeus Panda Banker
IMAGES
Shown above: Zeus Panda Banker persistent on an infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2018-03-07-Hancitor-malspam-infection-traffic.zip 2.2 MB (2,224,049 bytes)
- Zip archive of the emails: 2018-03-07-Hancitor-malspam-26-email-examples.txt.zip 13.5 kB (13,512 bytes)
- Zip archive of the malware: 2018-03-07-Hancitor-infection-artifacts.zip 233 kB (233,430 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.