2018-03-14 - HANCITOR MALSPAM - FAKE INVOICELY NOTICE

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-03-14-Hancitor-malspam-infection-traffic.pcap.zip   418 kB (417,573 bytes)

• 2018-03-14-Hancitor-malspam-infection-traffic.pcap   (648,394 bytes)

• Zip archive of the emails:  2018-03-14-Hancitor-malspam-24-email-examples.txt.zip   5.7 kB (5,676 bytes)

• 2018-03-14-Hancitor-malspam-24-email-examples.txt   (124,519 bytes)

• Zip archive of the malware:  2018-03-14-Hancitor-infection-artifacts.zip   265 kB (264,620 bytes)

• 2018-03-14-Hancitor-maldoc-invoice_353492zip.doc   (279,040 bytes)
• 2018-03-14-Zeus-Panda-Banker.exe   (193,536 bytes)

NOTES:

• As usual, for the 3 follow-up downloads, we're still seeing Pony, Evil Pony (both resident in memory), and Zeus Panda Banker (saved to disk).
• The block list contains additional post-infection URLs originally reported by @James_inthe_box reported on a Pastebin link here.
• My thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter, and to those who've emailed me directly.

Shown above:  Flow chart for a typical Hancitor malspam infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• argentstrim.com
• budgetsignsplus.com
• mydaily5.com
• mysatya.com
• satyablog.com
• satyastore.com
• subeinc.com
• subeinc.net
• tailormadeduds.com
• duketofrob.com
• rithesforhep.ru
• witlyrenco.ru
• hxxp://completestreetsathens.com/wp-content/plugins/contact-bank/lib/1
• hxxp://completestreetsathens.com/wp-content/plugins/contact-bank/lib/2
• hxxp://completestreetsathens.com/wp-content/plugins/contact-bank/lib/3
• hxxp://ibesthoteldeals.eu/wp-content/plugins/Auto-Tube-Pro/1
• hxxp://ibesthoteldeals.eu/wp-content/plugins/Auto-Tube-Pro/2
• hxxp://ibesthoteldeals.eu/wp-content/plugins/Auto-Tube-Pro/3
• hxxp://onlineprofitscoach.com/wp-content/plugins/social-count-plus/includes/1
• hxxp://onlineprofitscoach.com/wp-content/plugins/social-count-plus/includes/2
• hxxp://onlineprofitscoach.com/wp-content/plugins/social-count-plus/includes/3
• hxxp://streetfoodandtraveltvindia.com/wp-content/themes/twentyfifteen/1
• hxxp://streetfoodandtraveltvindia.com/wp-content/themes/twentyfifteen/2
• hxxp://streetfoodandtraveltvindia.com/wp-content/themes/twentyfifteen/3
• hxxp://winecountryuncorked.com/wp-content/themes/twentythirteen/inc/1
• hxxp://winecountryuncorked.com/wp-content/themes/twentythirteen/inc/2
• hxxp://winecountryuncorked.com/wp-content/themes/twentythirteen/inc/3
• hattalbutla.com

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Wednesday 2018-03-14 as early as 15:02 UTC through at least 18:18 UTC

• Received: from ([12.169.83.217])
• Received: from ([66.215.148.128])
• Received: from feldman-ins.com ([12.35.89.31])
• Received: from feldman-ins.com ([23.30.139.233])
• Received: from feldman-ins.com ([24.220.115.230])
• Received: from feldman-ins.com ([50.234.191.210])
• Received: from feldman-ins.com ([50.240.107.145])
• Received: from feldman-ins.com ([64.185.14.2])
• Received: from feldman-ins.com ([65.29.83.105])
• Received: from feldman-ins.com ([66.193.155.98])
• Received: from feldman-ins.com ([67.21.156.196])
• Received: from feldman-ins.com ([69.92.125.210])
• Received: from feldman-ins.com ([72.24.104.186])
• Received: from feldman-ins.com ([74.84.255.112])
• Received: from feldman-ins.com ([74.142.47.186])
• Received: from feldman-ins.com ([96.86.244.57])
• Received: from feldman-ins.com ([146.115.63.226])
• Received: from feldman-ins.com ([166.177.122.6])
• Received: from feldman-ins.com ([173.164.170.197])
• Received: from feldman-ins.com ([173.209.154.162])
• Received: from feldman-ins.com ([173.219.91.210])
• Received: from feldman-ins.com ([184.188.97.84])
• Received: from feldman-ins.com ([205.182.135.63])
• Received: from feldman-ins.com ([208.253.84.210])

• From: "Invoicely " <invoices@feldman-ins.com>
• From: "Invoicely Inc." <invoices@feldman-ins.com>
• From: "Invoicely Services" <invoices@feldman-ins.com>
• From: "Invoicely ServicesInc." <invoices@feldman-ins.com>

• Subject: Overdue payment notice from Invoicely
• Subject: Overdue payment notification from Invoicely
• Subject: Past due payment notice from Invoicely
• Subject: Past due payment notification from Invoicely
• Subject: Past-due payment notice from Invoicely
• Subject: Past-due payment notification from Invoicely

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS IN THE EMAILS FOR THE WORD DOCUMENT:

• hxxp://argentstrim.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://budgetsignsplus.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://mydaily5.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://mysatya.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://satyablog.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://satyastore.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://subeinc.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://subeinc.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://tailormadeduds.com?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 35.204.226.52 port 80 - budgetsignsplus.com - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify.org - GET /
• 46.173.213.228 port 80 - duketofrob.com - POST /ls5/forum.php
• 46.173.213.228 port 80 - duketofrob.com - POST /mlu/forum.php
• 46.173.213.228 port 80 - duketofrob.com - POST /d2/about.php
• 103.93.16.147 port 80 - streetfoodandtraveltvindia.com - GET /wp-content/themes/twentyfifteen/1
• 103.93.16.147 port 80 - streetfoodandtraveltvindia.com - GET /wp-content/themes/twentyfifteen/2
• 103.93.16.147 port 80 - streetfoodandtraveltvindia.com - GET /wp-content/themes/twentyfifteen/3
• 178.170.244.36 port 443 - hattalbutla.com - HTTPS/SSL/TLS traffic from Zeus Panda Banker

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  af290434ffa9a677133952b2d2622eabd7b274f545fc662f31dcfa0164d9f9de
  File size:  279,040 bytes
  File name:  invoice_353492.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  5782c7ade207fd4415c35bd1e98bad7c3fcaef206fa60f142b8d1062e7103670
  File size:  193,536 bytes
  File location:  C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

Shown above:  Zeus Panda Banker persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2018-03-14-Hancitor-malspam-infection-traffic.pcap.zip   418 kB (417,573 bytes)
• Zip archive of the emails:  2018-03-14-Hancitor-malspam-24-email-examples.txt.zip   5.7 kB (5,676 bytes)
• Zip archive of the malware:  2018-03-14-Hancitor-infection-artifacts.zip   265 kB (264,620 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.