2018-04-18 - HANCITOR MALSPAM - FAKE IRS NOTIFICATIONS
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-04-18-Hancitor-malspam-infection-traffic.pcap.zip 366 kB (365,898 bytes)
- 2018-04-18-Hancitor-malspam-infection-traffic.pcap (576,073 bytes)
- Zip archive of the emails: 2018-04-18-Hancitor-malspam-27-email-examples.txt.zip 8.3 kB (8,324 bytes)
- 2018-04-18-Hancitor-malspam-27-email-examples.txt (152,024 bytes)
- Zip archive of the malware: 2018-04-18-Hancitor-infection-artifacts.zip 229 kB (228,646 bytes)
- 2018-04-18-Word-doc-with-macro-for-Hancitor.doc (259,072 bytes)
- 2018-04-18-Zeus-Panda-Banker-sample.exe (185,344 bytes)
NOTES:
- The block list contains additional info originally reported by @James_inthe_box and @Techhelplistcom.
- As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.
Shown above: Flow chart for a typical Hancitor malspam infection.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- applyingtechnologyforsolutions.com
- bidsharp.net
- bidtraxx.net
- bieauviva.com
- citrobug.com
- contractorsauction.net
- div9.online
- finishtrades.org
- finishtradesmag.com
- fleamarketcologne.com
- fleamarketperfume.com
- graybirchcandle.com
- knockoffcolognes.com
- knockoffperfumes.com
- meh41.com
- paintestimatingclass.com
- paintestimatingcourse.com
- pro-lifeaction.org
- ettoldketru.com
- sacetothad.ru
- herstantosu.ru
- hxxp://bestbodyrace.com/wp-content/plugins/evonapluginconfig/1
- hxxp://bestbodyrace.com/wp-content/plugins/evonapluginconfig/2
- hxxp://bestbodyrace.com/wp-content/plugins/evonapluginconfig/3
- hxxp://itsonlyem.com/1
- hxxp://itsonlyem.com/2
- hxxp://itsonlyem.com/3
- hxxp://agor-engineering.com/wp-content/plugins/really-simple-captcha/1
- hxxp://agor-engineering.com/wp-content/plugins/really-simple-captcha/2
- hxxp://agor-engineering.com/wp-content/plugins/really-simple-captcha/3
- hxxp://australiancollectablesfair.com/wp-content/plugins/wordpress-importer/1
- hxxp://australiancollectablesfair.com/wp-content/plugins/wordpress-importer/2
- hxxp://australiancollectablesfair.com/wp-content/plugins/wordpress-importer/3
- hxxp://grosirmebelmurah.com/wp-content/plugins/alexa-intsdernet/1
- hxxp://grosirmebelmurah.com/wp-content/plugins/alexa-intsdernet/2
- hxxp://grosirmebelmurah.com/wp-content/plugins/alexa-intsdernet/3
- lyrintedba.com
- reundlaboi.ru
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2018-04-18 as early as 15:07 UTC through at least 17:56 UTC
- Received: from birchconnect.com ([12.162.128.222])
- Received: from birchconnect.com ([50.247.178.228])
- Received: from birchconnect.com ([50.249.244.57])
- Received: from birchconnect.com ([63.142.59.182])
- Received: from birchconnect.com ([69.128.215.202])
- Received: from birchconnect.com ([98.118.62.186])
- Received: from birchconnect.com ([142.160.83.229])
- Received: from birchconnect.com ([173.61.176.114])
- Received: from birchconnect.com ([174.229.129.82])
- Received: from birchconnect.com ([184.167.148.255])
- Received: from birchconnect.com ([208.118.138.224])
- Received: from birchconnect.com ([216.196.229.166])
- Received: from lawrencetractor.com ([50.78.130.206])
- Received: from lawrencetractor.com ([50.241.109.25])
- Received: from lawrencetractor.com ([73.34.196.197])
- Received: from lawrencetractor.com ([73.204.111.182])
- Received: from lawrencetractor.com ([108.46.196.93])
- Received: from lawrencetractor.com ([173.183.213.54])
- Received: from lawrencetractor.com ([173.25.234.93])
- Received: from shorebrook.com ([12.220.10.98])
- Received: from shorebrook.com ([24.245.109.158])
- Received: from shorebrook.com ([50.201.134.50])
- Received: from shorebrook.com ([74.208.185.164])
- Received: from shorebrook.com ([96.95.178.9])
- Received: from shorebrook.com ([98.21.120.166])
- Received: from shorebrook.com ([204.186.244.210])
- Received: from shorebrook.com ([216.196.229.166])
- From: "Internal Revenue Service" <irs@birchconnect.com>
- From: "Internal Revenue Service" <rs@shorebrook.com>
- From: "IRS" <irs@birchconnect.com>
- From: "IRS" <irs@lawrencetractor.com>
- From: "IRS" <rs@shorebrook.com>
- Subject: Internal Revenue Service
- Subject: Internal Revenue Service Final Notice
- Subject: Internal Revenue Service Important Notice
- Subject: Internal Revenue Service Important Notification
- Subject: Internal Revenue Service Notice to the Taxpayer
- Subject: Internal Revenue Service Notification
- Subject: Internal Revenue Service Taxpayer Notice
- Subject: Internal Revenue Service Taxpayer Notification
- Subject: IRS
- Subject: IRS Important Notice
- Subject: IRS Important Notification
- Subject: IRS Notice
- Subject: IRS Notice of intent to levy
- Subject: IRS Notice to the Taxpayer
- Subject: IRS Taxpayer Notice
- Subject: IRS Taxpayer Notification
Shown above: Malicious Word document downloaded from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: DNS query and failed connection attempt for the Zeus Panda Banker traffic.
LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:
- hxxp://applyingtechnologyforsolutions.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://bidsharp.net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://bidtraxx.net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://citrobug.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://contractorsauction.net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://div9.online?[string of characters]=[encoded string representing recipient's email address]
- hxxp://finishtrades.org?[string of characters]=[encoded string representing recipient's email address]
- hxxp://fleamarketcologne.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://fleamarketperfume.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://graybirchcandle.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://knockoffcolognes.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://knockoffperfumes.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://meh41.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://paintestimatingclass.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://paintestimatingcourse.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://pro-lifeaction.org?[string of characters]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM AN INFECTED LAB HOST:
- 35.204.196.178 port 80 - citrobug.com - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify.org - GET /
- 185.43.223.6 port 80 - ettoldketru.com - POST /4/forum.php
- 185.43.223.6 port 80 - ettoldketru.com - POST /mlu/about.php
- 185.43.223.6 port 80 - ettoldketru.com - POST /d2/about.php
- 192.254.234.151 port 80 - image-a.com - GET /wp-content/plugins/easy-media-gallery/includes/1
- 192.254.234.151 port 80 - image-a.com - GET /wp-content/plugins/easy-media-gallery/includes/4
- 192.254.234.151 port 80 - image-a.com - GET /wp-content/plugins/easy-media-gallery/includes/5
- 198.105.244.228 port 443 - lyrintedba.com - attempted TCP connections but RST from server
- 198.105.254.228 port 443 - lyrintedba.com - attempted TCP connections but RST from server
- 198.105.244.228 port 443 - reundlaboi.ru - attempted TCP connections but RST from server
- 198.105.254.228 port 443 - reundlaboi.ru - attempted TCP connections but RST from server
FILE HASHES
MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: 006f7fd56fa89fa576fa95221bdf16422d66787ca366e57816ff6d8a957d7de5
File size: 259,072 bytes
File name: invoice_314728.doc [any six random digits for the numbers]
File description: Word document with macro for Hancitor
- SHA256 hash: 86d9910ae4314d3ac4f9544aa84db11786c2843ace598cf88dc51eaf806e6b54
File size: 185,344 bytes
File location: C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
File description: Zeus Panda Banker
Shown above: Zeus Panda Banker persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2018-04-18-Hancitor-malspam-infection-traffic.pcap.zip 366 kB (365,898 bytes)
- Zip archive of the emails: 2018-04-18-Hancitor-malspam-27-email-examples.txt.zip 8.3 kB (8,324 bytes)
- Zip archive of the malware: 2018-04-18-Hancitor-infection-artifacts.zip 229 kB (228,646 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.