2018-04-18 - HANCITOR MALSPAM - FAKE IRS NOTIFICATIONS

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-04-18-Hancitor-malspam-infection-traffic.pcap.zip   366 kB (365,898 bytes)

• 2018-04-18-Hancitor-malspam-infection-traffic.pcap   (576,073 bytes)

• Zip archive of the emails:  2018-04-18-Hancitor-malspam-27-email-examples.txt.zip   8.3 kB (8,324 bytes)

• 2018-04-18-Hancitor-malspam-27-email-examples.txt   (152,024 bytes)

• Zip archive of the malware:  2018-04-18-Hancitor-infection-artifacts.zip   229 kB (228,646 bytes)

• 2018-04-18-Word-doc-with-macro-for-Hancitor.doc   (259,072 bytes)
• 2018-04-18-Zeus-Panda-Banker-sample.exe   (185,344 bytes)

NOTES:

• The block list contains additional info originally reported by @James_inthe_box and @Techhelplistcom.
• As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.

Shown above:  Flow chart for a typical Hancitor malspam infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• applyingtechnologyforsolutions.com
• bidsharp.net
• bidtraxx.net
• bieauviva.com
• citrobug.com
• contractorsauction.net
• div9.online
• finishtrades.org
• finishtradesmag.com
• fleamarketcologne.com
• fleamarketperfume.com
• graybirchcandle.com
• knockoffcolognes.com
• knockoffperfumes.com
• meh41.com
• paintestimatingclass.com
• paintestimatingcourse.com
• pro-lifeaction.org
• ettoldketru.com
• sacetothad.ru
• herstantosu.ru
• hxxp://bestbodyrace.com/wp-content/plugins/evonapluginconfig/1
• hxxp://bestbodyrace.com/wp-content/plugins/evonapluginconfig/2
• hxxp://bestbodyrace.com/wp-content/plugins/evonapluginconfig/3
• hxxp://itsonlyem.com/1
• hxxp://itsonlyem.com/2
• hxxp://itsonlyem.com/3
• hxxp://agor-engineering.com/wp-content/plugins/really-simple-captcha/1
• hxxp://agor-engineering.com/wp-content/plugins/really-simple-captcha/2
• hxxp://agor-engineering.com/wp-content/plugins/really-simple-captcha/3
• hxxp://australiancollectablesfair.com/wp-content/plugins/wordpress-importer/1
• hxxp://australiancollectablesfair.com/wp-content/plugins/wordpress-importer/2
• hxxp://australiancollectablesfair.com/wp-content/plugins/wordpress-importer/3
• hxxp://grosirmebelmurah.com/wp-content/plugins/alexa-intsdernet/1
• hxxp://grosirmebelmurah.com/wp-content/plugins/alexa-intsdernet/2
• hxxp://grosirmebelmurah.com/wp-content/plugins/alexa-intsdernet/3
• lyrintedba.com
• reundlaboi.ru

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Wednesday 2018-04-18 as early as 15:07 UTC through at least 17:56 UTC

• Received: from birchconnect.com ([12.162.128.222])
• Received: from birchconnect.com ([50.247.178.228])
• Received: from birchconnect.com ([50.249.244.57])
• Received: from birchconnect.com ([63.142.59.182])
• Received: from birchconnect.com ([69.128.215.202])
• Received: from birchconnect.com ([98.118.62.186])
• Received: from birchconnect.com ([142.160.83.229])
• Received: from birchconnect.com ([173.61.176.114])
• Received: from birchconnect.com ([174.229.129.82])
• Received: from birchconnect.com ([184.167.148.255])
• Received: from birchconnect.com ([208.118.138.224])
• Received: from birchconnect.com ([216.196.229.166])
• Received: from lawrencetractor.com ([50.78.130.206])
• Received: from lawrencetractor.com ([50.241.109.25])
• Received: from lawrencetractor.com ([73.34.196.197])
• Received: from lawrencetractor.com ([73.204.111.182])
• Received: from lawrencetractor.com ([108.46.196.93])
• Received: from lawrencetractor.com ([173.183.213.54])
• Received: from lawrencetractor.com ([173.25.234.93])
• Received: from shorebrook.com ([12.220.10.98])
• Received: from shorebrook.com ([24.245.109.158])
• Received: from shorebrook.com ([50.201.134.50])
• Received: from shorebrook.com ([74.208.185.164])
• Received: from shorebrook.com ([96.95.178.9])
• Received: from shorebrook.com ([98.21.120.166])
• Received: from shorebrook.com ([204.186.244.210])
• Received: from shorebrook.com ([216.196.229.166])

• From: "Internal Revenue Service" <irs@birchconnect.com>
• From: "Internal Revenue Service" <rs@shorebrook.com>
• From: "IRS" <irs@birchconnect.com>
• From: "IRS" <irs@lawrencetractor.com>
• From: "IRS" <rs@shorebrook.com>

• Subject: Internal Revenue Service
• Subject: Internal Revenue Service Final Notice
• Subject: Internal Revenue Service Important Notice
• Subject: Internal Revenue Service Important Notification
• Subject: Internal Revenue Service Notice to the Taxpayer
• Subject: Internal Revenue Service Notification
• Subject: Internal Revenue Service Taxpayer Notice
• Subject: Internal Revenue Service Taxpayer Notification
• Subject: IRS
• Subject: IRS Important Notice
• Subject: IRS Important Notification
• Subject: IRS Notice
• Subject: IRS Notice of intent to levy
• Subject: IRS Notice to the Taxpayer
• Subject: IRS Taxpayer Notice
• Subject: IRS Taxpayer Notification

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  DNS query and failed connection attempt for the Zeus Panda Banker traffic.

 

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:

• hxxp://applyingtechnologyforsolutions.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://bidsharp.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://bidtraxx.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://citrobug.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://contractorsauction.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://div9.online?[string of characters]=[encoded string representing recipient's email address]
• hxxp://finishtrades.org?[string of characters]=[encoded string representing recipient's email address]
• hxxp://fleamarketcologne.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://fleamarketperfume.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://graybirchcandle.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://knockoffcolognes.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://knockoffperfumes.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://meh41.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://paintestimatingclass.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://paintestimatingcourse.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://pro-lifeaction.org?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 35.204.196.178 port 80 - citrobug.com - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify.org - GET /
• 185.43.223.6 port 80 - ettoldketru.com - POST /4/forum.php
• 185.43.223.6 port 80 - ettoldketru.com - POST /mlu/about.php
• 185.43.223.6 port 80 - ettoldketru.com - POST /d2/about.php
• 192.254.234.151 port 80 - image-a.com - GET /wp-content/plugins/easy-media-gallery/includes/1
• 192.254.234.151 port 80 - image-a.com - GET /wp-content/plugins/easy-media-gallery/includes/4
• 192.254.234.151 port 80 - image-a.com - GET /wp-content/plugins/easy-media-gallery/includes/5
• 198.105.244.228 port 443 - lyrintedba.com - attempted TCP connections but RST from server
• 198.105.254.228 port 443 - lyrintedba.com - attempted TCP connections but RST from server
• 198.105.244.228 port 443 - reundlaboi.ru - attempted TCP connections but RST from server
• 198.105.254.228 port 443 - reundlaboi.ru - attempted TCP connections but RST from server

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  006f7fd56fa89fa576fa95221bdf16422d66787ca366e57816ff6d8a957d7de5
  File size:  259,072 bytes
  File name:  invoice_314728.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  86d9910ae4314d3ac4f9544aa84db11786c2843ace598cf88dc51eaf806e6b54
  File size:  185,344 bytes
  File location:  C:\Users\[username]\AppData\Local\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

Shown above:  Zeus Panda Banker persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2018-04-18-Hancitor-malspam-infection-traffic.pcap.zip   366 kB (365,898 bytes)
• Zip archive of the emails:  2018-04-18-Hancitor-malspam-27-email-examples.txt.zip   8.3 kB (8,324 bytes)
• Zip archive of the malware:  2018-04-18-Hancitor-infection-artifacts.zip   229 kB (228,646 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.