2018-05-02 - HANCITOR MALSPAM - FAKE VERIZON NOTIFICATIONS

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-05-02-Hancitor-malspam-infection-traffic.pcap.zip   2.1 MB (2,148,806 bytes)

• 2018-05-02-Hancitor-malspam-infection-traffic.pcap   (2,561,158 bytes)

• Zip archive of the emails:  2018-05-02-Hancitor-malspam-50-email-examples.txt.zip   25.8 kB (25,765 bytes)

• 2018-05-02-Hancitor-malspam-50-email-examples.txt   (925,184 bytes)

• Zip archive of the malware:  2018-05-02-Hancitor-infection-artifacts.zip   225 kB (224,851 bytes)

• 2018-05-02-Word-doc-with-macro-for-Hancitor.doc   (180,224 bytes)
• 2018-05-02-Zeus-Panda-Banker-from-Hancitor-infection.exe   (165,376 bytes)

NOTES:

• The block list contains additional info first reported in the VirusBay entry for the associated Word document.
• As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.

Shown above:  Flow chart for a typical Hancitor malspam infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• countywidememorials.com
• countywidemonuments.com
• kwrn1550am.com
• prescriptionerrorlawyer.com
• ryanandrie.me
• sawgrasspark.com
• sleeplavish.com
• solutionsforsanjose.info
• solutionsforsanjose.net
• youngsvillehousevalues.com
• youngsvilleproperties.com
• hemfeketro.com
• gejohntorsar.ru
• tonstinnotna.ru
• hxxp://fatcowcoupon.us/wp-content/plugins/nofollow-for-external-link/1
• hxxp://fatcowcoupon.us/wp-content/plugins/nofollow-for-external-link/2
• hxxp://fatcowcoupon.us/wp-content/plugins/nofollow-for-external-link/3
• hxxp://alphafinancialservices.net/wp-content/themes/twentyeleven/inc/1
• hxxp://alphafinancialservices.net/wp-content/themes/twentyeleven/inc/2
• hxxp://alphafinancialservices.net/wp-content/themes/twentyeleven/inc/3
• hxxp://buckscountybass.com/wp-content/themes/canvas-bcac/1
• hxxp://buckscountybass.com/wp-content/themes/canvas-bcac/2
• hxxp://buckscountybass.com/wp-content/themes/canvas-bcac/3
• hxxp://mattbennett.ca/wp-content/themes/spark/inc/1
• hxxp://mattbennett.ca/wp-content/themes/spark/inc/2
• hxxp://mattbennett.ca/wp-content/themes/spark/inc/3
• hxxp://hugefrigginarms.com/wp-content/themes/twentyfifteen/1
• hxxp://hugefrigginarms.com/wp-content/themes/twentyfifteen/2
• hxxp://hugefrigginarms.com/wp-content/themes/twentyfifteen/3
• robwassotdint.ru

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Wednesday 2018-05-02 as early as 16:28 UTC through at least 19:10 UTC

• Received: from etiroltec.com ([12.196.128.171])
• Received: from etiroltec.com ([12.226.231.250])
• Received: from etiroltec.com ([24.119.134.126])
• Received: from etiroltec.com ([24.129.150.98])
• Received: from etiroltec.com ([24.197.23.194])
• Received: from etiroltec.com ([50.204.10.90])
• Received: from etiroltec.com ([50.225.140.58])
• Received: from etiroltec.com ([50.241.155.162])
• Received: from etiroltec.com ([50.255.203.185])
• Received: from etiroltec.com ([50.78.213.181])
• Received: from etiroltec.com ([64.25.84.18])
• Received: from etiroltec.com ([67.137.237.74])
• Received: from etiroltec.com ([67.214.229.146])
• Received: from etiroltec.com ([67.214.241.162])
• Received: from etiroltec.com ([67.214.247.194])
• Received: from etiroltec.com ([68.48.199.46])
• Received: from etiroltec.com ([68.112.41.142])
• Received: from etiroltec.com ([69.54.28.220])
• Received: from etiroltec.com ([69.63.173.150])
• Received: from etiroltec.com ([70.62.179.154])
• Received: from etiroltec.com ([71.45.198.186])
• Received: from etiroltec.com ([71.75.116.158])
• Received: from etiroltec.com ([73.154.50.223])
• Received: from etiroltec.com ([74.121.33.54])
• Received: from etiroltec.com ([74.143.250.210])
• Received: from etiroltec.com ([76.124.248.251])
• Received: from etiroltec.com ([76.79.28.114])
• Received: from etiroltec.com ([96.82.248.185])
• Received: from etiroltec.com ([96.82.248.5])
• Received: from etiroltec.com ([96.95.159.33])
• Received: from etiroltec.com ([104.192.201.189])
• Received: from etiroltec.com ([155.99.70.195])
• Received: from etiroltec.com ([162.104.96.249])
• Received: from etiroltec.com ([162.246.139.3])
• Received: from etiroltec.com ([172.89.91.39])
• Received: from etiroltec.com ([173.12.134.65])
• Received: from etiroltec.com ([173.165.126.46])
• Received: from etiroltec.com ([173.210.47.2])
• Received: from etiroltec.com ([173.219.81.251])
• Received: from etiroltec.com ([203.130.24.211])
• Received: from etiroltec.com ([205.169.166.22])
• Received: from etiroltec.com ([207.119.95.83])
• Received: from etiroltec.com ([207.173.159.68])
• Received: from etiroltec.com ([209.23.243.106])
• Received: from etiroltec.com ([213.120.121.78])

• From: "Verizon  Services " <verizonwireless@etiroltec.com>
• From: "Verizon  Services All rights reserved. " <verizonwireless@etiroltec.com>
• From: "Verizon Inc. " <verizonwireless@etiroltec.com>
• From: "Verizon Inc. All rights reserved. " <verizonwireless@etiroltec.com>
• From: "Verizon Wireless  Services " <verizonwireless@etiroltec.com>
• From: "Verizon Wireless  Services All rights reserved. " <verizonwireless@etiroltec.com>
• From: "Verizon Wireless Inc. " <verizonwireless@etiroltec.com>
• From: "Verizon Wireless Inc. All rights reserved. " <verizonwireless@etiroltec.com>

• Subject: Here is your mobile bill
• Subject: Here is your mobile invoice
• Subject: Here is your Verizon cellular bill
• Subject: Here is your Verizon cellular invoice
• Subject: Here is your Verizon Wireless bill
• Subject: Here is your Verizon Wireless invoice
• Subject: Your mobile bill
• Subject: Your mobile invoice
• Subject: Your Verizon cellular bill
• Subject: Your Verizon cellular invoice
• Subject: Your Verizon Wireless bill
• Subject: Your Verizon Wireless invoice

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:

• hxxp://countywidememorials.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://countywidemonuments.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://kwrn1550am.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://prescriptionerrorlawyer.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://ryanandrie.me?[string of characters]=[encoded string representing recipient's email address]
• hxxp://sawgrasspark.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://sleeplavish.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://solutionsforsanjose.info?[string of characters]=[encoded string representing recipient's email address]
• hxxp://solutionsforsanjose.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://youngsvillehousevalues.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://youngsvilleproperties.com?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 35.187.117.14 port 80 - sleeplavish.com - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify.org - GET /
• 195.123.213.133 port 80 - hemfeketro.com - POST /4/forum.php
• 195.123.213.133 port 80 - hemfeketro.com - POST /mlu/about.php
• 195.123.213.133 port 80 - hemfeketro.com - POST /d2/about.php
• 69.89.30.142 port 80 - fatcowcoupon.us - GET /wp-content/plugins/nofollow-for-external-link/1
• 69.89.30.142 port 80 - fatcowcoupon.us - GET /wp-content/plugins/nofollow-for-external-link/2
• 69.89.30.142 port 80 - fatcowcoupon.us - GET /wp-content/plugins/nofollow-for-external-link/3
• 185.174.175.14 port 443 - robwassotdint.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
• port 80 - www.google.com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  c2097360c006fc3325914406e1b1f0d4857e9a550618ffedc1d0eb0fe8e64777
  File size:  180,224 bytes
  File name:  invoice_484067.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  b16c6a67e3629c27092661cec1d7643afc8d83f7902a8fcfb6691f310b95fbcb
  File size:  165,376 bytes
  File location:  C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

Shown above:  Zeus Panda Banker persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2018-05-02-Hancitor-malspam-infection-traffic.pcap.zip   2.1 MB (2,148,806 bytes)
• Zip archive of the emails:  2018-05-02-Hancitor-malspam-50-email-examples.txt.zip   25.8 kB (25,765 bytes)
• Zip archive of the malware:  2018-05-02-Hancitor-infection-artifacts.zip   225 kB (224,851 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.