2018-05-02 - HANCITOR MALSPAM - FAKE VERIZON NOTIFICATIONS
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-05-02-Hancitor-malspam-infection-traffic.pcap.zip 2.1 MB (2,148,806 bytes)
- 2018-05-02-Hancitor-malspam-infection-traffic.pcap (2,561,158 bytes)
- Zip archive of the emails: 2018-05-02-Hancitor-malspam-50-email-examples.txt.zip 25.8 kB (25,765 bytes)
- 2018-05-02-Hancitor-malspam-50-email-examples.txt (925,184 bytes)
- Zip archive of the malware: 2018-05-02-Hancitor-infection-artifacts.zip 225 kB (224,851 bytes)
- 2018-05-02-Word-doc-with-macro-for-Hancitor.doc (180,224 bytes)
- 2018-05-02-Zeus-Panda-Banker-from-Hancitor-infection.exe (165,376 bytes)
NOTES:
- The block list contains additional info first reported in the VirusBay entry for the associated Word document.
- As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.
Shown above: Flow chart for a typical Hancitor malspam infection.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- countywidememorials.com
- countywidemonuments.com
- kwrn1550am.com
- prescriptionerrorlawyer.com
- ryanandrie.me
- sawgrasspark.com
- sleeplavish.com
- solutionsforsanjose.info
- solutionsforsanjose.net
- youngsvillehousevalues.com
- youngsvilleproperties.com
- hemfeketro.com
- gejohntorsar.ru
- tonstinnotna.ru
- hxxp://fatcowcoupon.us/wp-content/plugins/nofollow-for-external-link/1
- hxxp://fatcowcoupon.us/wp-content/plugins/nofollow-for-external-link/2
- hxxp://fatcowcoupon.us/wp-content/plugins/nofollow-for-external-link/3
- hxxp://alphafinancialservices.net/wp-content/themes/twentyeleven/inc/1
- hxxp://alphafinancialservices.net/wp-content/themes/twentyeleven/inc/2
- hxxp://alphafinancialservices.net/wp-content/themes/twentyeleven/inc/3
- hxxp://buckscountybass.com/wp-content/themes/canvas-bcac/1
- hxxp://buckscountybass.com/wp-content/themes/canvas-bcac/2
- hxxp://buckscountybass.com/wp-content/themes/canvas-bcac/3
- hxxp://mattbennett.ca/wp-content/themes/spark/inc/1
- hxxp://mattbennett.ca/wp-content/themes/spark/inc/2
- hxxp://mattbennett.ca/wp-content/themes/spark/inc/3
- hxxp://hugefrigginarms.com/wp-content/themes/twentyfifteen/1
- hxxp://hugefrigginarms.com/wp-content/themes/twentyfifteen/2
- hxxp://hugefrigginarms.com/wp-content/themes/twentyfifteen/3
- robwassotdint.ru
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2018-05-02 as early as 16:28 UTC through at least 19:10 UTC
- Received: from etiroltec.com ([12.196.128.171])
- Received: from etiroltec.com ([12.226.231.250])
- Received: from etiroltec.com ([24.119.134.126])
- Received: from etiroltec.com ([24.129.150.98])
- Received: from etiroltec.com ([24.197.23.194])
- Received: from etiroltec.com ([50.204.10.90])
- Received: from etiroltec.com ([50.225.140.58])
- Received: from etiroltec.com ([50.241.155.162])
- Received: from etiroltec.com ([50.255.203.185])
- Received: from etiroltec.com ([50.78.213.181])
- Received: from etiroltec.com ([64.25.84.18])
- Received: from etiroltec.com ([67.137.237.74])
- Received: from etiroltec.com ([67.214.229.146])
- Received: from etiroltec.com ([67.214.241.162])
- Received: from etiroltec.com ([67.214.247.194])
- Received: from etiroltec.com ([68.48.199.46])
- Received: from etiroltec.com ([68.112.41.142])
- Received: from etiroltec.com ([69.54.28.220])
- Received: from etiroltec.com ([69.63.173.150])
- Received: from etiroltec.com ([70.62.179.154])
- Received: from etiroltec.com ([71.45.198.186])
- Received: from etiroltec.com ([71.75.116.158])
- Received: from etiroltec.com ([73.154.50.223])
- Received: from etiroltec.com ([74.121.33.54])
- Received: from etiroltec.com ([74.143.250.210])
- Received: from etiroltec.com ([76.124.248.251])
- Received: from etiroltec.com ([76.79.28.114])
- Received: from etiroltec.com ([96.82.248.185])
- Received: from etiroltec.com ([96.82.248.5])
- Received: from etiroltec.com ([96.95.159.33])
- Received: from etiroltec.com ([104.192.201.189])
- Received: from etiroltec.com ([155.99.70.195])
- Received: from etiroltec.com ([162.104.96.249])
- Received: from etiroltec.com ([162.246.139.3])
- Received: from etiroltec.com ([172.89.91.39])
- Received: from etiroltec.com ([173.12.134.65])
- Received: from etiroltec.com ([173.165.126.46])
- Received: from etiroltec.com ([173.210.47.2])
- Received: from etiroltec.com ([173.219.81.251])
- Received: from etiroltec.com ([203.130.24.211])
- Received: from etiroltec.com ([205.169.166.22])
- Received: from etiroltec.com ([207.119.95.83])
- Received: from etiroltec.com ([207.173.159.68])
- Received: from etiroltec.com ([209.23.243.106])
- Received: from etiroltec.com ([213.120.121.78])
- From: "Verizon Services " <verizonwireless@etiroltec.com>
- From: "Verizon Services All rights reserved. " <verizonwireless@etiroltec.com>
- From: "Verizon Inc. " <verizonwireless@etiroltec.com>
- From: "Verizon Inc. All rights reserved. " <verizonwireless@etiroltec.com>
- From: "Verizon Wireless Services " <verizonwireless@etiroltec.com>
- From: "Verizon Wireless Services All rights reserved. " <verizonwireless@etiroltec.com>
- From: "Verizon Wireless Inc. " <verizonwireless@etiroltec.com>
- From: "Verizon Wireless Inc. All rights reserved. " <verizonwireless@etiroltec.com>
- Subject: Here is your mobile bill
- Subject: Here is your mobile invoice
- Subject: Here is your Verizon cellular bill
- Subject: Here is your Verizon cellular invoice
- Subject: Here is your Verizon Wireless bill
- Subject: Here is your Verizon Wireless invoice
- Subject: Your mobile bill
- Subject: Your mobile invoice
- Subject: Your Verizon cellular bill
- Subject: Your Verizon cellular invoice
- Subject: Your Verizon Wireless bill
- Subject: Your Verizon Wireless invoice
Shown above: Malicious Word document downloaded from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:
- hxxp://countywidememorials.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://countywidemonuments.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://kwrn1550am.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://prescriptionerrorlawyer.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://ryanandrie.me?[string of characters]=[encoded string representing recipient's email address]
- hxxp://sawgrasspark.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://sleeplavish.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://solutionsforsanjose.info?[string of characters]=[encoded string representing recipient's email address]
- hxxp://solutionsforsanjose.net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://youngsvillehousevalues.com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://youngsvilleproperties.com?[string of characters]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM AN INFECTED LAB HOST:
- 35.187.117.14 port 80 - sleeplavish.com - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify.org - GET /
- 195.123.213.133 port 80 - hemfeketro.com - POST /4/forum.php
- 195.123.213.133 port 80 - hemfeketro.com - POST /mlu/about.php
- 195.123.213.133 port 80 - hemfeketro.com - POST /d2/about.php
- 69.89.30.142 port 80 - fatcowcoupon.us - GET /wp-content/plugins/nofollow-for-external-link/1
- 69.89.30.142 port 80 - fatcowcoupon.us - GET /wp-content/plugins/nofollow-for-external-link/2
- 69.89.30.142 port 80 - fatcowcoupon.us - GET /wp-content/plugins/nofollow-for-external-link/3
- 185.174.175.14 port 443 - robwassotdint.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- port 80 - www.google.com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker
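The traffic listing above shows the sequence a defender can key on: a GET to the document-delivery domain, the api.ipify.org lookup, POSTs to the Hancitor C2 with `/<dir>/forum.php` or `/<dir>/about.php` paths, and the follow-up GETs to compromised WordPress sites ending in `/1`, `/2`, `/3`. The following Python script is an added example, not code from the original post or from malware-traffic-analysis.net. It refangs the `hxxp://` indicators from the block list above, then runs both an indicator match and a behavioural check over a few constructed proxy log lines in a made-up `time client method host path` format; the sample lines and that format are assumptions, and the behavioural patterns are derived only from the traffic listed on this page.

```python
"""Proxy-log check built from the indicators on this page (added example).

Log format and sample lines are constructed for illustration; the indicator
lists are copied from the post's block list and still defanged (hxxp://).
"""
import re

# Domains from the post's block list.
BLOCK_DOMAINS = {
    "countywidememorials.com", "countywidemonuments.com", "kwrn1550am.com",
    "prescriptionerrorlawyer.com", "ryanandrie.me", "sawgrasspark.com",
    "sleeplavish.com", "solutionsforsanjose.info", "solutionsforsanjose.net",
    "youngsvillehousevalues.com", "youngsvilleproperties.com",
    "hemfeketro.com", "gejohntorsar.ru", "tonstinnotna.ru", "robwassotdint.ru",
}

# Payload URLs from the post's block list, as published (defanged).
DEFANGED_URLS = [
    f"hxxp://{base}/{n}"
    for base in (
        "fatcowcoupon.us/wp-content/plugins/nofollow-for-external-link",
        "alphafinancialservices.net/wp-content/themes/twentyeleven/inc",
        "buckscountybass.com/wp-content/themes/canvas-bcac",
        "mattbennett.ca/wp-content/themes/spark/inc",
        "hugefrigginarms.com/wp-content/themes/twentyfifteen",
    )
    for n in (1, 2, 3)
]


def refang(url: str) -> str:
    """Turn a defanged hxxp:// or hxxps:// indicator back into a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


REFANGED_URLS = {refang(u) for u in DEFANGED_URLS}

# Behavioural patterns taken from the traffic listed on this page:
# payload pulls from compromised WordPress paths ending in /1, /2, /3,
# and C2 check-ins as POST /<dir>/forum.php or /<dir>/about.php.
PAYLOAD_PATH = re.compile(r"^/wp-content/.+/[123]$")
C2_PATH = re.compile(r"^/[A-Za-z0-9]+/(?:forum|about)\.php$")

# Constructed log format (assumption): "<time> <client-ip> <METHOD> <host> <path>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def check_logs(lines):
    """Return (client, reason, url) tuples for every suspicious request.

    Two reasons come straight from the indicator lists ("blocklist"); the other
    two are behavioural. The C2 rule only fires for a client that was already
    seen doing the api.ipify.org lookup, which mirrors the order seen in the pcap.
    """
    findings = []
    did_ipify_lookup = set()
    for rec in (parse_line(l) for l in lines):
        if rec is None:
            continue
        client, host, path = rec["client"], rec["host"], rec["path"]
        url = f"http://{host}{path}"

        # Plain indicator match against the post's domains and payload URLs.
        if host in BLOCK_DOMAINS or url in REFANGED_URLS:
            findings.append((client, "blocklist", url))

        # Behavioural match, independent of whether the host is already listed.
        if host == "api.ipify.org":
            did_ipify_lookup.add(client)
        elif rec["method"] == "POST" and C2_PATH.match(path) and client in did_ipify_lookup:
            findings.append((client, "hancitor-c2-pattern", url))
        elif rec["method"] == "GET" and PAYLOAD_PATH.match(path):
            findings.append((client, "hancitor-payload-pattern", url))
    return findings


# Constructed sample log: one host replaying the sequence from this page,
# plus benign lines and a POST to a forum.php that should not fire alone.
SAMPLE_LOG = """\
16:30:01 10.0.0.5 GET sleeplavish.com /?abcd=ZXhhbXBsZUBleGFtcGxlLmNvbQ==
16:30:02 10.0.0.5 GET www.example.com /index.html
16:31:10 10.0.0.5 GET api.ipify.org /
16:31:11 10.0.0.5 POST hemfeketro.com /4/forum.php
16:31:12 10.0.0.5 GET fatcowcoupon.us /wp-content/plugins/nofollow-for-external-link/1
16:40:00 10.0.0.9 POST forum.example /x/forum.php
""".splitlines()

if __name__ == "__main__":
    for client, reason, url in check_logs(SAMPLE_LOG):
        print(f"{client}  {reason:26s}  {url}")
```

Running it lists five findings, all for 10.0.0.5: the document-delivery domain, the C2 host (matched both by the block list and by the ipify-then-POST pattern), and the first payload URL (matched both as a listed URL and by the `/wp-content/.../1` shape); the lone POST from 10.0.0.9 produces nothing because no ipify lookup preceded it. In a real deployment the blocklist rules expire with the indicators, while the two behavioural rules are what keep catching later Hancitor runs that rotate domains.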
FILE HASHES
MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
- SHA256 hash: c2097360c006fc3325914406e1b1f0d4857e9a550618ffedc1d0eb0fe8e64777
  File size: 180,224 bytes
  File name: invoice_484067.doc [any six random digits for the numbers]
  File description: Word document with macro for Hancitor
- SHA256 hash: b16c6a67e3629c27092661cec1d7643afc8d83f7902a8fcfb6691f310b95fbcb
  File size: 165,376 bytes
  File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
  File description: Zeus Panda Banker
Shown above: Zeus Panda Banker persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the traffic: 2018-05-02-Hancitor-malspam-infection-traffic.pcap.zip 2.1 MB (2,148,806 bytes)
- Zip archive of the emails: 2018-05-02-Hancitor-malspam-50-email-examples.txt.zip 25.8 kB (25,765 bytes)
- Zip archive of the malware: 2018-05-02-Hancitor-infection-artifacts.zip 225 kB (224,851 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.