2018-05-03 - HANCITOR MALSPAM - FAKE VEMNO NOTIFICATIONS

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-05-03-Hancitor-malspam-infection-traffic.pcap.zip   2.2 MB (2,207,172 bytes)

• 2018-05-03-Hancitor-malspam-infection-traffic.pcap   (2,546,485 bytes)

• Zip archive of the emails:  2018-05-03-Hancitor-malspam-60-email-examples.txt.zip   10.9 kB (10,871 bytes)

• 2018-05-03-Hancitor-malspam-60-email-examples.txt   (232,606 bytes)

• Zip archive of the malware:  2018-05-03-Hancitor-infection-artifacts.zip   232 kB (232,405 bytes)

• 2018-05-03-Word-doc-with-macro-for-Hancitor.doc   (188,928 bytes)
• 2018-05-03-Zeus-Panda-Banker-from-Hancitor-infection.exe   (177,152 bytes)

NOTES:

• The block list contains additional info first reported in the VirusBay entry for the associated Word document.
• As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.

Shown above:  Flow chart for a typical Hancitor malspam infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• beachesofnwflorida.com
• coastalrealtycsb.com
• coastalrealtypsj.com
• costaljoe.com
• csbbeachrentals.com
• floridasbestescape.com
• gocoastalflorida.com
• isdgcom.net
• sgiflbeachhomes.com
• sgirentalhomes.com
• stgeorgeislandbeachhomes.com
• visitcsb.com
• tanreblingtold.com
• hedningdolac.ru
• atlerando.ru
• hxxp://yakshin.ru/wp-content/themes/omega/lib/1
• hxxp://yakshin.ru/wp-content/themes/omega/lib/2
• hxxp://yakshin.ru/wp-content/themes/omega/lib/3
• hxxp://jeffreytobin.com/wp-content/plugins/options-framework/includes/1
• hxxp://jeffreytobin.com/wp-content/plugins/options-framework/includes/2
• hxxp://jeffreytobin.com/wp-content/plugins/options-framework/includes/3
• hxxp://newstotalk.com/wp-content/themes/wp-genius/1
• hxxp://newstotalk.com/wp-content/themes/wp-genius/2
• hxxp://newstotalk.com/wp-content/themes/wp-genius/3
• hxxp://peterjoubert.com/wp-content/themes/twentyeleven/inc/1
• hxxp://peterjoubert.com/wp-content/themes/twentyeleven/inc/2
• hxxp://peterjoubert.com/wp-content/themes/twentyeleven/inc/3
• hxxp://marysherwoodlifestyles.com/wp-content/themes/twentythirteen/inc/1
• hxxp://marysherwoodlifestyles.com/wp-content/themes/twentythirteen/inc/2
• hxxp://marysherwoodlifestyles.com/wp-content/themes/twentythirteen/inc/3
• robwassotdint.ru

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Thursday 2018-05-03 as early as 14:59 UTC through at least 19:28 UTC

• Received: from burroughscompanies.com ([24.12.65.191])
• Received: from burroughscompanies.com ([50.201.223.204])
• Received: from burroughscompanies.com ([50.255.162.73])
• Received: from burroughscompanies.com ([50.77.19.245])
• Received: from burroughscompanies.com ([64.132.127.25])
• Received: from burroughscompanies.com ([67.214.229.146])
• Received: from burroughscompanies.com ([67.79.17.130])
• Received: from burroughscompanies.com ([68.116.68.2])
• Received: from burroughscompanies.com ([68.179.191.49])
• Received: from burroughscompanies.com ([69.170.122.68])
• Received: from burroughscompanies.com ([71.172.32.163])
• Received: from burroughscompanies.com ([73.63.17.35])
• Received: from burroughscompanies.com ([74.93.97.81])
• Received: from burroughscompanies.com ([97.80.48.154])
• Received: from burroughscompanies.com ([192.119.212.206])
• Received: from burroughscompanies.com ([209.23.243.106])
• Received: from burroughscompanies.com ([209.83.63.58])
• Received: from pinoswindow.com ([12.150.239.26])
• Received: from pinoswindow.com ([24.2.107.206])
• Received: from pinoswindow.com ([38.110.219.130])
• Received: from pinoswindow.com ([38.140.190.218])
• Received: from pinoswindow.com ([47.190.52.75])
• Received: from pinoswindow.com ([50.38.131.250])
• Received: from pinoswindow.com ([50.201.134.50])
• Received: from pinoswindow.com ([50.225.140.58])
• Received: from pinoswindow.com ([50.245.13.13])
• Received: from pinoswindow.com ([50.245.219.38])
• Received: from pinoswindow.com ([50.252.134.186])
• Received: from pinoswindow.com ([66.21.114.99])
• Received: from pinoswindow.com ([66.219.240.66])
• Received: from pinoswindow.com ([67.128.146.154])
• Received: from pinoswindow.com ([67.186.172.133])
• Received: from pinoswindow.com ([67.189.153.43])
• Received: from pinoswindow.com ([69.170.122.68])
• Received: from pinoswindow.com ([69.179.140.245])
• Received: from pinoswindow.com ([71.9.44.142])
• Received: from pinoswindow.com ([72.25.166.130])
• Received: from pinoswindow.com ([72.77.1.13])
• Received: from pinoswindow.com ([74.113.59.181])
• Received: from pinoswindow.com ([74.218.8.178])
• Received: from pinoswindow.com ([75.109.213.106])
• Received: from pinoswindow.com ([76.73.158.220])
• Received: from pinoswindow.com ([96.91.170.74])
• Received: from pinoswindow.com ([96.240.18.85])
• Received: from pinoswindow.com ([97.94.30.141])
• Received: from pinoswindow.com ([107.138.228.207])
• Received: from pinoswindow.com ([137.103.121.141])
• Received: from pinoswindow.com ([142.217.200.139])
• Received: from pinoswindow.com ([169.55.251.141])
• Received: from pinoswindow.com ([173.12.239.115])
• Received: from pinoswindow.com ([173.219.61.189])
• Received: from pinoswindow.com ([173.220.58.194])
• Received: from pinoswindow.com ([174.50.253.185])
• Received: from pinoswindow.com ([174.77.236.252])
• Received: from pinoswindow.com ([184.67.195.30])
• Received: from pinoswindow.com ([208.85.181.217])
• Received: from pinoswindow.com ([208.88.67.188])
• Received: from pinoswindow.com ([216.57.209.45])

• From: "Vemno Inc " <vemnoteam@burroughscompanies.com>
• From: "Vemno Inc " <vemnoteam@pinoswindow.com>
• From: "Vemno Inc All Rights Reserved" <vemnoteam@burroughscompanies.com>
• From: "Vemno Inc All Rights Reserved" <vemnoteam@pinoswindow.com>
• From: "Vemno Services " <vemnoteam@burroughscompanies.com>
• From: "Vemno Services " <vemnoteam@pinoswindow.com>
• From: "Vemno Services All Rights Reserved" <vemnoteam@burroughscompanies.com>
• From: "Vemno Services All Rights Reserved" <vemnoteam@pinoswindow.com>

• Subject: Automated Payment Message From Vemno
• Subject: Automated Payment Notice From Vemno
• Subject: Automated Payment Notification From Vemno
• Subject: Automatic Payment Message From Vemno
• Subject: Automatic Payment Notice From Vemno
• Subject: Automatic Payment Notification From Vemno
• Subject: Electronic Payment Message From Vemno
• Subject: Electronic Payment Notice From Vemno
• Subject: Electronic Payment Notification From Vemno

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:

• hxxp://beachesofnwflorida.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://coastalrealtycsb.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://coastalrealtypsj.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://costaljoe.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://csbbeachrentals.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://floridasbestescape.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://gocoastalflorida.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://isdgcom.net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://sgiflbeachhomes.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://sgirentalhomes.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://stgeorgeislandbeachhomes.com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://visitcsb.com?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 35.187.117.14 port 80 - isdgcom.net - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify.org - GET /
• 185.43.223.6 port 80 - tanreblingtold.com - POST /4/forum.php
• 185.43.223.6 port 80 - tanreblingtold.com - POST /mlu/about.php
• 185.43.223.6 port 80 - tanreblingtold.com - POST /d2/about.php
• 141.8.192.4 port 80 - yakshin.ru - GET /wp-content/themes/omega/lib/1
• 141.8.192.4 port 80 - yakshin.ru - GET /wp-content/themes/omega/lib/2
• 141.8.192.4 port 80 - yakshin.ru - GET /wp-content/themes/omega/lib/3
• 185.174.175.14 port 443 - robwassotdint.ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
• port 80 - www.google.com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  fb82fd4534d7c32a3de8523fde2d59b7c26146eae1827c0b4202630e3004c587
  File size:  188,928 bytes
  File name:  invoice_921483.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  429a5b8fee9b92d638bb4e27821eedbf9844a828ca9131b18f98b38ef16d6edf
  File size:  177,152 bytes
  File location:  C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

Shown above:  Zeus Panda Banker persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the traffic:  2018-05-03-Hancitor-malspam-infection-traffic.pcap.zip   2.2 MB (2,207,172 bytes)
• Zip archive of the emails:  2018-05-03-Hancitor-malspam-60-email-examples.txt.zip   10.9 kB (10,871 bytes)
• Zip archive of the malware:  2018-05-03-Hancitor-infection-artifacts.zip   232 kB (232,405 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.