2019-01-16 - HANCITOR MALSPAM WITH PAYPAL THEME

ASSOCIATED FILES:

• Email examples:  2019-01-16-Hancitor-malspam-47-email-examples.zip   161 kB (161,434 bytes)

• 47 .eml files ranging from 16,891 to 17120 bytes

• Traffic:  2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap.zip   405 kB (405,401 bytes)

• 2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap   (767,878 bytes)

• Malware:  2019-01-16-malware-from-Hancitor-infected-host.zip   275 kB (275,385 bytes)

• 2019-01-16-Hancitor-binary-retrieved-by-Excel-macro.exe   (94210 bytes)
• 2019-01-16-Ursnif-retrieved-by-Hancitor-infected-host.exe   (236,032 bytes)
• 2019-01-16-downloaded-Excel-speadsheet-with-macro-for-Hancitor.xls   (274,432 bytes)

NOTES:

• Today's blog includes indicators already tweeted/posted by @mesa_matt (link to tweet).
• As always, my thanks to everyone who keeps an eye on this malspam, reports about it near-real-time on Twitter, and helps me get copies of the malspam to share.

Shown above:  Flow chart for recent Hancitor malspam infections.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• 800lasallepark[.]ca
• 800lasallepark[.]com
• auctionhauz[.]ca
• gsgroupco[.]ca
• guildwoodcondos[.]com
• lasalleparkliving[.]ca
• lasalleparkliving[.]com
• lasalleparkresidences[.]com
• ockickfit[.]com
• reserveithome[.]com
• rezerevit[.]com
• ledbabdintot[.]com
• ofheptonsfi[.]ru
• netedingof[.]ru
• hxxp://jenrobin[.]com/wp-content/plugins/mailchimp-for-wp/1
• hxxp://jenrobin[.]com/wp-content/plugins/mailchimp-for-wp/2
• hxxp://jenrobin[.]com/wp-content/plugins/mailchimp-for-wp/3
• hxxp://kevinalves[.]com/wp-content/plugins/w3-total-cache/inc/1
• hxxp://kevinalves[.]com/wp-content/plugins/w3-total-cache/inc/2
• hxxp://kevinalves[.]com/wp-content/plugins/w3-total-cache/inc/3
• hxxp://emilyhendrie[.]com/wp-content/plugins/jetpack/modules/1
• hxxp://emilyhendrie[.]com/wp-content/plugins/jetpack/modules/2
• hxxp://emilyhendrie[.]com/wp-content/plugins/jetpack/modules/3
• hxxp://salshakenwrap[.]com/wp-content/plugins/mailchimp/lib/1
• hxxp://salshakenwrap[.]com/wp-content/plugins/mailchimp/lib/2
• hxxp://salshakenwrap[.]com/wp-content/plugins/mailchimp/lib/3
• api.ex100p[.]at
• ax.ikobut[.]at
• beetfeetlife[.]bit
• core.cnboal[.]at
• extra.avareg[.]cn
• f1.cnboal[.]at
• foo.avaregio[.]at
• g2.ex100p[.]at
• in.termas[.]at
• op.basedok[.]at
• pop.muongo[.]at
• sm.dvloop[.]at
• xxx.lapoder[.]at

 

MALSPAM DATA

Shown above:  Screenshot from one of the emails.

 

DATA FROM 47 EMAIL EXAMPLES:

• Date: Wed, 16 Jan 2019 as early as 15:06 UTC through at least 18:43 UTC

• From: "PayPal Inc" <paypal@drfussellsoffice.com>
• From: "PayPal Invoice Service" <paypal@drfussellsoffice.com>
• From: "PayPal Services" <paypal@drfussellsoffice.com>

• Subject: PayPal   Message
• Subject: PayPal  Invoice Message
• Subject: PayPal  Invoice Notice
• Subject: PayPal  Invoice Notification
• Subject: PayPal Automated  Message
• Subject: PayPal Automated  Notice
• Subject: PayPal Automated  Notification
• Subject: PayPal Automated Invoice Message
• Subject: PayPal Automated Invoice Notice
• Subject: PayPal Automated Invoice Notification
• Subject: PayPal Automatic  Message
• Subject: PayPal Automatic  Notice
• Subject: PayPal Automatic  Notification
• Subject: PayPal Automatic Invoice Message
• Subject: PayPal Automatic Invoice Notice
• Subject: PayPal Electronic  Message
• Subject: PayPal Electronic  Notice
• Subject: PayPal Electronic  Notification
• Subject: PayPal Electronic Invoice Notice
• Subject: PayPal Electronic Invoice Notification

• Received: from drfussellsoffice.com ([12.109.16.58])
• Received: from drfussellsoffice.com ([12.45.130.50])
• Received: from drfussellsoffice.com ([139.60.59.98])
• Received: from drfussellsoffice.com ([50.239.76.242])
• Received: from drfussellsoffice.com ([65.157.99.75])
• Received: from drfussellsoffice.com ([70.102.241.100])
• Received: from drfussellsoffice.com ([70.61.145.82])
• Received: from drfussellsoffice.com ([71.14.210.162])
• Received: from drfussellsoffice.com ([72.176.162.206])
• Received: from drfussellsoffice.com ([96.76.95.230])
• Received: from drfussellsoffice.com ([152.179.144.130])
• Received: from drfussellsoffice.com ([173.246.255.76])
• Received: from drfussellsoffice.com ([192.65.138.25])
• Received: from drfussellsoffice.com ([216.130.144.155])
• Received: from drfussellsoffice.com (23-24-96-78-static.hfc.comcastbusiness.net [23.24.96.78])
• Received: from drfussellsoffice.com (24-181-105-27.static.leds.al.charter.com [24.181.105.27])
• Received: from drfussellsoffice.com (50-251-86-105-static.hfc.comcastbusiness.net [50.251.86.105])
• Received: from drfussellsoffice.com (68-188-71-194.static.stls.mo.charter.com [68.188.71.194])
• Received: from drfussellsoffice.com (96-65-154-214-static.hfc.comcastbusiness.net [96.65.154.214])
• Received: from drfussellsoffice.com (96-89-163-241-static.hfc.comcastbusiness.net [96.89.163.241])
• Received: from drfussellsoffice.com (156-019-134-170.static.chtrptr.net [156.19.134.170])
• Received: from drfussellsoffice.com (173-16-153-170.client.mchsi.com [173.16.153.170])
• Received: from drfussellsoffice.com (173-21-25-192.client.mchsi.com [173.21.25.192])
• Received: from drfussellsoffice.com (c-71-235-229-4.hsd1.ct.comcast.net [71.235.229.4])
• Received: from drfussellsoffice.com (c-73-132-138-136.hsd1.dc.comcast.net [73.132.138.136])
• Received: from drfussellsoffice.com (c-73-132-204-156.hsd1.dc.comcast.net [73.132.204.156])
• Received: from drfussellsoffice.com (cblmdm170-253-139-175.maxxsouthbb.net [170.253.139.175])
• Received: from drfussellsoffice.com (cpe-70-119-253-232.tx.res.rr.com [70.119.253.232])
• Received: from drfussellsoffice.com (cpe-74-72-138-117.nyc.res.rr.com [74.72.138.117])
• Received: from drfussellsoffice.com (dsl-066-037-088-090.citizip.com [66.37.88.90])
• Received: from drfussellsoffice.com (hb.scu-mobile.org [12.150.236.34])
• Received: from drfussellsoffice.com (rrcs-24-97-103-170.nys.biz.rr.com [24.97.103.170])
• Received: from drfussellsoffice.com (rrcs-70-63-229-90.midsouth.biz.rr.com [70.63.229.90])
• Received: from drfussellsoffice.com (rrcs-147-0-240-146.central.biz.rr.com [147.0.240.146])
• Received: from drfussellsoffice.com (rrcs-208-125-2-58.nyc.biz.rr.com [208.125.2.58])
• Received: from drfussellsoffice.com (static-72-68-134-154.nycmny.fios.verizon.net [72.68.134.154])
• Received: from drfussellsoffice.com (static-100-2-196-21.nycmny.fios.verizon.net [100.2.196.21])
• Received: from drfussellsoffice.com (static-100-38-139-34.nycmny.fios.verizon.net [100.38.139.34])
• Received: from drfussellsoffice.com (static-198-211-150-226.earthlinkbusiness.net [198.211.150.226])
• Received: from drfussellsoffice.com (wsip-70-182-4-198.lf.br.cox.net [70.182.4.198])

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:

• hxxp://800lasallepark[.]ca?[string of characters]=[encoded string representing recipient's email address]
• hxxp://800lasallepark[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://auctionhauz[.]ca?[string of characters]=[encoded string representing recipient's email address]
• hxxp://gsgroupco[.]ca?[string of characters]=[encoded string representing recipient's email address]
• hxxp://guildwoodcondos[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://lasalleparkliving[.]ca?[string of characters]=[encoded string representing recipient's email address]
• hxxp://lasalleparkliving[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://lasalleparkresidences[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://ockickfit[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://reserveithome[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://rezerevit[.]com?[string of characters]=[encoded string representing recipient's email address]

 

Shown above:  HTTP traffic from today's infection filtered in Wireshark.

 

Shown above:  DNS traffic from today's infection filtered in Wireshark.

 

INITIAL HANCITOR INFECTION TRAFFIC:

• 47.74.2[.]183 port 80 - auctionhauz[.]ca - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify.org - GET /
• 77.72.134[.]167 port 80 - ledbabdintot[.]com - POST /4/forum.php
• 77.72.134[.]167 port 80 - ledbabdintot[.]com - POST /mlu/about.php
• 77.72.134[.]167 port 80 - ledbabdintot[.]com - POST /d2/about.php
• 192.254.225[.]163 port 80 - jenrobin[.]com - GET /wp-content/plugins/mailchimp-for-wp/1
• 192.254.225[.]163 port 80 - jenrobin[.]com - GET /wp-content/plugins/mailchimp-for-wp/2
• 192.254.225[.]163 port 80 - jenrobin[.]com - GET /wp-content/plugins/mailchimp-for-wp/3
• 192.232.218[.]126 port 80 - kevinalves[.]com - GET /wp-content/plugins/w3-total-cache/inc/1
• 192.232.218[.]126 port 80 - kevinalves[.]com - GET /wp-content/plugins/w3-total-cache/inc/2
• 192.232.218[.]126 port 80 - kevinalves[.]com - GET /wp-content/plugins/w3-total-cache/inc/3
• 192.254.234[.]16 port 80 - emilyhendrie[.]com - GET /wp-content/plugins/jetpack/modules/1
• 192.254.234[.]16 port 80 - emilyhendrie[.]com - GET /wp-content/plugins/jetpack/modules/2
• 192.254.234[.]16 port 80 - emilyhendrie[.]com - GET /wp-content/plugins/jetpack/modules/3
• 50.87.146[.]83 port 80 - salshakenwrap[.]com - GET /wp-content/plugins/mailchimp/lib/1
• 50.87.146[.]83 port 80 - salshakenwrap[.]com - GET /wp-content/plugins/mailchimp/lib/2
• 50.87.146[.]83 port 80 - salshakenwrap[.]com - GET /wp-content/plugins/mailchimp/lib/3

URSNIF POST-INFECTION HTTP TRAFFIC:

• 185.176.26[.]66 port 80 - g2.ex100p[.]at - GET /webstore/[long string of characters]
• 185.176.26[.]66 port 80 - beetfeetlife[.]bit - GET /webstore/[long string of characters]

URSNIF POST-INFECTION DNS TRAFFIC:

• 5.189.170[.]196 port 53 (UDP) - DNS queries for Ursnif domains
• 68.183.70[.]217 port 53 (UDP) - DNS queries for Ursnif domains
• 82.196.9[.]45 port 53 (UDP) - DNS queries for Ursnif domains
• 94.247.43[.]254 port 53 (UDP) - DNS queries for Ursnif domains
• 150.249.149[.]222 port 53 (UDP) - DNS queries for Ursnif domains
• 151.80.222[.]79 port 53 (UDP) - DNS queries for Ursnif domains
• 158.69.160[.]164 port 53 (UDP) - DNS queries for Ursnif domains
• 159.89.249[.]249 port 53 (UDP) - DNS queries for Ursnif domains
• 178.17.170[.]179 port 53 (UDP) - DNS queries for Ursnif domains
• 188.165.200[.]156 port 53 (UDP) - DNS queries for Ursnif domains
• 192.71.245[.]208 port 53 (UDP) - DNS queries for Ursnif domains
• 207.148.83[.]241 port 53 (UDP) - DNS queries for Ursnif domains
• 217.144.132[.]148 port 53 (UDP) - DNS queries for Ursnif domains
• 217.144.135[.]7 port 53 (UDP) - DNS queries for Ursnif domains

URSNIF DOMAINS IN THE DNS QUERIES:

• api.ex100p[.]at
• ax.ikobut[.]at
• beetfeetlife[.]bit
• core.cnboal[.]at
• extra.avareg[.]cn
• f1.cnboal[.]at
• foo.avaregio[.]at
• g2.ex100p[.]at
• in.termas[.]at
• op.basedok[.]at
• pop.muongo[.]at
• sm.dvloop[.]at
• xxx.lapoder[.]at

 

FILE HASHES

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

• SHA256 hash:  b5818529e226a30591eb4cddee881538f19509dd139e099bb056d8e8ce5ac055
  File size:  274,432 bytes
  File name:  invoice_947531.xls   (random numbers in the file name)
  File description:  Excel spreadsheet downloaded from a link in Hancitor malspam.  Has macro to cause Hancitor infection.

• SHA256 hash:  1199b24d407ccdddf83fafaf8d63e971edaafded99214bee6b2ad4906729e4d7
  File size:  94,210 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\6fsdFfa.com
  File location:  C:\Users\[username]\AppData\Local\Temp\6.pif
  File description:  Hancitor malware binary caused by macro in downloaded Excel spreadsheet

• SHA256 hash:  d31f2993ec21c24064ce1f2987e10bfe271103880777b476c0d1812423c1c4b0
  File size:  236,032 bytes
  File location:  C:\Users\[username]AppData\Local\Temp\BNCD5C.tmp   (random hex characters in file name)
  File description:  Ursnif on 2019-01-16 retreived by Hancitor-infected host

 

FINAL NOTES

Once again, here are the associated files:

• Email examples:  2019-01-16-Hancitor-malspam-47-email-examples.zip   161 kB (161,434 bytes)
• Traffic:  2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap.zip   405 kB (405,401 bytes)
• Malware:  2019-01-16-malware-from-Hancitor-infected-host.zip   275 kB (275,385 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.