2019-01-16 - HANCITOR MALSPAM WITH PAYPAL THEME
ASSOCIATED FILES:
- Email examples: 2019-01-16-Hancitor-malspam-47-email-examples.zip 161 kB (161,434 bytes)
- 47 .eml files ranging from 16,891 to 17,120 bytes
- Traffic: 2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap.zip 405 kB (405,401 bytes)
- 2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap (767,878 bytes)
- Malware: 2019-01-16-malware-from-Hancitor-infected-host.zip 275 kB (275,385 bytes)
- 2019-01-16-Hancitor-binary-retrieved-by-Excel-macro.exe (94,210 bytes)
- 2019-01-16-Ursnif-retrieved-by-Hancitor-infected-host.exe (236,032 bytes)
- 2019-01-16-downloaded-Excel-speadsheet-with-macro-for-Hancitor.xls (274,432 bytes)
NOTES:
- Today's blog includes indicators already tweeted/posted by @mesa_matt (link to tweet).
- As always, my thanks to everyone who keeps an eye on this malspam, reports about it near-real-time on Twitter, and helps me get copies of the malspam to share.
Shown above: Flow chart for recent Hancitor malspam infections.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- 800lasallepark[.]ca
- 800lasallepark[.]com
- auctionhauz[.]ca
- gsgroupco[.]ca
- guildwoodcondos[.]com
- lasalleparkliving[.]ca
- lasalleparkliving[.]com
- lasalleparkresidences[.]com
- ockickfit[.]com
- reserveithome[.]com
- rezerevit[.]com
- ledbabdintot[.]com
- ofheptonsfi[.]ru
- netedingof[.]ru
- hxxp://jenrobin[.]com/wp-content/plugins/mailchimp-for-wp/1
- hxxp://jenrobin[.]com/wp-content/plugins/mailchimp-for-wp/2
- hxxp://jenrobin[.]com/wp-content/plugins/mailchimp-for-wp/3
- hxxp://kevinalves[.]com/wp-content/plugins/w3-total-cache/inc/1
- hxxp://kevinalves[.]com/wp-content/plugins/w3-total-cache/inc/2
- hxxp://kevinalves[.]com/wp-content/plugins/w3-total-cache/inc/3
- hxxp://emilyhendrie[.]com/wp-content/plugins/jetpack/modules/1
- hxxp://emilyhendrie[.]com/wp-content/plugins/jetpack/modules/2
- hxxp://emilyhendrie[.]com/wp-content/plugins/jetpack/modules/3
- hxxp://salshakenwrap[.]com/wp-content/plugins/mailchimp/lib/1
- hxxp://salshakenwrap[.]com/wp-content/plugins/mailchimp/lib/2
- hxxp://salshakenwrap[.]com/wp-content/plugins/mailchimp/lib/3
- api.ex100p[.]at
- ax.ikobut[.]at
- beetfeetlife[.]bit
- core.cnboal[.]at
- extra.avareg[.]cn
- f1.cnboal[.]at
- foo.avaregio[.]at
- g2.ex100p[.]at
- in.termas[.]at
- op.basedok[.]at
- pop.muongo[.]at
- sm.dvloop[.]at
- xxx.lapoder[.]at
MALSPAM DATA
Shown above: Screenshot from one of the emails.
DATA FROM 47 EMAIL EXAMPLES:
- Date: Wed, 16 Jan 2019 as early as 15:06 UTC through at least 18:43 UTC
- From: "PayPal Inc" <paypal@drfussellsoffice.com>
- From: "PayPal Invoice Service" <paypal@drfussellsoffice.com>
- From: "PayPal Services" <paypal@drfussellsoffice.com>
- Subject: PayPal Message
- Subject: PayPal Invoice Message
- Subject: PayPal Invoice Notice
- Subject: PayPal Invoice Notification
- Subject: PayPal Automated Message
- Subject: PayPal Automated Notice
- Subject: PayPal Automated Notification
- Subject: PayPal Automated Invoice Message
- Subject: PayPal Automated Invoice Notice
- Subject: PayPal Automated Invoice Notification
- Subject: PayPal Automatic Message
- Subject: PayPal Automatic Notice
- Subject: PayPal Automatic Notification
- Subject: PayPal Automatic Invoice Message
- Subject: PayPal Automatic Invoice Notice
- Subject: PayPal Electronic Message
- Subject: PayPal Electronic Notice
- Subject: PayPal Electronic Notification
- Subject: PayPal Electronic Invoice Notice
- Subject: PayPal Electronic Invoice Notification
- Received: from drfussellsoffice.com ([12.109.16.58])
- Received: from drfussellsoffice.com ([12.45.130.50])
- Received: from drfussellsoffice.com ([139.60.59.98])
- Received: from drfussellsoffice.com ([50.239.76.242])
- Received: from drfussellsoffice.com ([65.157.99.75])
- Received: from drfussellsoffice.com ([70.102.241.100])
- Received: from drfussellsoffice.com ([70.61.145.82])
- Received: from drfussellsoffice.com ([71.14.210.162])
- Received: from drfussellsoffice.com ([72.176.162.206])
- Received: from drfussellsoffice.com ([96.76.95.230])
- Received: from drfussellsoffice.com ([152.179.144.130])
- Received: from drfussellsoffice.com ([173.246.255.76])
- Received: from drfussellsoffice.com ([192.65.138.25])
- Received: from drfussellsoffice.com ([216.130.144.155])
- Received: from drfussellsoffice.com (23-24-96-78-static.hfc.comcastbusiness.net [23.24.96.78])
- Received: from drfussellsoffice.com (24-181-105-27.static.leds.al.charter.com [24.181.105.27])
- Received: from drfussellsoffice.com (50-251-86-105-static.hfc.comcastbusiness.net [50.251.86.105])
- Received: from drfussellsoffice.com (68-188-71-194.static.stls.mo.charter.com [68.188.71.194])
- Received: from drfussellsoffice.com (96-65-154-214-static.hfc.comcastbusiness.net [96.65.154.214])
- Received: from drfussellsoffice.com (96-89-163-241-static.hfc.comcastbusiness.net [96.89.163.241])
- Received: from drfussellsoffice.com (156-019-134-170.static.chtrptr.net [156.19.134.170])
- Received: from drfussellsoffice.com (173-16-153-170.client.mchsi.com [173.16.153.170])
- Received: from drfussellsoffice.com (173-21-25-192.client.mchsi.com [173.21.25.192])
- Received: from drfussellsoffice.com (c-71-235-229-4.hsd1.ct.comcast.net [71.235.229.4])
- Received: from drfussellsoffice.com (c-73-132-138-136.hsd1.dc.comcast.net [73.132.138.136])
- Received: from drfussellsoffice.com (c-73-132-204-156.hsd1.dc.comcast.net [73.132.204.156])
- Received: from drfussellsoffice.com (cblmdm170-253-139-175.maxxsouthbb.net [170.253.139.175])
- Received: from drfussellsoffice.com (cpe-70-119-253-232.tx.res.rr.com [70.119.253.232])
- Received: from drfussellsoffice.com (cpe-74-72-138-117.nyc.res.rr.com [74.72.138.117])
- Received: from drfussellsoffice.com (dsl-066-037-088-090.citizip.com [66.37.88.90])
- Received: from drfussellsoffice.com (hb.scu-mobile.org [12.150.236.34])
- Received: from drfussellsoffice.com (rrcs-24-97-103-170.nys.biz.rr.com [24.97.103.170])
- Received: from drfussellsoffice.com (rrcs-70-63-229-90.midsouth.biz.rr.com [70.63.229.90])
- Received: from drfussellsoffice.com (rrcs-147-0-240-146.central.biz.rr.com [147.0.240.146])
- Received: from drfussellsoffice.com (rrcs-208-125-2-58.nyc.biz.rr.com [208.125.2.58])
- Received: from drfussellsoffice.com (static-72-68-134-154.nycmny.fios.verizon.net [72.68.134.154])
- Received: from drfussellsoffice.com (static-100-2-196-21.nycmny.fios.verizon.net [100.2.196.21])
- Received: from drfussellsoffice.com (static-100-38-139-34.nycmny.fios.verizon.net [100.38.139.34])
- Received: from drfussellsoffice.com (static-198-211-150-226.earthlinkbusiness.net [198.211.150.226])
- Received: from drfussellsoffice.com (wsip-70-182-4-198.lf.br.cox.net [70.182.4.198])
Shown above: Malicious Excel spreadsheet downloaded from a link in the malspam.
TRAFFIC
LINKS IN THE EMAILS TO DOWNLOAD THE EXCEL SPREADSHEET:
- hxxp://800lasallepark[.]ca?[string of characters]=[encoded string representing recipient's email address]
- hxxp://800lasallepark[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://auctionhauz[.]ca?[string of characters]=[encoded string representing recipient's email address]
- hxxp://gsgroupco[.]ca?[string of characters]=[encoded string representing recipient's email address]
- hxxp://guildwoodcondos[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://lasalleparkliving[.]ca?[string of characters]=[encoded string representing recipient's email address]
- hxxp://lasalleparkliving[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://lasalleparkresidences[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://ockickfit[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://reserveithome[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://rezerevit[.]com?[string of characters]=[encoded string representing recipient's email address]
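The header data and the download links above are the kind of thing worth pulling out of all 47 .eml files in one pass rather than by hand. The script below is an added example and is not code from the original post: it extracts the sender, subject, the IP in the Received header and the document link from each message and tabulates them. The two sample messages embedded in it are constructed to match the header and link formats documented above; the query parameter names and encoded values are made up, and the encoded recipient string is kept verbatim because the post does not state how it is encoded.

```python
"""Triage a batch of Hancitor-style .eml files: sender, subject, sending IP from
the Received header, and the document download link.

Added example, not code from the original post. The messages in SAMPLE_EMLS are
constructed; the query parameter names and encoded values are made up, and the
encoded recipient string is kept verbatim rather than decoded."""
import email
import re
from collections import Counter
from email import policy
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample messages shaped like the headers documented above.
SAMPLE_EMLS = [
    """From: "PayPal Inc" <paypal@drfussellsoffice.com>
To: victim@example.com
Subject: PayPal Automated Invoice Notice
Date: Wed, 16 Jan 2019 15:06:11 +0000
Received: from drfussellsoffice.com ([12.109.16.58]) by mx.example.com
Content-Type: text/html

<html><body>Your invoice is ready:
<a href="http://auctionhauz.ca?invoice=dmljdGltQGV4YW1wbGUuY29t">View invoice</a>
</body></html>
""",
    """From: "PayPal Services" <paypal@drfussellsoffice.com>
To: other@example.com
Subject: PayPal Electronic Notification
Date: Wed, 16 Jan 2019 18:43:02 +0000
Received: from drfussellsoffice.com (c-71-235-229-4.hsd1.ct.comcast.net [71.235.229.4]) by mx.example.com
Content-Type: text/plain

PayPal message. Open http://lasalleparkliving.com?doc=b3RoZXJAZXhhbXBsZS5jb20= now.
""",
]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HTTP_LINK = re.compile(r"https?://[^\s\"'<>]+")


def triage(raw: str) -> dict:
    """Extract the fields an analyst tabulates from one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Received headers are prepended at each hop, so the last one is the first
    # hop: the connection from the sending bot into the mail system. With a
    # relay chain you would instead pick the hop at the organization boundary.
    sending_ip = None
    for hdr in reversed(msg.get_all("Received") or []):
        m = RECEIVED_IP.search(hdr)
        if m:
            sending_ip = m.group(1)
            break
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    link = HTTP_LINK.search(body)
    parts = urlsplit(link.group(0)) if link else None
    return {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "received_ip": sending_ip,
        "link_host": parts.hostname if parts else None,
        # "<param>=<encoded recipient>"; the encoding is not documented, so keep it raw.
        "link_query": parts.query if parts else None,
    }


def summarize(raws) -> dict:
    """Tabulate distinct sending IPs, subjects, and link hosts across a batch."""
    rows = [triage(r) for r in raws]
    return {
        "sender_ips": Counter(r["received_ip"] for r in rows),
        "subjects": Counter(r["subject"] for r in rows),
        "link_hosts": Counter(r["link_host"] for r in rows),
    }


def summarize_dir(path: str) -> dict:
    """Run the same tabulation over every .eml file in a directory."""
    raws = [p.read_text(errors="replace") for p in sorted(Path(path).glob("*.eml"))]
    return summarize(raws)


if __name__ == "__main__":
    for key, counter in summarize(SAMPLE_EMLS).items():
        print(key)
        for value, n in counter.most_common():
            print(f"  {n:3d}  {value}")
```

Point `summarize_dir()` at the unzipped email archive to reproduce the sender IP, subject and link-domain lists above; the Received-header choice is the one that matters, since a relay in front of the MX would otherwise give you your own gateway's address instead of the bot's.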
Shown above: HTTP traffic from today's infection filtered in Wireshark.
Shown above: DNS traffic from today's infection filtered in Wireshark.
INITIAL HANCITOR INFECTION TRAFFIC:
- 47.74.2[.]183 port 80 - auctionhauz[.]ca - GET /?[string of characters]=[encoded string representing recipient's email address]
- port 80 - api.ipify.org - GET / (external IP address lookup)
- 77.72.134[.]167 port 80 - ledbabdintot[.]com - POST /4/forum.php
- 77.72.134[.]167 port 80 - ledbabdintot[.]com - POST /mlu/about.php
- 77.72.134[.]167 port 80 - ledbabdintot[.]com - POST /d2/about.php
- 192.254.225[.]163 port 80 - jenrobin[.]com - GET /wp-content/plugins/mailchimp-for-wp/1
- 192.254.225[.]163 port 80 - jenrobin[.]com - GET /wp-content/plugins/mailchimp-for-wp/2
- 192.254.225[.]163 port 80 - jenrobin[.]com - GET /wp-content/plugins/mailchimp-for-wp/3
- 192.232.218[.]126 port 80 - kevinalves[.]com - GET /wp-content/plugins/w3-total-cache/inc/1
- 192.232.218[.]126 port 80 - kevinalves[.]com - GET /wp-content/plugins/w3-total-cache/inc/2
- 192.232.218[.]126 port 80 - kevinalves[.]com - GET /wp-content/plugins/w3-total-cache/inc/3
- 192.254.234[.]16 port 80 - emilyhendrie[.]com - GET /wp-content/plugins/jetpack/modules/1
- 192.254.234[.]16 port 80 - emilyhendrie[.]com - GET /wp-content/plugins/jetpack/modules/2
- 192.254.234[.]16 port 80 - emilyhendrie[.]com - GET /wp-content/plugins/jetpack/modules/3
- 50.87.146[.]83 port 80 - salshakenwrap[.]com - GET /wp-content/plugins/mailchimp/lib/1
- 50.87.146[.]83 port 80 - salshakenwrap[.]com - GET /wp-content/plugins/mailchimp/lib/2
- 50.87.146[.]83 port 80 - salshakenwrap[.]com - GET /wp-content/plugins/mailchimp/lib/3
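The sequence above is more useful as a behavioral pattern than as a list of hosts, because the C2 domain and the compromised WordPress sites rotate between campaigns while the shape stays the same: an external IP lookup, a POST to a C2 script, then GETs for numbered files under a plugin path. The script below is an added example and not code from the original post; it runs that pattern over HTTP metadata records. HTTP_LOG is constructed from the URIs documented above, and the client IPs (10.1.1.x), the server IPs for ipify and example.com (203.0.113.x), the timestamps and the two-minute window are made up.

```python
"""Flag the Hancitor check-in sequence in HTTP metadata: an external-IP lookup,
then a POST to the C2 script, then GETs for numbered files under a WordPress
plugin path, all from one client inside a short window.

Added example, not from the original post. HTTP_LOG is constructed from the URIs
documented above; the client IPs (10.1.1.x), the ipify and example.com server
IPs (203.0.113.x), the timestamps and the window length are made up."""
import re
from collections import defaultdict

# Constructed records: (epoch seconds, client, server, Host header, method, URI)
HTTP_LOG = [
    (1547651200.0, "10.1.1.25", "47.74.2.183",     "auctionhauz.ca",   "GET",  "/?invoice=dmljdGltQGV4YW1wbGUuY29t"),
    (1547651260.0, "10.1.1.25", "203.0.113.10",    "api.ipify.org",    "GET",  "/"),
    (1547651261.0, "10.1.1.25", "77.72.134.167",   "ledbabdintot.com", "POST", "/4/forum.php"),
    (1547651262.0, "10.1.1.25", "192.254.225.163", "jenrobin.com",     "GET",  "/wp-content/plugins/mailchimp-for-wp/1"),
    (1547651263.0, "10.1.1.25", "192.254.225.163", "jenrobin.com",     "GET",  "/wp-content/plugins/mailchimp-for-wp/2"),
    (1547651264.0, "10.1.1.25", "192.254.225.163", "jenrobin.com",     "GET",  "/wp-content/plugins/mailchimp-for-wp/3"),
    (1547651270.0, "10.1.1.25", "77.72.134.167",   "ledbabdintot.com", "POST", "/mlu/about.php"),
    # A second client that only checks its public IP: the lookup alone must not fire.
    (1547651300.0, "10.1.1.40", "203.0.113.10",    "api.ipify.org",    "GET",  "/"),
    (1547651301.0, "10.1.1.40", "203.0.113.20",    "example.com",      "GET",  "/index.html"),
]

IP_LOOKUP_HOSTS = {"api.ipify.org"}                          # the service seen in this infection
C2_SCRIPT = re.compile(r"/(?:forum|about)\.php$")             # /4/forum.php, /mlu/about.php, /d2/about.php
PLUGIN_STAGE = re.compile(r"^/wp-content/plugins/.+/\d+$")   # .../1, .../2, .../3
WINDOW_SECONDS = 120.0                                        # assumption: check-in completes within two minutes


def find_hancitor_chains(records, window=WINDOW_SECONDS):
    """Return one finding per client whose IP lookup is followed, within the
    window, by at least one C2 POST and at least one numbered plugin GET."""
    by_client = defaultdict(list)
    for rec in sorted(records):
        by_client[rec[1]].append(rec)

    findings = []
    for client, recs in by_client.items():
        for i, (ts, _, _, host, method, _) in enumerate(recs):
            if method != "GET" or host not in IP_LOOKUP_HOSTS:
                continue
            c2_posts, stage_gets = [], []
            for ts2, _, server, host2, method2, uri2 in recs[i + 1:]:
                if ts2 - ts > window:
                    break
                if method2 == "POST" and C2_SCRIPT.search(uri2):
                    c2_posts.append((host2, server, uri2))
                elif method2 == "GET" and PLUGIN_STAGE.match(uri2):
                    stage_gets.append((host2, server, uri2))
            if c2_posts and stage_gets:
                findings.append({
                    "client": client,
                    "ip_lookup_ts": ts,
                    "c2": sorted(set(c2_posts)),
                    "stages": stage_gets,
                })
                break  # one finding per client is enough for triage
    return findings


def block_candidates(findings):
    """Hosts a defender would add to a web block list from the findings."""
    hosts = set()
    for f in findings:
        hosts.update(h for h, _, _ in f["c2"])
        hosts.update(h for h, _, _ in f["stages"])
    return sorted(hosts)


if __name__ == "__main__":
    found = find_hancitor_chains(HTTP_LOG)
    for f in found:
        print(f"{f['client']}: C2 {f['c2']} stages {[s[2] for s in f['stages']]}")
    print("block:", block_candidates(found))
```

Requiring all three stages keeps the IP lookup from firing on its own, which it would otherwise do constantly on a normal network; the compromised WordPress hosts that serve the numbered files are the part of the chain that changes most often, so they are matched on path shape only.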
URSNIF POST-INFECTION HTTP TRAFFIC:
- 185.176.26[.]66 port 80 - g2.ex100p[.]at - GET /webstore/[long string of characters]
- 185.176.26[.]66 port 80 - beetfeetlife[.]bit - GET /webstore/[long string of characters]
URSNIF POST-INFECTION DNS TRAFFIC:
- 5.189.170[.]196 port 53 (UDP) - DNS queries for Ursnif domains
- 68.183.70[.]217 port 53 (UDP) - DNS queries for Ursnif domains
- 82.196.9[.]45 port 53 (UDP) - DNS queries for Ursnif domains
- 94.247.43[.]254 port 53 (UDP) - DNS queries for Ursnif domains
- 150.249.149[.]222 port 53 (UDP) - DNS queries for Ursnif domains
- 151.80.222[.]79 port 53 (UDP) - DNS queries for Ursnif domains
- 158.69.160[.]164 port 53 (UDP) - DNS queries for Ursnif domains
- 159.89.249[.]249 port 53 (UDP) - DNS queries for Ursnif domains
- 178.17.170[.]179 port 53 (UDP) - DNS queries for Ursnif domains
- 188.165.200[.]156 port 53 (UDP) - DNS queries for Ursnif domains
- 192.71.245[.]208 port 53 (UDP) - DNS queries for Ursnif domains
- 207.148.83[.]241 port 53 (UDP) - DNS queries for Ursnif domains
- 217.144.132[.]148 port 53 (UDP) - DNS queries for Ursnif domains
- 217.144.135[.]7 port 53 (UDP) - DNS queries for Ursnif domains
URSNIF DOMAINS IN THE DNS QUERIES:
- api.ex100p[.]at
- ax.ikobut[.]at
- beetfeetlife[.]bit
- core.cnboal[.]at
- extra.avareg[.]cn
- f1.cnboal[.]at
- foo.avaregio[.]at
- g2.ex100p[.]at
- in.termas[.]at
- op.basedok[.]at
- pop.muongo[.]at
- sm.dvloop[.]at
- xxx.lapoder[.]at
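Two things in the DNS traffic above are worth detecting independently of the domain names themselves. First, the infected host sent queries directly to fourteen external servers on port 53 instead of to the local resolver. Second, one of the names is under .bit, the Namecoin namespace, which does not exist in the ICANN root; an ordinary recursive resolver cannot answer for it, so a sample using a .bit domain has to ask resolvers that serve alternate roots, which is consistent with those external port-53 destinations. The script below is an added example and not code from the original post; DNS_LOG is constructed, the client 10.1.1.25, the sanctioned resolver 10.1.1.2 and the timestamps are made up, and the external resolver IPs and query names are taken from the lists above.

```python
"""Two signals from the Ursnif DNS traffic above: queries sent to resolvers the
host should not be using, and queries for names under TLDs that do not exist in
the ICANN root (.bit is the Namecoin namespace).

Added example, not from the original post. DNS_LOG is constructed: the client
10.1.1.25, the sanctioned resolver 10.1.1.2 and the timestamps are made up; the
external resolver IPs and query names come from the lists above."""
from collections import Counter, defaultdict

ALLOWED_RESOLVERS = {"10.1.1.2"}   # assumption: the only DNS server clients may use
# Namecoin (.bit) and Emercoin (.bazar, .coin, .emc, .lib) namespaces; extend as needed.
ALT_ROOT_TLDS = {"bit", "bazar", "coin", "emc", "lib"}

# Constructed records: (epoch seconds, client, resolver, query name)
DNS_LOG = [
    (1547651250.0, "10.1.1.25", "10.1.1.2",       "api.ipify.org"),
    (1547651300.0, "10.1.1.25", "5.189.170.196",  "beetfeetlife.bit"),
    (1547651300.5, "10.1.1.25", "68.183.70.217",  "beetfeetlife.bit"),
    (1547651301.0, "10.1.1.25", "82.196.9.45",    "g2.ex100p.at"),
    (1547651302.0, "10.1.1.25", "151.80.222.79",  "api.ex100p.at"),
    (1547651303.0, "10.1.1.25", "10.1.1.2",       "g2.ex100p.at"),
    (1547651400.0, "10.1.1.40", "10.1.1.2",       "www.example.com"),
]


def tld(qname: str) -> str:
    """Rightmost label of a query name, ignoring a trailing root dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def analyze(records, allowed=ALLOWED_RESOLVERS, alt_tlds=ALT_ROOT_TLDS) -> dict:
    """Per client: which unsanctioned resolvers it used (with counts), which
    alternate-root names it asked for, and every name it sent externally."""
    rogue = defaultdict(Counter)       # client -> resolver -> query count
    alt_root = defaultdict(set)        # client -> names under non-ICANN TLDs
    external_names = defaultdict(set)  # client -> names sent to unsanctioned resolvers
    for _, client, resolver, qname in records:
        name = qname.rstrip(".").lower()
        if resolver not in allowed:
            rogue[client][resolver] += 1
            external_names[client].add(name)
        if tld(qname) in alt_tlds:
            alt_root[client].add(name)
    return {
        "rogue_resolvers": {c: dict(v) for c, v in rogue.items()},
        "alt_root_queries": dict(alt_root),
        "external_names": dict(external_names),
    }


def suspect_clients(report: dict) -> list:
    """Clients showing both signals. Either alone can have a benign explanation
    (a user-configured public resolver, a typo), but together they match the
    traffic documented above."""
    both = set(report["rogue_resolvers"]) & set(report["alt_root_queries"])
    return sorted(both)


if __name__ == "__main__":
    rep = analyze(DNS_LOG)
    for client in suspect_clients(rep):
        print(client, "resolvers:", rep["rogue_resolvers"][client])
        print(client, "names:", sorted(rep["external_names"][client]))
```

The resolver check only works if outbound port 53 from workstations is actually visible (or, better, blocked at the edge except from the sanctioned resolvers); with that control in place the host in this infection would have failed to resolve its .bit name at all.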
FILE HASHES
MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:
- SHA256 hash: b5818529e226a30591eb4cddee881538f19509dd139e099bb056d8e8ce5ac055
File size: 274,432 bytes
File name: invoice_947531.xls (random numbers in the file name)
File description: Excel spreadsheet downloaded from a link in the Hancitor malspam. Contains a macro that retrieves and runs the Hancitor binary.
- SHA256 hash: 1199b24d407ccdddf83fafaf8d63e971edaafded99214bee6b2ad4906729e4d7
File size: 94,210 bytes
File location: C:\Users\[username]\AppData\Local\Temp\6fsdFfa.com
File location: C:\Users\[username]\AppData\Local\Temp\6.pif
File description: Hancitor malware binary retrieved by the macro in the downloaded Excel spreadsheet
- SHA256 hash: d31f2993ec21c24064ce1f2987e10bfe271103880777b476c0d1812423c1c4b0
File size: 236,032 bytes
File location: C:\Users\[username]\AppData\Local\Temp\BNCD5C.tmp (random hex characters in the file name)
File description: Ursnif on 2019-01-16 retrieved by the Hancitor-infected host
FINAL NOTES
Once again, here are the associated files:
- Email examples: 2019-01-16-Hancitor-malspam-47-email-examples.zip 161 kB (161,434 bytes)
- Traffic: 2019-01-16-Hancitor-infection-traffic-with-Ursnif.pcap.zip 405 kB (405,401 bytes)
- Malware: 2019-01-16-malware-from-Hancitor-infected-host.zip 275 kB (275,385 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.