SANS ISC: Internet Storm Center

Hancitor malspam uses DDE attack

Published: 2017-10-17
Last Updated: 2017-10-17 00:29:17 UTC
by Brad Duncan (Version: 1)

Introduction

Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal) changed tactics on Monday 2017-10-16.  Instead of pushing Microsoft Word documents with malicious macros, this malspam began pushing Word documents that abuse Microsoft's Dynamic Data Exchange (DDE) protocol, where a field code inside the document tells Word to launch another application.  According to BleepingComputer, attacks using this technique have existed since the early 90s, but DDE has gained notoriety in the past few weeks due to a series of recent reports.  (Use a search engine for "DDE attack" or "DDE exploit" to find some results.)

Ultimately, these DDE attacks are somewhat less effective than malicious macros, and Microsoft maintains that DDE functionality is not a vulnerability.  Victims must click through several warnings before these documents can infect them.  Otherwise, little has changed from the infection characteristics noted in my previous diary covering Hancitor malspam last month.  Today's diary examines a wave of Hancitor malspam from Monday, 2017-10-16.

The emails

Monday's wave used a DocuSign template we've seen before in Hancitor malspam.  Several people on Twitter also saw Monday's malspam, including @cheapbyte, @GossiTheDog, @James_inthe_box, @noottrak, and @Ring0x0.  Links from the emails went to newly registered domains that returned a malicious Word document.


Shown above:  An example of the malspam.

The Word document

I tried a link from the emails on a Windows 10 host running Office 365.  As usual, the user must ignore various warnings to kick off an infection.  First, because the Word document was downloaded from the Internet, I had to enable editing to escape Protected View.  Then I had to click through three dialogue boxes (the warnings Word shows before it updates the field's link and starts the linked application) to infect my Windows host.


Shown above:  Following a link from one of the emails.


Shown above:  Escaping Protected View by enabling editing.


Shown above:  1st dialogue box (1 of 3).


Shown above:  2nd dialogue box (2 of 3).


Shown above:  3rd dialogue box (3 of 3).
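The document described above hides its payload in a Word field code rather than a macro, so macro-oriented tooling will not flag it.  The following scanner is an added example written for this diary, not code from the original post or a tool the author used.  It checks for DDE and DDEAUTO field instructions in both containers a sample might arrive in: OOXML (.docx, a zip holding word/document.xml) and the raw bytes of a legacy binary .doc, where field instructions sit in the text stream as 8-bit or UTF-16LE text after Word's field-begin character (0x13).  In the XML case it reassembles an instruction that has been split across several <w:instrText> runs, a common trick for defeating a naive grep.  All sample inputs (the docx bodies and the two byte strings) are constructed for the example; the "echo" payload is a placeholder, not the command from the actual receipt_*.doc.

```python
"""Heuristic scan for DDE / DDEAUTO field codes in Word documents (added example)."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field names are case-insensitive to Word; DDEAUTO fires as the document opens.
DDE_RE = re.compile(r"^\s*DDE(?:AUTO)?\b", re.IGNORECASE)


def _iter_field_instructions(root):
    """Yield the full instruction text of every field in document order.

    Complex fields are delimited by <w:fldChar> begin/separate/end markers and
    may nest (e.g. a QUOTE field inside a DDEAUTO field), so a stack of buffers
    collects the <w:instrText> fragments that belong to each open field.
    """
    stack = []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                yield "".join(stack.pop())
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
        elif el.tag == W + "fldSimple":
            yield el.get(W + "instr", "")


def _raw_pattern(enc):
    """Regex for 0x13, optional spaces, DDE/DDEAUTO, space, in the given encoding."""
    def e(s):
        return s.encode(enc)
    return re.compile(
        e("\x13") + b"(?:" + e(" ") + b")*(" + e("DDE") + b"(?:" + e("AUTO") + b")?" + e(" ") + b")",
        re.IGNORECASE,
    )


def scan_document(data):
    """Return a list of DDE field instructions found in a .docx or binary .doc."""
    hits = []
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                # document.xml plus headers/footers/footnotes all sit directly under word/
                if name.startswith("word/") and name.endswith(".xml") and "/" not in name[5:]:
                    for instr in _iter_field_instructions(ET.fromstring(z.read(name))):
                        if DDE_RE.search(instr):
                            hits.append(instr.strip())
    else:
        for enc in ("latin-1", "utf-16-le"):
            for m in _raw_pattern(enc).finditer(data):
                # Instruction text runs from the keyword to the field separator (0x14) or end (0x15)
                tail = data[m.start(1):m.start(1) + 1024].decode(enc, errors="replace")
                hits.append(re.split("[\x14\x15]", tail, maxsplit=1)[0].strip())
    return hits


def build_docx(body_xml):
    """Wrap body XML in a minimal .docx (constructed test input, not a real sample)."""
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples. The keyword is split across runs and mixed-case on purpose.
SPLIT_DDEAUTO_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DdE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\windows\\system32\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"/k echo dde-demo"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Loading</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
BENIGN_BODY = '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
# Fake binary .doc fragments: OLE magic, padding, then a field in 8-bit or UTF-16LE text.
DOC_8BIT = (b"\xd0\xcf\x11\xe0" + b"\x00" * 28 +
            b"Receipt\r\x13 DDEAUTO c:\\windows\\system32\\cmd.exe \"/k echo dde-demo\"\x14Loading\x15\r")
DOC_UTF16 = "\x13 dde c:\\windows\\system32\\cmd.exe \"/k echo u16\"\x14\x15".encode("utf-16-le")

if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("docx-split", build_docx(SPLIT_DDEAUTO_BODY)), ("docx-benign", build_docx(BENIGN_BODY)),
        ("doc-8bit", DOC_8BIT), ("doc-utf16", DOC_UTF16)]
    for label, data in targets:
        print(label, "->", scan_document(data) or "no DDE fields")
```

Run it with one or more file paths to scan real samples; with no arguments it runs over the constructed inputs.  The raw-bytes path keys on the 0x13 field-begin character so that the string "DDE" in ordinary prose does not trigger; for a triage queue that is the right trade-off, but a sample that stores the field inside an embedded RTF or a renamed .docx is only caught by the container check at the top of scan_document.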

The traffic

Traffic is much the same as last time, except that we now see an HTTP GET request for a Hancitor (or Hancitor-related) executable right after the document is downloaded.  Previously, this initial executable was carried by the malicious document's macro.  With the DDE attack, the field code launches a command that retrieves the executable separately (the GET /16.exe request in the IOCs below).


Shown above:  Traffic from an infection filtered in Wireshark.

Indicators of compromise (IOCs)

Emails collected:

  • Date/Time:  Monday 2017-10-16 as early as 14:50 UTC through at least 16:11 UTC
  • Subject:  Your document Receipt [random 5-digit number] for [recipient's name] is ready for signature!
  • Sending email address (spoofed):  "Benjamin Garcia via DocuSign" <dse@longconsult.com>
  • Sending email address (spoofed):  "Carrie Robinson via DocuSign" <dse@longconsult.com>
  • Sending email address (spoofed):  "Carrie Stanley via DocuSign" <dse@longconsult.com>
  • Sending email address (spoofed):  "Mary Garcia via DocuSign" <dse@longconsult.com>
  • Sending email address (spoofed):  "Monique Clark via DocuSign" <dse@longconsult.com>
  • Sending email address (spoofed):  "Monique Wilson via DocuSign" <dse@longconsult.com>
  • Sending email address (spoofed):  "Saul Walker via DocuSign" <dse@longconsult.com>
  • Received: from longconsult.com ([45.49.169.80])
  • Received: from longconsult.com ([68.98.214.133])
  • Received: from longconsult.com ([68.188.99.59])
  • Received: from longconsult.com ([173.209.154.162])
  • Received: from longconsult.com ([205.144.215.157])
  • Received: from longconsult.com ([208.181.214.155])

Links from the malspam:

  • bridlewoodpark[.]ca
  • celebration-living[.]ca
  • celebration-living[.]com
  • cloudninecondos[.]com
  • condoallure[.]com
  • donmillstowns[.]ca
  • me2condominium[.]com
  • me2condominiums[.]com
  • thelashgroup[.]ca
  • tier1mc[.]com
  • westkanresidential[.]ca
  • westkanresidential[.]com
  • woodstockliving[.]ca
  • y2mediagroup[.]ca
  • y2mediagroup[.]com

Traffic noted while infecting hosts in my lab:

  • 34.213.214.65 port 80 - frontiertherapycenter[.]com - GET /16.exe
  • 185.82.217.224 port 80 - frontiertherapycenter[.]com - GET /16.exe
  • 185.124.188.82 port 80 - aningrolcoligh[.]ru - POST /ls5/forum.php
  • 91.215.169.131 port 80 - tontoftguthat[.]com - POST /ls5/forum.php
  • 91.215.169.131 port 80 - tontoftguthat[.]com - POST /mlu/forum.php
  • 91.215.169.131 port 80 - tontoftguthat[.]com - POST /d2/about.php
  • 27.121.64.185 port 80 - leicam[.]com[.]au - GET /1
  • 23.228.100.130 port 80 - www.stressbenders[.]com - GET /1
  • 23.228.100.130 port 80 - www.stressbenders[.]com - GET /2
  • 23.228.100.130 port 80 - www.stressbenders[.]com - GET /3
  • 185.147.82.80 port 80 - davenyhes[.]com - POST /bdl/gate.php 
  • api.ipify.org - GET / (public IP address lookup, used as a location check by the infected host)
  • checkip.dyndns.org - GET / (public IP address lookup, used as a location check by the infected host)
  • Various IP addresses, various ports - Tor traffic
  • 10.0.2.2 port 443 - TCP SYN packet sent every 5 minutes 

Artifacts from an infected host:

SHA256 hash: f945105f5a0bc8ea0d62a28ee62883ffc14377b6abec2d0841e88935fd8902d3

  • File name:  receipt_[6 random digits].doc
  • File description:  Word document using DDE attack technique

SHA256 hash:  a647d12d6298c8aef225d77f1e2b605ae78fadd7360ab0c48363d2e461612150

  • File location:  C:\Users\[username]\AppData\Local\Temp\tvs.exe
  • File description:  Hancitor or Hancitor-related executable

SHA256 hash:  8f94cee61a76c7b9612381978876dcd996c15ae8da50fd75d700a05df571d10a

  • File location:  C:\Users\[username]\AppData\Local\Temp\tvs.exe
  • File description:  Hancitor or Hancitor-related executable seen later on another infected host

SHA256 hash:  15e9493c4f50b672fe801108d31ac6660d1d5787e0c71964a935a893aab12032

  • File location:  C:\Users\[username]\AppData\Local\Temp\BN5A30.tmp
  • File location:  C:\Users\[username]\AppData\Roaming\Yhaba\ehyl.exe
  • File description:  DELoader/ZLoader

Final words

As mentioned earlier, these DDE attacks are no more effective than malicious macro-based attacks, and arguably less so: each requires victims to click through a series of warnings to get infected.  Furthermore, it's relatively easy for system administrators (and the technically inclined) to follow best security practices on their Windows computers.  Using Software Restriction Policies (SRP) or AppLocker to block execution from user-writable locations such as %AppData% and %Temp% (where this infection dropped tvs.exe and ehyl.exe) can easily prevent these types of malspam-based infections from occurring.

Traffic and malware samples for this diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Keywords: DDE Hancitor malspam
