Today's diary reviews noteworthy changes in recent malicious spam (malspam) pushing Hancitor.
Background: Malspam pushing Hancitor (also known as Chanitor or Tordal) is a long-running campaign I frequently document on my malware traffic analysis blog. Infections from this malspam tend to follow predictable patterns and usually end with Zeus Panda Banker as the follow-up malware. However, this campaign occasionally tries new techniques or sends different follow-up malware.
In recent months, a baseline Hancitor infection used Word macros to push Pony malware and Evil Pony to system RAM, and it also pushed Zeus Panda Banker to disk as a persistent follow-up infection.
However, last week we noticed some changes. I documented a wave of Hancitor malspam on Monday 2018-10-22 that only pushed Pony malware and didn't send Zeus Panda Banker. This week, a Hancitor infection on Monday 2018-10-29 sent Ursnif as the follow-up malware.
Malspam from this campaign spoofs different online services, and Monday's example spoofed HelloFax. As a deception technique, this campaign also spoofs domains from legitimate businesses. Monday's example spoofed warrencountyga.com. Neither HelloFax nor Warren County GA are actually involved with this malspam. Criminals behind this campaign were simply impersonating names and domains from those two organizations.
Various elements in the email headers change from email to email in this malspam. For example, subject lines, X-Mailer lines, and even names associated with spoofed sending addresses can change each message.
The downloaded Word document
Links from these messages are designed to download a malicious Word document. Opening one of these Word documents and enabling macros will infect a vulnerable Windows host.
Researchers like @James_inthe_box quickly figured out follow-up malware from these infections was Ursnif instead of Zeus Panda Banker. @Mesa_matt pointed out the Word macro checked for Malwarebytes on an infected Windows host.
This got me curious, so I used Officemalscanner to extract macros from the downloaded Word doc. Reviewing the macros showed code that checked for the following antivirus solutions:
Infection traffic was similar to previous Hancitor infections I've recently generated in my lab, except there was no Zeus Panda Banker infection traffic. Instead, I saw post-infection traffic for Ursnif.
Malware from an infected Windows host
Malware from this infection was not persistent. It did not survive a reboot of my infected Windows host. Like Zeus Panda Banker from previous Hancitor infections, follow-up Ursnif malware was saved to the victim's AppData\Local\Temp folder as a .tmp file. Unlike previous Zeus Panda Banker infections, Ursnif malware from this infection did not copy itself anywhere else. It ran as the same .tmp file and was not made persistent to survive a reboot.
Indicators of traffic from my infected lab host follow:
Downloading the Word document from a link in the email:
IP address check by the infected Windows host--not inherently malicious on its own:
Traffic for the follow-up malware (Pony, Evil Pony, and Ursnif):
Post-infection traffic for Hancitor, Pony, and Evil Pony:
Post-infection traffic for Ursnif:
DNS queries for additional Ursnif domains:
Malware retrieved from my infected lab host follows:
My standard warning still applies. Properly-administered Windows hosts are not susceptible to this type of infection. However, for a variety of reasons, many people run older versions of Windows that are not fully patched or up-to-date. That's why criminals continue to run these malspam campaigns. As long as a small percentage generates a successful infection, these campaigns will remain profitable.
My background is not in system administration, so I don't have details on tools like SRP or AppLocker that can help prevent these malspam-based attacks. My previous diary has a comment about an article from Aaron Margosis to simplify AppLocker deployment (link). For those with Office 2013 and later versions, you have an option to block macros in documents downloaded from the Internet (link).
If you find this diary helpful or have any suggested improvements, please leave a comment.
Email examples, pcap, and malware associated with today's diary can be found here.
Oct 30th 2018
3 weeks ago