
SANS ISC: Hancitor/Pony malspam - SANS Internet Storm Center

Hancitor/Pony malspam


It's been one month since my last diary on malicious spam (malspam) with links to malicious Word documents containing Hancitor [1].  Back then, we saw Hancitor use Pony to download Vawtrak malware.  Since then, I've seen indicators for this type of malspam on a near-daily basis.

Recently, these emails have stopped leading to Vawtrak.  Instead, I'm now seeing malware that triggers alerts for Terdot.A [2, 3, 4, 5, 6, 7].  Tools from my employer identify this malware as DELoader, and a Google search indicates Terdot.A and DELoader are the same thing.

For now, I'm keeping my flow chart open on the final malware.  With that in mind, let's take a look at some infection traffic generated on Thursday 2017-02-09 based on one of these emails.

Shown above: Flow chart for the infection process.

The email

These emails generally have different subject lines each day, and they have spoofed sending addresses.  The example I saw on 2017-02-09 was a fake message about a money transfer.  It's similar to a wave of malspam seen the day before.

  • Date:  Thursday, 2017-02-09 16:05 UTC
  • Received:  from   [spoofed host name]
  • Message-ID:  <>
  • From:  "Polsinelli LLP" <>   [spoofed sender]
  • Subject:  RE:RE: wife tf

The link from the email contains a base64-encoded string representing the recipient's email address.  Based on that string, the downloaded file will have the recipient's name from the email address.  I used a base64 string for a made-up email address and received a file named bofa_statement_marci.jones.doc.

Shown above:  Fake money transfer email with link to a Word document.

The link from the malspam downloaded a Microsoft Word document.  The document contains a malicious VB macro described as Hancitor, Chanitor or Tordal.  I generally call it Hancitor.  If you enable macros, the document retrieves a Pony downloader DLL.  At first, I thought Pony was retrieving the DELoader malware; however, another researcher told me it's Hancitor that grabs DELoader.  I haven't had time to investigate; however, I probably need to update my flowchart.

Shown above:  Retrieving the Hancitor Word document from the email link.

Shown above:  Enabling macros will activate Hancitor.

The traffic

Pattern-wise, URLs from this infection are similar to previous cases of Hancitor/Pony malspam I've seen during the past week or two.

Shown above:  Infection traffic after activating macros in the Word document.

Alerts show post-infection traffic for Terdot.A/Zloader, which is consistent with recent infections I've seen for malware identified as DELoader.

Shown above:  Alerts on the traffic using Security Onion with Suricata and the ETPRO ruleset.

Indicators of Compromise (IOCs)

Email link noted on Thursday 2017-02-09 to download the Hancitor Word document:

  • port 80 - - GET /api/get.php?id=[base64 string]

Traffic after enabling macros on the Word document:

  • - GET /   [IP address check]
  • port 80 - - POST /ls5/forum.php   [Hancitor callback]
  • port 80 - - POST /klu/forum.php   [Hancitor callback]
  • port 80 - - GET /blog/wp-content/themes/sketch/1   [call for Pony DLL]
  • port 80 - - GET /1   [call for Pony DLL]
  • port 80 - - GET /wp-content/themes/sketch/1   [call for Pony DLL]
  • port 80 - - GET /blog/wp-content/themes/sketch/a1   [call for DELoader]
  • port 80 - - GET /a1   [call for DELoader]
  • port 80 - - GET /wp-content/themes/sketch/a1   [call for DELoader]
  • port 80 - - POST /bdk/gate.php   [DELoader callback]
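
The following is an added example, not code from the original diary or its author: a proxy-log triage pass that decodes the base64 `id` parameter of the email link back to the recipient address and flags the callback paths listed above. It assumes a hypothetical log format of `client method host uri`; the recipient, hosts and client IPs in the sample are constructed.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# URI paths copied from this diary's IOC list (2017-02-09 traffic only).
CALLBACKS = {
    "/ls5/forum.php": "Hancitor callback",
    "/klu/forum.php": "Hancitor callback",
    "/bdk/gate.php": "DELoader callback",
}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def decode_recipient(b64):
    """Return the email address carried in the id parameter, or None."""
    b64 = b64.replace(" ", "+")              # parse_qs turns '+' into a space
    b64 += "=" * (-len(b64) % 4)             # tolerate stripped padding
    try:
        text = base64.b64decode(b64, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.fullmatch(text) else None

def triage(log_lines):
    """Return (client, finding, detail) tuples for lines matching the patterns."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue                          # not in the assumed log format
        client, method, host, uri = fields
        url = urlsplit(uri)
        if method == "GET" and url.path == "/api/get.php":
            for value in parse_qs(url.query).get("id", []):
                rcpt = decode_recipient(value)
                if rcpt:
                    findings.append((client, "malspam link clicked", rcpt))
        elif method == "POST" and url.path in CALLBACKS:
            findings.append((client, CALLBACKS[url.path], host))
    return findings

# Constructed sample: made-up recipient, hosts and client IPs (not from the pcap).
SAMPLE_ID = base64.b64encode(b"marci.jones@example.com").decode().rstrip("=")
SAMPLE_LOG = [
    f"10.0.0.5 GET mail-link.example /api/get.php?id={SAMPLE_ID}",
    "10.0.0.5 POST c2-one.example /ls5/forum.php",
    "10.0.0.5 POST c2-two.example /bdk/gate.php",
    "10.0.0.9 GET intranet.example /api/get.php?id=not-base64!",
]
```

Calling `triage(SAMPLE_LOG)` ties the decoded recipient to the client that later produced the callbacks, which gives responders both the affected mailbox and the affected host.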

Associated file hashes:

Final words

As this campaign progresses, IOCs will continue to change, and I'm sure traffic patterns will continue to evolve.

Pcap and malware for this diary can be found here.

Brad Duncan
brad [at]



