Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Hancitor/Pony/Vawtrak malspam - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Hancitor/Pony/Vawtrak malspam

Introduction

Until recently, I hadn't personally seen much malicious spam (malspam) using Microsoft office documents with Hancitor-based Visual Basic (VB) macros to send Pony and Vawtrak.  It still happens, though.  Occasionally, I'll find a report like this one from 2016-12-19, where Hancitor/Pony/Vawtrak malspam was disguised as a LogMeIn account notification, but I rarely come across an example on my own.  And apparently, there's been a recent lull in Hancitor/Pony/Vawtrak malspam until yesterday.

This diary describes a wave of Hancitor/Pony/Vawtrak malspam from Tuesday 2017-01-10.

The malspam

The example I saw was a fake parking ticket notification.

  • Date/Time:  Tuesday, 2017-01-10 20:25:41 UTC
  • Received from:  kennedyslaw.com
  • Message-Id:  c016c66e.baa60320@kennedyslaw.com
  • From:  office@kennedyslaw.com
  • Subject:  RE: RE: parking ticket


Shown above:  The fake parking ticket notification with a link to a Word document.

The link from the malspam downloaded a Microsoft Word document.  The document contains a malicious VB macro described has Hancitor, Chanitor or Tordal.  I generally call it Hancitor.  If you enable macros, the document retrieves a Pony downloader DLL.  The Pony downloader then retrieves and installs Vawtrak malware.


Show above:  Flow chart of the infection process.

The link from the email contains a base64-encoded string representing the recipient's email address.  Based on that string, the downloaded file will have the recipient's name from the email address.  I used a base64 string for bert@shotts123.com (a made-up name/address) and received a file named parking_bert.doc.


Shown above:  Retrieving the Hancitor Word document from the email link.


Shown above:  Enabling macros will activate Hancitor.

The traffic

Pattern-wise, URLs from this infection are similar to previous cases of Hancitor/Pony/Vawtrak malspam reported during the past two or three months.


Shown above:  Infection traffic after activating macros in the Word document.

You won't see any Vawtrak-specific activity until you start your browser and try to look at a something.  Once you do, you'll see Vawtrak callback traffic.


Shown above:  Vawtrak callback traffic seen only after trying to browse the web.


Shown above:  Alerts on the traffic using Security Onion with Suricata and the ETPRO ruleset.

Indicators of Compromise (IOCs)

Email links noted on Tuesday 2017-01-10 to download the Hancitor Word document:

  • 202.189.180.194 port 80 - www.dreampark.co.jp - GET /api/get.php?id=[base64 string]
  • 123.30.182.73 port 80 - www.thienyhotel.vn - GET /api/get.php?id=[base64 string]

Traffic after enabling macros on the Word document:

  • api.ipify.org - GET /   [IP address check]
  • 80.78.251.134 port 80 - tinhorecrin.com - POST /ls5/forum.php   [Hancitor callback]
  • 80.78.251.134 port 80 - tinhorecrin.com - POST /klu/forum.php   [Hancitor callback]
  • 80.78.251.134 port 80 - tinhorecrin.com - POST /borjomi/gate.php   [Hancitor callback]
  • 206.196.99.49 port 80 - www.mi4nd.com - GET /wp-includes/pm1.dll   [DLL for Pony]
  • 206.196.99.49 port 80 - www.mi4nd.com - GET /wp-includes/pm2.dll   [DLL for Pony]
  • 178.77.97.61 port 80 - www.worstofbreed.net - GET /wp-content/themes/redoable/inst.exe   [EXE for Vawtrak]

Vawtrak traffic noted after trying to browse the web:

  • 94.242.55.154 port 80 - 94.242.55.154 - HTTP post-infection Vawtrak callback
  • 94.242.55.154 port 443 - geholso.com - HTTPS/SSL/TLS post-infection Vawtrak callback
  • 5.196.129.108 port 443 - ojfbgnruqe.com - HTTPS/SSL/TLS post-infection Vawtrak callback

Associated file hashes:

Final words

Speaking as a security professional, we often become jaded as yet another wave of malspam does the same thing it's done before.  Patterns behind such activity are often well-documented.  So why bother with discussion, if there's nothing new?  Why bother talking about it, when we have the technical means to prevent these types of infections?

Why indeed!  That attitude only encourages the criminal groups behind malspam.  For various reasons, many environments don't follow best security practices, and they're still vulnerable.  If we discuss on-going waves of malspam in high-visibility forums like this one, more people will be aware of the threat.

I encourage security professionals to routinely check sites like blog.dynamoo.com, myonlinesecurity.co.uk, and techhelplist.com.  Many folks also have Twitter channels with even more timely updates.

If you know any blogs or Twitter channels you find helpful, feel free to leave a comment below.  Let's keep the discussion going!

Pcap and malware for this diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

 Brad

306 Posts
ISC Handler
Reply Subscribe Jan 11th 2017
1 year ago
Quote:Why bother talking about it, when we have the technical means to prevent these types of infections?


The technical means you refer to disable the first weak point (alias attack vector) only.
EVERY administrator should but exercise defense in depth, ie. disable the other weak points used here too, ie. disable execution in data directories, or employ W^X in the (NTFS) filesystem: no properly written Windows application executes code from %TEMP% or %APPDATA% or %USERPROFILE% or any other user-writable location.

Use SAFER alias SRPv1 or AppLocker alias SRPv2 to enforce that!
 Brad
146 Posts Posts
Reply Quote Jan 12th 2017
1 year ago

Sign Up for Free or Log In to start participating in the conversation!