2017-12-13 - HANCITOR MALSPAM (EFAX-THEMED)
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-12-13-Hancitor-malspam-traffic.pcap.zip 689 kB (688,944 bytes)
- 2017-12-13-Hancitor-malspam-traffic.pcap (961,426 bytes)
- Zip archive of 10 emails ins a single text file: 2017-12-13-Hancitor-malspam-emails.txt.zip 3.9 kB (3,906 bytes)
- 2017-12-13-Hancitor-malspam-emails.txt (86,603 bytes)
- Zip archive of the malware: 2017-12-13-malware-from-Hancitor-malspam.zip 465 kB (464,723 bytes)
- 2017-12-13-Hancitor-maldoc-eFax_979268.doc (257,024 bytes)
- 2017-12-13-IcedID-banking-Trojan-theatctaa.exe (765,952 bytes)
NOTES:
- Today, post-infection malware from Hancitor malspam includes the Iced ID banking Trojan.
- It's been switching between Zeus Panda Banker and IcedID banking Trojan during the past two weeks or so.
- Of course, there's still Pony and Evil Pony (both fileless) also downloaded by Hancitor from the Word document macro.
- As always, thanks to @_jsoo_, @James_inthe_box, and others who contributed to the Twitter thread today.
- @James_inthe_box published additional indicators (link) that I've included in this report.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- employup.net
- indycareerhubcarrier.com
- indycareerhubcarrier.net
- indycareerfuture.com
- indycareerhubrexnord.com
- indycareerhubrexnord.net
- leapindy.com
- leapindy.net
- leapindy.org
- youthworksindy.org
- hxxp://ancerapastanesi.com.tr/wp-content/plugins/posts-in-sidebar/1
- hxxp://ancerapastanesi.com.tr/wp-content/plugins/posts-in-sidebar/2
- hxxp://ancerapastanesi.com.tr/wp-content/plugins/posts-in-sidebar/3
- hxxp://doudoukids.com/wp-content/plugins/wp-super-cache/1
- hxxp://doudoukids.com/wp-content/plugins/wp-super-cache/2
- hxxp://doudoukids.com/wp-content/plugins/wp-super-cache/3
- hxxp://swiss-medical-int.ch/system/1
- hxxp://swiss-medical-int.ch/system/2
- hxxp://swiss-medical-int.ch/system/3
- hxxp://swiss-vision.com/includes/1
- hxxp://swiss-vision.com/includes/2
- hxxp://swiss-vision.com/includes/3
- hxxp://www.tridenttechnolabs.com/wp-content/plugins/waving-portfolio/1
- hxxp://www.tridenttechnolabs.com/wp-content/plugins/waving-portfolio/2
- hxxp://www.tridenttechnolabs.com/wp-content/plugins/waving-portfolio/3
- cilysitma.com
- hersandsinref.ru
- inleftwronhes.ru
- arcadyflyff.com
- binncu.net
- cupicratings.com
- freegameshacks.net
- gordondeen.net
EMAILS
Shown above: Screenshot from one of the emails.
Shown above: Screenshot from another one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2017-12-13 as early as 15:43 UTC through at least 17:32 UTC
- Received: from pdtechnologiesinc.com ([184.156.42.122])
- Received: from autumnfire.com ([216.174.138.18])
- Received: from autumnfire.com ([23.31.119.241])
- Received: from autumnfire.com ([66.55.14.10])
- Received: from autumnfire.com ([70.195.213.212])
- Received: from autumnfire.com ([8.46.162.38])
- Received: from autumnfire.com ([184.169.59.9])
- Received: from autumnfire.com ([205.201.68.70])
- Received: from autumnfire.com ([97.90.191.214])
- Received: from autumnfire.com ([74.205.144.158])
- From: "eFax.com" <efax@pdtechnologiesinc.com>
- From: "eFax Inc" <efax@autumnfire.com>
- Subject: New incoming fax from 1-610-411-3668 on Wed, 13 Dec 2017 09:41:52 -0600
- Subject: New incoming fax from 1-390-527-4832
- Subject: New incoming fax from 1-390-231-0704 on Wed, 13 Dec 2017 09:12:07 -0700
- Subject: New incoming fax from 1-390-230-4874 on Wed, 13 Dec 2017 10:27:55 -0600
- Subject: New incoming fax from 1-390-741-6256 on Wed, 13 Dec 2017 10:36:27 -0600
- Subject: New incoming fax from 1-390-042-4444
- Subject: New incoming fax from 1-390-730-5172
- Subject: New incoming fax from 1-390-751-6837
- Subject: New incoming fax from 1-390-737-2538
- Subject: New incoming fax from 1-390-368-5265
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO THE WORD DOCUMENT:
- hxxp://employup.net/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://indycareerhubcarrier.com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://indycareerhubcarrier.net/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://indycareerfuture.com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://indycareerhubrexnord.com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://indycareerhubrexnord.net/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://leapindy.com/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://leapindy.net/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://leapindy.org/?[encoded string]=[encoded string representing recipient's email address]
- hxxp://youthworksindy.org/?[encoded string]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM MY INFECTED LAB HOST:
- 217.61.125.151 port 80 leapindy.com - GET /?[encoded string that includes data forrecipient's email address]
- api.ipify.org - GET /
- 185.43.223.31 port 80 cilysitma.com - POST /ls5/forum.php
- 185.43.223.31 port 80 cilysitma.com - POST /mlu/forum.php
- 185.43.223.31 port 80 cilysitma.com - POST /d2/about.php
- 223.26.59.163 port 80 doudoukids.com - GET /wp-content/plugins/wp-super-cache/1
- 223.26.59.163 port 80 doudoukids.com - GET /wp-content/plugins/wp-super-cache/2
- 223.26.59.163 port 80 doudoukids.com - GET /wp-content/plugins/wp-super-cache/3
- 46.148.26.106 port 443 arcadyflyff.com - HTTPS/SSL/TLS traffic from IcedID banking Trojan
- 46.148.26.106 port 443 localhost - HTTPS/SSL/TLS traffic from IcedID banking Trojan
- 46.148.26.106 port 443 jefchinloans.com - HTTPS/SSL/TLS traffic from IcedID banking Trojan
FILE HASHES
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 4a2e03b591495b6ad0ec6442e483857625e866b27c6f71117d0a06fe79e072c3
File size: 257,024 bytes
File name: eFax_999278.doc
File description: Word document with macro for Hancitor
- SHA256 hash: e405334639b3b6a30689156d8273ddccdeba959cca268061d4cacb995b96be79
File size: 765,952 bytes
File location: C:\Users\[username]\AppData\Local\Temp\BN2EAD.tmp
File location: C:\Users\[username]\AppData\Local\hemansgol\theatctaa.exe
File description: IcedID banking Trojan
IMAGES
Shown above: IcedID banking Trojan persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-12-13-Hancitor-malspam-traffic.pcap.zip 689 kB (688,944 bytes)
- Zip archive of 10 emails ins a single text file: 2017-12-13-Hancitor-malspam-emails.txt.zip 3.9 kB (3,906 bytes)
- Zip archive of the malware: 2017-12-13-malware-from-Hancitor-malspam.zip 465 kB (464,723 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.