2017-12-21 - HANCITOR INFECTION WITH ZEUS PANDA BANKER
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of 33 emails: 2017-12-21-Hancitor-malspam-33-examples.zip 33.6 kB (33,611 bytes)
- Zip archive of the pcap: 2017-12-21-Hancitor-infection-wth-Zeus-Panda-Banker.pcap.zip 490.8 kB (490,802 bytes)
- Zip archive of the malware: 2017-12-21-malware-from-Hancitor-infection-with-Zeus-Panda-Banker.zip 223.7 kB (223,739 bytes)
NOTES:
- Today, post-infection malware from Hancitor malspam includes the Zeus Panda banking Trojan.
- Of course, there's still Pony and Evil Pony (both fileless) also downloaded by Hancitor from the Word document macro.
- As always, thanks to people like @fletchsec, @James_inthe_box, @Simpo13, and others who contributed to the Twitter discussion today.
- @James_inthe_box published additional indicators (link) that I've included in this report.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- coffeedoesgood[.]com
- coffeeforles[.]us
- eciggystore[.]com
- ecigsforless[.]com
- eleanorlarsonart[.]com
- hybriscoach[.]com
- planetfriendlycoffee[.]com
- planetfriendlywater[.]com
- quickkups[.]com
- royalconnection[.]org
- royalconnectioncoffee[.]com
- tikihut[.]coffee
- tikihutcafe[.]com
- tikihutcoffee[.]biz
- tikihutcoffee[.]us
- utahrates[.]com
- andrejoter[.]com
- dokemyhed[.]ru
- vehopehers[.]ru
- hxxp[:]//boobsandbabes[.]com/1
- hxxp[:]//boobsandbabes[.]com/2
- hxxp[:]//boobsandbabes[.]com/3
- hxxp[:]//rutstudio[.]pl/1
- hxxp[:]//rutstudio[.]pl/2
- hxxp[:]//rutstudio[.]pl/3
- hxxp[:]//wingchun-giessen[.]de/wp-content/uploads/2014/06/1
- hxxp[:]//wingchun-giessen[.]de/wp-content/uploads/2014/06/2
- hxxp[:]//wingchun-giessen[.]de/wp-content/uploads/2014/06/3
- hxxp[:]//www.americanfreethought[.]com/wordpress/1
- hxxp[:]//www.americanfreethought[.]com/wordpress/2
- hxxp[:]//www.americanfreethought[.]com/wordpress/3
- hxxp[:]//www.emilianobursese.com[.]ar/wp-content/plugins/bulletproof-security/1
- hxxp[:]//www.emilianobursese.com[.]ar/wp-content/plugins/bulletproof-security/2
- hxxp[:]//www.emilianobursese.com[.]ar/wp-content/plugins/bulletproof-security/3
- kedfortmoleft.ru
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Thursday 2017-12-21 as early as 15:28 through at least 20:07 UTC
- Subject: RE: FW: december billing invoice
- Received: from nortconsulting[.]net ([12.186.237[.]244])
- Received: from nortconsulting[.]net ([24.43.195[.]254])
- Received: from nortconsulting[.]net ([24.119.166[.]10])
- Received: from nortconsulting[.]net ([24.159.72[.]85])
- Received: from nortconsulting[.]net ([24.183.26[.]75])
- Received: from nortconsulting[.]net ([24.222.94[.]46])
- Received: from nortconsulting[.]net ([50.249.244[.]57])
- Received: from nortconsulting[.]net ([50.79.52[.]5])
- Received: from nortconsulting[.]net ([64.60.13[.]226])
- Received: from nortconsulting[.]net ([67.52.227[.]178])
- Received: from nortconsulting[.]net ([67.77.243[.]36])
- Received: from nortconsulting[.]net ([68.236.205[.]98])
- Received: from nortconsulting[.]net ([69.15.124[.]81])
- Received: from nortconsulting[.]net ([69.161.91[.]237])
- Received: from nortconsulting[.]net ([70.88.231[.]82])
- Received: from nortconsulting[.]net ([71.12.100[.]6])
- Received: from nortconsulting[.]net ([71.191.193[.]11])
- Received: from nortconsulting[.]net ([72.4.5[.]34])
- Received: from nortconsulting[.]net ([72.87.93[.]93])
- Received: from nortconsulting[.]net ([73.233.73[.]224])
- Received: from nortconsulting[.]net ([86.151.153[.]185])
- Received: from nortconsulting[.]net ([90.63.216[.]156])
- Received: from nortconsulting[.]net ([97.90.104[.]14])
- Received: from nortconsulting[.]net ([98.103.65[.]114])
- Received: from nortconsulting[.]net ([185.16.210[.]16])
- Received: from nortconsulting[.]net ([190.4.186[.]152])
- Received: from nortconsulting[.]net ([192.154.121[.]214])
- Received: from nortconsulting[.]net ([201.229.68[.]245])
- Received: from nortconsulting[.]net ([213.120.121[.]78])
- Received: from nortconsulting[.]net ([216.26.206[.]112])
- Received: from nortconsulting[.]net ([216.37.70[.]43])
- Received: from nortconsulting[.]net ([216.174.116[.]246])
- From (spoofed): "Alayna Croxton" <finance@nortconsulting[.]net>
- From (spoofed): "Alton Sangster" <finance@nortconsulting[.]net>
- From (spoofed): "Amos Coonrod" <finance@nortconsulting[.]net>
- From (spoofed): "Annalisa Benedict" <finance@nortconsulting[.]net>
- From (spoofed): "Antoinette Valentine" <finance@nortconsulting[.]net>
- From (spoofed): "Bernadine Daub" <finance@nortconsulting[.]net>
- From (spoofed): "Bronwyn Rambo" <finance@nortconsulting[.]net>
- From (spoofed): "Christiane Littles" <finance@nortconsulting[.]net>
- From (spoofed): "Clarinda Johnston" <finance@nortconsulting[.]net>
- From (spoofed): "Cornell Lowy" <finance@nortconsulting[.]net>
- From (spoofed): "Danilo Decaro" <finance@nortconsulting[.]net>
- From (spoofed): "Darryl Ryberg" <finance@nortconsulting[.]net>
- From (spoofed): "Gennie Haggard" <finance@nortconsulting[.]net>
- From (spoofed): "Heath Burroughs" <finance@nortconsulting[.]net>
- From (spoofed): "Junita Garcia" <finance@nortconsulting[.]net>
- From (spoofed): "Kirstie Mertz" <finance@nortconsulting[.]net>
- From (spoofed): "Kisha Escovedo" <finance@nortconsulting[.]net>
- From (spoofed): "Lesha Northington" <finance@nortconsulting[.]net>
- From (spoofed): "Letitia Foronda" <finance@nortconsulting[.]net>
- From (spoofed): "Margurite Schnee" <finance@nortconsulting[.]net>
- From (spoofed): "Monika Punch" <finance@nortconsulting[.]net>
- From (spoofed): "Soila Etienne" <finance@nortconsulting[.]net>
- From (spoofed): "Yahaira Hummer" <finance@nortconsulting[.]net>
- From (spoofed): "Yvette Mcclane" <finance@nortconsulting[.]net>
Shown above: Malicious Word document from link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO THE WORD DOCUMENT:
- hxxp[:]//coffeeforles[.]us?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//eciggystore[.]com?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//ecigsforless[.]com?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//eleanorlarsonart[.]com?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//hybriscoach[.]com?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//planetfriendlycoffee[.]com?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//planetfriendlywater[.]com?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//quickkups[.]com?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//royalconnection[.]org?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//royalconnectioncoffee[.]com?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//tikihut[.]coffee?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//tikihutcafe[.]com?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//tikihutcoffee[.]biz?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//tikihutcoffee[.]us?[encoded string]=[encoded string representing recipient's email address]
- hxxp[:]//utahrates[.]com?[encoded string]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM MY INFECTED LAB HOST:
- 119.28.100[.]108 port 80 - utahrates[.]com - GET /?[string of characters]=[encoded string representing recipient's email address]
- api.ipify[.]org - GET /
- 193.33.133[.]88 port 80 - andrejoter[.]com - POST /ls5/forum.php
- 193.33.133[.]88 port 80 - andrejoter[.]com - POST /mlu/forum.php
- 193.33.133[.]88 port 80 - andrejoter[.]com - POST /d2/about.php
- 85.13.155[.]85 port 80 - wingchun-giessen[.]de - GET /wp-content/uploads/2014/06/1
- 85.13.155[.]85 port 80 - wingchun-giessen[.]de - GET /wp-content/uploads/2014/06/2
- 82.202.166[.]125 port 443 - kedfortmoleft[.]ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- www.google[.]com - HTTPS traffic, probably a connectivity check by infected Windows host
FILE HASHES
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 9906d7cbd7675f3334ef91e3a63792180e149b07a5899b1e2f9be5dcc6e8a086
File size: 184,320 bytes
File name: invoice_[6 random digits].doc
File description: Word document with macro for Hancitor
- SHA256 hash: 103176ef8223aa3f3cbf0bce91019a1688258eeea257d9aa617b31676e373c86
File size: 174,592 bytes
File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
File description: Zeus Panda Banker
IMAGES
Shown above: Zeus Panda Banker persistent on the infected Windows host.
Click here to return to the main page.