2018-02-13 - HANCITOR MALSPAM - FAKE QUILL CREDIT CARD CHARGE
ASSOCIATED FILES:
- Zip archive of the traffic: 2018-02-13-Hancitor-malspam-infection-traffic.pcap.zip 565 kB (565,310 bytes)
- 2018-02-13-Hancitor-malspam-infection-traffic.pcap (803,943 bytes)
- Zip archive of the emails: 2018-02-13-Hancitor-malspam-8-email-examples.txt.zip 1.6 kB (1,636 bytes)
- 2018-02-13-Hancitor-malspam-8-email-examples.txt (11,119 bytes)
- Zip archive of the malware: 2018-02-13-Hancitor-infection-malware-and-artifacts.zip 280 kB (280,450 bytes)
- 2018-02-13-Hancitor-maldoc-invoice_325399.doc (311,296 bytes)
- 2018-02-13-Zeus-Panda-Banker.exe (126,976 bytes)
NOTES:
- I saw someone say this campaign may now be using domain shadowing, but I don't think that's the case.
- Two of the domains to retrieve Pony, Evil Pony, and Zeus Panda Banker start with a "mail." prefix, but they still use the same IP addresses as their associated web sites.
- From what I understand, domain shadowing is a way to use valid domains for malicious servers hosted on other IP addresses.
- These web servers are still compromised. Take away the "mail." prefix, and the URLs still retrieve malware from the compromised web sites.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:
- area-connection[.]net
- contactworks[.]biz
- mynexgreen[.]com
- nexgreen[.]net
- nexgreenlawn[.]com
- roc-inc[.]net
- sultenworks[.]com
- trentoncable[.]net
- hxxp://mail.bestnewantiwrinklecream[.]com/wp-content/plugins/jetpack/modules/1
- hxxp://mail.bestnewantiwrinklecream[.]com/wp-content/plugins/jetpack/modules/2
- hxxp://mail.bestnewantiwrinklecream[.]com/wp-content/plugins/jetpack/modules/3
- hxxp://mail.seadustfilms[.]com/wp-content/plugins/maxbuttons/includes/1
- hxxp://mail.seadustfilms[.]com/wp-content/plugins/maxbuttons/includes/2
- hxxp://mail.seadustfilms[.]com/wp-content/plugins/maxbuttons/includes/3
- hxxp://www.digitaldream[.]rs/wp-content/plugins/gallery-plugin/1
- hxxp://www.digitaldream[.]rs/wp-content/plugins/gallery-plugin/2
- hxxp://www.digitaldream[.]rs/wp-content/plugins/gallery-plugin/3
- thattahitin[.]com
- parwithutfi[.]ru
- houndlinggot[.]ru
- bulighhesin[.]ru
EMAILS
Shown above: Screenshot from one of the emails.
EMAIL HEADERS:
- Date/Time: Tuesday 2018-02-13 as early as 16:19 through at least 18:55 UTC
- Subject: You have a new Quill[.]com Credit Card Purchase Receipt
- From (spoofed): "Quill[.]com" <Invoice@quil1[.]com>
- Received: from quil1[.]com ([50.252.95[.]129])
- Received: from quil1[.]com ([70.55.226[.]153])
- Received: from quil1[.]com ([75.110.186[.]234])
- Received: from quil1[.]com ([96.61.127[.]2])
- Received: from quil1[.]com ([96.68.44[.]105])
- Received: from quil1[.]com ([206.40.111[.]53])
- Received: from quil1[.]com ([207.201.210[.]82])
- Received: from quil1[.]com ([216.218.189[.]211])
Shown above: Malicious Word document downloaded from a link in the malspam.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
LINKS IN THE EMAILS TO THE WORD DOCUMENT:
- hxxp://contactworks[.]biz?[string of characters]=[encoded string representing recipient's email address]
- hxxp://MYNEXGREEN[.]COM?[string of characters]=[encoded string representing recipient's email address]
- hxxp://nexgreen[.]net?[string of characters]=[encoded string representing recipient's email address]
- hxxp://sultenworks[.]com?[string of characters]=[encoded string representing recipient's email address]
- hxxp://trentoncable[.]net?[string of characters]=[encoded string representing recipient's email address]
NETWORK TRAFFIC FROM MY INFECTED LAB HOST:
- 92.53.77[.]166 port 80 - nexgreen[.]net - GET /?[string of characters]=[encoded string that includes info on recipient's email address]
- api.ipify[.]org - GET /
- 185.36.102[.]227 port 80 - thattahitin[.]com - POST /ls5/forum.php
- 185.36.102[.]227 port 80 - thattahitin[.]com - POST /mlu/forum.php
- 185.36.102[.]227 port 80 - thattahitin[.]com - POST /d2/about.php
- 173.254.71[.]118 port 80 - mail.bestnewantiwrinklecream[.]com - GET /wp-content/plugins/jetpack/modules/1
- 173.254.71[.]118 port 80 - mail.bestnewantiwrinklecream[.]com - GET /wp-content/plugins/jetpack/modules/2
- 173.254.71[.]118 port 80 - mail.bestnewantiwrinklecream[.]com - GET /wp-content/plugins/jetpack/modules/3
- 185.211.247[.]31 port 443 - bulighhesin[.]ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- www.google[.]com - HTTPS traffic, probably a connectivity check by infected Windows host
FILE HASHES
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 2101f58099128c1192da4373458e425e816fe3761bc2834423dfdb3944a939fe
File size: 311,296 bytes
File name: invoice_325399.doc [any six random digits for the numbers]
File description: Word document with macro for Hancitor
- SHA256 hash: 814e74e42d760b3f2ed66346156114122e7d2f9c209f9c51a97eb367e8d23d2b
File size: 126,976 bytes
File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
File description: Zeus Panda Banker
IMAGES
Shown above: Zeus Panda Banker persistent on the infected Windows host.
Click here to return to the main page.