Hancitor/Pony malspam

Published: 2017-02-10
Last Updated: 2017-02-18 01:44:14 UTC
by Brad Duncan (Version: 1)

Introduction

It's been one month since my last diary on malicious spam (malspam) with links to malicious Word documents containing Hancitor [1].  Back then, we saw Hancitor use Pony to download Vawtrak malware.  Since then, I've seen indicators for this type of malspam on a near-daily basis.

Recently, these emails have stopped leading to Vawtrak.  Instead, I'm now seeing malware that triggers alerts for Terdot.A [2, 3, 4, 5, 6, 7].  Tools from my employer identify this malware as DELoader, and a Google search indicates Terdot.A and DELoader are the same thing.

For now, I'm keeping my flow chart open on the final malware.  With that in mind, let's take a look at some infection traffic generated on Thursday 2017-02-09 based on one of these emails.


Shown above: Flow chart for the infection process.

The email

These emails generally have different subject lines each day, and they have spoofed sending addresses.  The example I saw on 2017-02-09 was a fake message about a money transfer.  It's similar to a wave of malspam seen the day before.

  • Date:  Thursday, 2017-02-09 16:05 UTC
  • Received:  from polsinelli.com   [spoofed host name]
  • Message-ID:  <879081B3.F4FA76CC@polsinelli.com>
  • From:  "Polsinelli LLP" <mlemon@polsinelli.com>   [spoofed sender]
  • Subject:  RE:RE: wife tf

The link from the email contains a base64-encoded string representing the recipient's email address, and the downloaded file is named using the recipient's name taken from that address.  I used a base64 string for a made-up email address and received a file named bofa_statement_marci.jones.doc.
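
As an added example (not from the diary), the following Python decodes the base64 id from proxy-log lines matching the /api/get.php?id= link and lists which recipients were targeted, rejecting ids that are not base64 or do not decode to an address.  The log format, client addresses and recipient addresses are constructed, and the bofa_statement_<name>.doc naming is an assumption drawn from the single file name observed above.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy-log lines (not from the diary): time, client, method, URL.
# Two ids encode made-up addresses; one is not base64 and one decodes to a non-address.
SAMPLE_LOG = """\
2017-02-09T16:07:01Z 10.0.0.21 GET http://www.jasa.adv.br/api/get.php?id=bWFyY2kuam9uZXNAZXhhbXBsZS5jb20=
2017-02-09T16:09:44Z 10.0.0.35 GET http://www.jasa.adv.br/api/get.php?id=dG9tLmxlZUBleGFtcGxlLm9yZw
2017-02-09T16:10:02Z 10.0.0.35 GET http://www.jasa.adv.br/api/get.php?id=not-base64!!
2017-02-09T16:12:30Z 10.0.0.40 GET http://www.example.com/api/get.php?id=c29tZXRoaW5nLWVsc2U=
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def decode_recipient(id_value):
    """Decode the base64 'id' value to an email address, or None if it is not
    valid base64 or does not look like an address (URL-safe alphabet and
    missing '=' padding are tolerated)."""
    std = id_value.replace(" ", "+")  # parse_qs turns an unescaped '+' into a space
    std = std.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        text = base64.b64decode(std, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return text if EMAIL_RE.match(text) else None

def expected_filename(email):
    # Assumed naming, from the one sample in the diary: bofa_statement_<local part>.doc
    return "bofa_statement_%s.doc" % email.split("@", 1)[0]

def targeted_recipients(log_text):
    """[(client, recipient, expected document name)] for each /api/get.php?id=
    request whose id decodes to an email address."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, client, _method, url = fields
        parts = urlsplit(url)
        if not parts.path.endswith("/api/get.php"):
            continue
        for id_value in parse_qs(parts.query).get("id", []):
            recipient = decode_recipient(id_value)
            if recipient:
                hits.append((client, recipient, expected_filename(recipient)))
    return hits
```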


Shown above:  Fake money transfer email with link to a Word document.

The link from the malspam downloaded a Microsoft Word document.  The document contains a malicious VB macro described as Hancitor, Chanitor or Tordal.  I generally call it Hancitor.  If you enable macros, the document retrieves a Pony downloader DLL.  At first, I thought Pony was retrieving the DELoader malware; however, another researcher told me it's Hancitor that grabs DELoader.  I haven't had time to investigate; however, I probably need to update my flowchart.


Shown above:  Retrieving the Hancitor Word document from the email link.


Shown above:  Enabling macros will activate Hancitor.

The traffic

Pattern-wise, URLs from this infection are similar to previous cases of Hancitor/Pony malspam I've seen during the past week or two.


Shown above:  Infection traffic after activating macros in the Word document.

Alerts show post-infection traffic for Terdot.A/Zloader, which is consistent with recent infections I've seen for malware identified as DELoader.


Shown above:  Alerts on the traffic using Security Onion with Suricata and the ETPRO ruleset.

Indicators of Compromise (IOCs)

Email link noted on Thursday 2017-02-09 to download the Hancitor Word document:

  • 187.17.111.102 port 80 - www.jasa.adv.br - GET /api/get.php?id=[base64 string]

Traffic after enabling macros on the Word document:

  • api.ipify.org - GET /   [IP address check]
  • 91.226.93.57 port 80 - hadrylego.com - POST /ls5/forum.php   [Hancitor callback]
  • 91.226.93.57 port 80 - hadrylego.com - POST /klu/forum.php   [Hancitor callback]
  • 98.138.19.143 port 80 - caleduc.com - GET /blog/wp-content/themes/sketch/1   [call for Pony DLL]
  • 104.196.224.112 port 80 - main-meats.com - GET /1   [call for Pony DLL]
  • 199.204.248.138 port 80 - patsypie.com - GET /wp-content/themes/sketch/1   [call for Pony DLL]
  • 98.138.19.143 port 80 - caleduc.com - GET /blog/wp-content/themes/sketch/a1   [call for DELoader]
  • 104.196.224.112 port 80 - main-meats.com - GET /a1   [call for DELoader]
  • 199.204.248.138 port 80 - patsypie.com - GET /wp-content/themes/sketch/a1   [call for DELoader]
  • 91.221.37.160 port 80 - ughtoftritret.ru - POST /bdk/gate.php   [DELoader callback]

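As an added example, not part of the diary, this Python classifies constructed HTTP log lines against the URI patterns in the list above and reconstructs the per-client infection chain, treating a lone hit on a weak pattern (a URI ending in /1, or the legitimate api.ipify.org check) as insufficient on its own.  The log format, client addresses and stage names are assumptions.

```python
import re
from collections import defaultdict

# Constructed HTTP log lines (not from the diary): time, client, method, host, URI.
SAMPLE_HTTP_LOG = """\
16:20:01 10.0.0.21 GET api.ipify.org /
16:20:02 10.0.0.21 POST hadrylego.com /ls5/forum.php
16:20:05 10.0.0.21 GET caleduc.com /blog/wp-content/themes/sketch/1
16:20:09 10.0.0.21 GET caleduc.com /blog/wp-content/themes/sketch/a1
16:20:15 10.0.0.21 POST ughtoftritret.ru /bdk/gate.php
16:21:40 10.0.0.35 GET api.ipify.org /
16:22:00 10.0.0.50 GET www.example.com /blog/index.php
"""
# (stage, method, host regex, URI regex) from the IOC list; only the IP check pins a host,
# since the payload and callback domains rotate from day to day.
STAGES = [
    ("ip-check",          "GET",  r"^api\.ipify\.org$", r"^/$"),
    ("hancitor-callback", "POST", r".",                  r"^/[^/]+/forum\.php$"),
    ("pony-dll",          "GET",  r".",                  r"(^|/)1$"),
    ("deloader",          "GET",  r".",                  r"(^|/)a1$"),
    ("deloader-callback", "POST", r".",                  r"(^|/)gate\.php$"),
]

def classify(method, host, uri):
    for stage, m, host_re, uri_re in STAGES:
        if method == m and re.search(host_re, host) and re.search(uri_re, uri):
            return stage
    return None

def reconstruct_chains(log_text):
    """Group matching requests by client: {client: [stage, ...]} in the order seen."""
    chains = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _t, client, method, host, uri = fields
        stage = classify(method, host, uri)
        if stage:
            chains[client].append(stage)
    return dict(chains)

def infection_verdict(stages):
    """'infected' needs the Hancitor callback plus a payload fetch; a lone weak hit
    (a URI ending in /1, or the legitimate api.ipify.org check) is not enough."""
    seen = set(stages)
    if "hancitor-callback" in seen and seen & {"pony-dll", "deloader"}:
        return "infected"
    if seen & {"hancitor-callback", "pony-dll", "deloader", "deloader-callback"}:
        return "suspicious"
    return "benign"
```
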
Associated file hashes:

Final words

As this campaign progresses, IOCs will continue to change, and I'm sure traffic patterns will continue to evolve.

Pcap and malware for this diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] https://isc.sans.edu/forums/diary/HancitorPonyVawtrak+malspam/21919
[2] http://malware-traffic-analysis.net/2017/01/25/index2.html
[3] http://malware-traffic-analysis.net/2017/01/30/index2.html
[4] http://malware-traffic-analysis.net/2017/01/31/index3.html
[5] http://malware-traffic-analysis.net/2017/02/01/index.html
[6] http://malware-traffic-analysis.net/2017/02/06/index2.html
[7] http://malware-traffic-analysis.net/2017/02/07/index.html
