In this article, we present a Hancitor attack campaign that was delivered through a malicious email impersonating DocuSign. Hancitor (also known as Chanitor) is an information stealer and a malware loader that is used to download other crimeware, such as Ficker Stealer and Cobalt Strike.
In this campaign, the attacker conceals the malicious payload by embedding it inside a Word document.
The Hancitor Malware Delivery.
In this campaign, each time the users receive the attack email, it is sent from a different source IP address and a different sender address. However, the emails are always sent from the same 5 domains: loriseddieauto.com, hollingsworth-engineering.com, coburgbanks.com, christianporn.com, cokoladovefontany.com.
In all attack emails, the display name was changed to “DocuSign Signature Services” and the subject of the email announces a new invoice received through DocuSign, as can be seen here:
The “sign document” button always contains a feedproxy link, and redirects to a download page, which automatically downloads a doc file.
When opening the doc file, we found nothing but this picture:
The picture instructs the user to click on “enable editing”, after which VBA macro code runs automatically. This is a known technique used to lure the user into activating the malware. The malicious macro runs a DLL that is embedded inside the document and hidden by reducing its size in the document to almost zero.
Macro code analysis.
The macros are obfuscated to make the code harder to analyze and to reduce the risk of detection by static engines.
First, the attacker declares the function ShellExecuteA from the shell32 library:
The macros select the hidden DLL embedded in the document itself and copy it using the command “Selection.Copy”. The file then appears in the “%temp%” directory, where the attacker is able to use it.
In this obfuscated function, the attacker has created a loop that runs until it finds the path:
Then, the DLL is copied from the %temp% folder to “c:\users\***\appdata\roaming\microsoft\templates\” and renamed to “niberius.dll” using this function:
By using the “gc” function from above, the attacker calls ShellExecuteA and runs the command:
Using Process Explorer, we were able to see that a child process (rundll32.exe) was created under WINWORD.EXE and runs the command from above.
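The parent/child relationship described above can be turned into a detection rule. The following is an added example, not code from the original analysis: it flags rundll32.exe started by an Office application and loading a DLL from %temp% or the Word Templates folder. The event dictionaries use Sysmon-style field names, and the sample events, user names and the export name "ExportPlaceholder" are constructed for illustration.

```python
import ntpath
import re

# Office applications that have no routine reason to spawn rundll32.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# User-writable drop locations named in the article: %temp% and the Word
# Templates folder under the roaming profile.
DROP_PATH = re.compile(
    r'\\appdata\\(?:roaming\\microsoft\\templates|local\\temp)\\[^\\"]+\.dll',
    re.IGNORECASE,
)

def exe_name(path):
    """Lower-cased file name of a Windows path, ignoring surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()

def reasons(event):
    """List the indicators present in one process-creation event."""
    if exe_name(event["Image"]) != "rundll32.exe":
        return []
    found = []
    if exe_name(event["ParentImage"]) in OFFICE_PARENTS:
        found.append("rundll32.exe spawned by an Office application")
    if DROP_PATH.search(event["CommandLine"]):
        found.append("DLL loaded from Temp or Word Templates folder")
    return found

def classify(event):
    """'high' when both indicators match, 'medium' for one, None otherwise."""
    return {0: None, 1: "medium"}.get(len(reasons(event)), "high")

# Constructed sample events (not captured from the campaign). The export name
# "ExportPlaceholder" is a placeholder; the article does not show the command.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Templates\niberius.dll,ExportPlaceholder"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\x.dll",ExportPlaceholder'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(classify(ev), reasons(ev))
```
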
Post Malware Execution.
After execution, we observed the network traffic and determined that niberius.dll establishes a connection to a C&C (command & control) server (mancause[.]ru/8/forum[.]php – 126.96.36.199) and waits for the delivery of additional malware.
The DLL then attempts to download additional malware from the C&C server. Hancitor loaders usually download malware such as FickerStealer, Sendsafe, and Cobalt Strike Beacon.
A full analysis of this instance of the Hancitor malware, written by Brandon George, can be found here.
- Educate your employees to always verify the authenticity of the sender by checking whether the display name and the email address match, in order to decrease the chance of a successful spoofing attempt.
- Be aware of the risk of browsing to unknown URLs and downloading files from them.
- Use an advanced email security solution that combines dynamic and static scanning with recursive unpacking of files, in order to reduce the risk of infecting the endpoint with malware.
List of doc hashes (SHA256):
List of ‘nimb.dll’ hashes (SHA256):
List of C&C servers:
http[:]//hosouggs[.]com/8/forum[.]php - 188.8.131.52
http[:]//mancause[.]ru/8/forum[.]php - 184.108.40.206