Hancitor Banking Trojan is Back | Using Malicious Word Attachment

The Hancitor trojan, also known as Chanitor, is a downloader first observed in 2014. Back then, it distributed its payload via a Microsoft Word document email attachment with embedded malicious macros. Over the years, several flavors have been seen in the wild using a variety of infection techniques. A few examples:

  1. A macro in an attached document contains encoded shellcode and uses native API calls within Visual Basic (VB) to pass execution, carving out and decrypting the embedded malware.
  2. Another flavor seen in the wild involves a malicious attachment that drops an additional payload to download the Pony/Evil Pony fileless malware or Zeus/Vawtrak executables, which then steal data and connect to a C2 server.

The Hancitor trojan typically uses phishing emails as an infection method. Several phishing email campaigns delivered bogus parking ticket notifications. The message asks the recipient to click a link to pay their ticket, and that link leads the victim to a malicious Microsoft Word document.

Another common spam email appears to originate from Intuit or HelloFax and encourages the user to download a fax, which then triggers the infection.

Credit: https://www.malware-traffic-analysis.net

SentinelOne Detecting Hancitor Demo

Recent Hancitor distribution URLs

hxxp://altilium.com
hxxp://altilium.net
hxxp://autoaccidentplaintiff.com
hxxp://braininjuryplaintiff.com
hxxp://dryerventwizardcanada.co
hxxp://dryerventwizardcanada.net
hxxp://dryerventwizardcanada.org
hxxp://getlintout.mobi
hxxp://getlintout.net
hxxp://getlintout.org
hxxp://getthelintout.info
hxxp://keystoneacres.org
hxxp://newjerseyplaintiff.com
hxxp://newyorkplaintiff.com
hxxp://pbtmail.com
hxxp://slipandfallplaintiff.com
hxxp://thedryerventwizard.biz
hxxp://thedryerventwizard.ca
hxxp://wegetthelintout.ca
hxxp://wegetthelintout.net
hxxp://beaconhcg.com
hxxp://bingjcarbone.com
hxxp://dryerventwizard.biz
hxxp://dryerventwizardcanada.info
hxxp://getlintout.info
hxxp://leadershipinstyle.com
hxxp://lightstonemed.com
hxxp://lightstonemedical.com
hxxp://myventbiz.com
hxxp://theventwizards.com
hxxp://ventwizards.com
hxxp://woundsuckers.com

HANCITOR C2
hxxp://onerefrepnot.com/4/forum.php
hxxp://talighutsin.ru/4/forum.php
hxxp://undsuphesgot.ru/4/forum.php
hxxp://heghihedning.com/4/forum.php
hxxp://parhowtorshim.ru/4/forum.php
hxxp://leftsihemper.ru/4/forum.php

PONY / EVILPONY / PANDA BANKER PAYLOAD URLS
hxxp://aakaii.com/wp-content/plugins/post-thumbnail-editor/2
hxxp://aakaii.com/wp-content/plugins/post-thumbnail-editor/1
hxxp://aakaii.com/wp-content/plugins/post-thumbnail-editor/3

PONY / EVIL PONY C2
hxxp://onerefrepnot.com/mlu/forum.php
hxxp://onerefrepnot.com/d2/about.php
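The indicator lists above are published defanged (hxxp://). The following Python is an added example, not code from the SentinelOne post: it refangs a subset of those indicators and runs them over a constructed, simplified proxy log (the "timestamp client_ip method url" line format is assumed for the example) to show how the three lists are used differently in detection. Bare distribution hosts match any request to that host or one of its subdomains, C2 entries match host and path exactly (query string ignored), and a request to a listed C2 host with an unlisted path is surfaced as a lower-confidence host-only hit.

```python
"""Match the defanged Hancitor / Pony indicators listed above against proxy logs.

Added example; not code from the SentinelOne post. The log line format
("<timestamp> <client_ip> <method> <url>") and the sample lines are constructed
for this example. The indicators themselves are copied from the post.
"""
import re
from urllib.parse import urlsplit

# Indicators as published above, in defanged hxxp:// form. Bare hosts are
# distribution sites (any URL on that host is of interest); entries with a
# path are C2 check-in URLs.
INDICATORS = {
    "hancitor-distribution": [
        "hxxp://altilium.com",
        "hxxp://getlintout.net",
        "hxxp://newjerseyplaintiff.com",
    ],
    "hancitor-c2": [
        "hxxp://onerefrepnot.com/4/forum.php",
        "hxxp://talighutsin.ru/4/forum.php",
    ],
    "pony-c2": [
        "hxxp://onerefrepnot.com/mlu/forum.php",
        "hxxp://onerefrepnot.com/d2/about.php",
    ],
}

_DEFANG = re.compile(r"^hxxps?://", re.IGNORECASE)


def refang(indicator):
    """Turn a defanged indicator ('hxxp://', '[.]') back into a real URL string."""
    text = indicator.strip().replace("[.]", ".")
    return _DEFANG.sub(lambda m: m.group(0).lower().replace("hxxp", "http"), text)


def build_matchers(indicators):
    """Index indicators three ways: host-only, exact host+path, and the hosts
    that carry any C2 path (used for lower-confidence host-only hits)."""
    host_only, full_url, c2_hosts = {}, {}, {}
    for category, urls in indicators.items():
        for raw in urls:
            parts = urlsplit(refang(raw))
            if parts.path in ("", "/"):
                host_only[parts.hostname] = category
            else:
                full_url[(parts.hostname, parts.path)] = category
                c2_hosts.setdefault(parts.hostname, set()).add(category)
    return host_only, full_url, c2_hosts


def _parent_domains(host):
    """Yield the host and each parent domain (minus the bare TLD)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


# Constructed log format for the example: "<timestamp> <client_ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def match_line(line, host_only, full_url, c2_hosts):
    """Return (client, verdict, matched_indicator) for one log line, or None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    # Exact C2 URL (query string ignored) is the highest-confidence hit.
    if (host, path) in full_url:
        return (m.group("client"), full_url[(host, path)], host + path)
    # Distribution hosts match the host itself or any subdomain of it.
    for candidate in _parent_domains(host):
        if candidate in host_only:
            return (m.group("client"), host_only[candidate], candidate)
    # Known C2 host with an unlisted path: still flag it, marked host-only.
    if host in c2_hosts:
        return (m.group("client"), "c2-host-only:" + ",".join(sorted(c2_hosts[host])), host)
    return None


def scan(lines, indicators=INDICATORS):
    """Run every log line through the indicator matchers and return the hits."""
    matchers = build_matchers(indicators)
    return [hit for hit in (match_line(line, *matchers) for line in lines) if hit]


# Constructed sample proxy log, not real traffic.
SAMPLE_LOG = [
    "2018-06-19T14:02:11Z 10.1.2.3 GET http://www.example.com/index.html",
    "2018-06-19T14:02:45Z 10.1.2.3 GET http://www.getlintout.net/1",
    "2018-06-19T14:03:10Z 10.1.2.3 POST http://onerefrepnot.com/4/forum.php",
    "2018-06-19T14:03:30Z 10.1.2.3 POST http://onerefrepnot.com/d2/about.php?id=1",
    "2018-06-19T14:04:00Z 10.1.2.9 GET http://onerefrepnot.com/4/other.php",
]

if __name__ == "__main__":
    for client, verdict, indicator in scan(SAMPLE_LOG):
        print(f"{client} {verdict} {indicator}")
```

The last sample line shows why the host-only tier is worth keeping: the lists above put both a Hancitor C2 path and two Pony C2 paths on onerefrepnot.com, so a request to that host with a path not in the list is still reported, carrying both categories, rather than silently dropped.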

The post Hancitor Banking Trojan is Back | Using Malicious Word Attachment appeared first on SentinelOne.