Hancitor/Pony malspam

Published: 2017-02-10. Last Updated: 2017-02-18 01:44:14 UTC
by Brad Duncan (Version: 1)

Introduction

It's been one month since my last diary on malcious spam (malspam) with links to malicious Word documents containing Hancitor [1]. Back then, we saw Hancitor use Pony to download Vawtrak malware. Since then, I've seen indicators for this type of malspam on a near-daily basis.

Recently, these emails have stopped leading to Vawtrak. Instead, I'm now seeing malware that triggers alerts for Terdot.A [2, 3, 4, 5, 6, 7]. Tools from my employer identify this malware as DELoader, and a Google search indicates Terdot.A and DELoader are the same thing.

For now, I'm keeping my flow chart open on the final malware. With that in mind, let's take a look at some infection traffic generated on Thursday 2017-02-09 based on one of these emails.

Shown above: Flow chart for the infection process.

The email

These emails generally have different subject lines each day, and they have spoofed sending addresses. The example I saw on 2017-02-09 was a fake message about a money transfer. It's similar to a wave of malspam seen the day before.

Date: Thursday, 2017-02-09 16:05 UTC
Received: from polsinelli.com [spoofed host name]
Message-ID: <879081B3.F4FA76CC@polsinelli.com>
From: "Polsinelli LLP" <mlemon@polsinelli.com> [spoofed sender]
Subject: RE:RE: wife tf

The link from the email contains a base64-encoded string representing the recipient's email address. Based on that string, the downloaded file will have the recipient's name from the email address. I used a base64 string for a made-up email address and received a file named bofa_statement_marci.jones.doc.

Shown above: Fake money transfer email with link to a Word document.

The link from the malspam downloaded a Microsoft Word document. The document contains a malicious VB macro described as Hancitor, Chanitor or Tordal. I generally call it Hancitor. If you enable macros, the document retrieves a Pony downloader DLL. At first, I thought Pony was retrieving the DELoader malware; however, another researcher told me it's Hancitor that grabs DELoader. I haven't had time to investigate; however, I probably need to update my flowchart.

Shown above: Retrieving the Hancitor Word document from the email link.

Shown above: Enabling macros will activate Hancitor.

The traffic

Pattern-wise, URLs from this infection are similar to previous cases of Hancitor/Pony malspam reported I've seen during the past week or two.

Shown above: Infection traffic after activating macros in the Word document.

Alerts show post-infection traffic for Terdot.A/Zloader, which is consistent with recent infections I've seen for malware identified as DELoader.

Shown above: Alerts on the traffic using Security Onion with Suricata and the ETPRO ruleset.

Indicators of Compromise (IOCs)

Email link noted on Thursday 2017-02-09 to download the Hancitor Word document:

187.17.111.102 port 80 - www.jasa.adv.br - GET /api/get.php?id=[base64 string]

Traffic after enabling macros on the Word document:

api.ipify.org - GET / [IP address check]
91.226.93.57 port 80 - hadrylego.com - POST /ls5/forum.php [Hancitor callback]
91.226.93.57 port 80 - hadrylego.com - POST /klu/forum.php [Hancitor callback]
98.138.19.143 port 80 - caleduc.com - GET /blog/wp-content/themes/sketch/1 [call for Pony DLL]
104.196.224.112 port 80 - main-meats.com - GET /1 [call for Pony DLL]
199.204.248.138 port 80 - patsypie.com - GET /wp-content/themes/sketch/1 [call for Pony DLL]
98.138.19.143 port 80 - caleduc.com - GET /blog/wp-content/themes/sketch/a1 [call for DELoader]
104.196.224.112 port 80 - main-meats.com - GET /a1 [call for DELoader]
199.204.248.138 port 80 - patsypie.com - GET /wp-content/themes/sketch/a1 [call for DELoader]
91.221.37.160 port 80 - ughtoftritret.ru - POST /bdk/gate.php [DELoader callback]