Hancitor is a downloader malware that has been steadily distributed through spam e-mail since 2016. A recently discovered variant installs Cobalt Strike through its additional payloads, so users should take caution.
The malware arrives as an attachment or a download link in spam mail, and the lure is usually a Microsoft Office document. The recently discovered type is a Word document containing a malicious VBA macro. When the document is opened, the following image is displayed: using a social engineering lure, it prompts the user to enable the macro by clicking the ‘Enable Content’ button.

When the macro is enabled, the malicious DLL stored in the ‘Ole10Native’ object inside the document is written to the %temp%furmt.f path. Looking at the ‘Ole10Native’ object shown below, the path where the malicious DLL will be dropped can be seen, followed by the DLL’s MZ signature.

The VBA macro then moves the dropped DLL from ‘%temp%furmt.f’ to ‘\AppData\Roaming\Microsoft\Word\jers.dll’ and runs it with rundll32.exe.
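The dropping step above is easy to verify without running the macro: the DLL and the path it will be written to both sit in the ‘Ole10Native’ stream, so a script can pull them out of the document directly. The following is an added example, not code from the original post or from AhnLab. It assumes the common Packager layout for the Ole10Native stream (size, flags, label, source path, temp path, data length, data) only to build its constructed sample; the carver itself relies on the MZ/PE signatures and on the DWORD length stored immediately before the data, so a different header layout does not break it. The `build_fake_*` helpers, the path strings and the `carve_from_document` function are assumptions for illustration.

```python
import re
import struct


def build_fake_pe(body_len=64):
    """Constructed stand-in for the dropped DLL: a valid DOS stub pointing at a
    'PE\\0\\0' signature and nothing more. It is NOT a real Hancitor sample."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers follow the DOS header
    return bytes(dos) + b"PE\x00\x00" + bytes(body_len - 4)


def build_fake_ole10native(drop_path, data):
    """Wrap `data` in the Ole10Native (Packager) layout this script assumes:
    DWORD size | WORD flags | label\\0 | source path\\0 | DWORD reserved |
    DWORD temp-path length | temp path\\0 | DWORD data size | data.
    Label, source path and drop_path are constructed values, not from a sample."""
    label = b"furmt.f\x00"
    src = b"C:\\src\\furmt.f\x00"
    tmp = drop_path.encode() + b"\x00"
    body = (struct.pack("<H", 2) + label + src + struct.pack("<I", 0)
            + struct.pack("<I", len(tmp)) + tmp
            + struct.pack("<I", len(data)) + data)
    return struct.pack("<I", len(body)) + body


def find_pe(blob):
    """Offset of the first 'MZ' whose e_lfanew really points at 'PE\\0\\0', else -1.
    Checking the NT signature avoids false hits on the two bytes 'MZ' inside text."""
    for m in re.finditer(b"MZ", blob):
        off = m.start()
        if off + 0x40 > len(blob):
            break
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        sig = off + e_lfanew
        if e_lfanew >= 0x40 and sig + 4 <= len(blob) and blob[sig:sig + 4] == b"PE\x00\x00":
            return off
    return -1


def carve_ole10native(blob):
    """Recover the drop path candidates and the embedded PE from a raw Ole10Native
    stream. Trusts the MZ/PE signatures and the DWORD length stored right before
    the data rather than a fixed header layout."""
    off = find_pe(blob)
    if off < 4:
        return None
    size = struct.unpack_from("<I", blob, off - 4)[0]
    size = min(size, len(blob) - off)  # never read past the stream on a lying length field
    header = blob[:off - 4]
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{4,}", header)]
    paths = [s for s in strings if "\\" in s or "%" in s]
    return {"offset": off, "size": size, "strings": strings, "paths": paths,
            "pe": blob[off:off + size]}


def carve_from_document(path):
    """Run the carver over every Ole10Native stream of an OLE2 (.doc) container.
    Needs `pip install olefile`. For .docx/.docm, unzip word/embeddings/*.bin
    first and pass each of those OLE files here instead."""
    import olefile
    results = []
    with olefile.OleFileIO(path) as ole:
        for entry in ole.listdir(streams=True):
            if entry[-1].lower().endswith("ole10native"):
                hit = carve_ole10native(ole.openstream(entry).read())
                if hit:
                    results.append(("/".join(entry), hit))
    return results


if __name__ == "__main__":
    sample = build_fake_ole10native("%temp%\\furmt.f", build_fake_pe())
    hit = carve_ole10native(sample)
    print("drop path candidates:", hit["paths"])
    print("PE at offset 0x%x, %d bytes, starts with %r" % (hit["offset"], hit["size"], hit["pe"][:2]))
```

The recovered `paths` list is what to compare against the path the article reports; the carved `pe` bytes can then be hashed and matched against the Hancitor DLL hash in the IOC section without ever executing the document.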

The executed DLL is packed; it decodes the actual Hancitor DLL and runs it in memory. Hancitor is a small downloader of about 25KB. It collects basic information about the infected PC, such as the user name, computer name, IP address and OS version, and sends it to the C&C server. This sample carries three C&C servers and contacts them in order: if one fails, it tries the next.
Hancitor C&C URL
– hxxp://sumbahas[.]com/8/forum.php
– hxxp://staciterst[.]ru/8/forum.php
– hxxp://semareake[.]ru/8/forum.php

When the user information above is sent to the C&C server, the response is a Base64-encoded and additionally encrypted string.

Decoding the received string yields the following format: {‘Command Type’: ‘URL’}.

Hancitor handles each received command under the conditional statements below. As the command here is ‘b’, it downloads a PE file from the received URL and injects it into a newly created svchost.exe process.

Normally the C&C server sends the payload of an info-stealer named FickerStealer, so the FickerStealer payload runs inside the newly created svchost.exe and attempts to steal information.
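The execution chain described so far (Word spawning rundll32.exe on a DLL under the user’s profile, then rundll32.exe creating a fresh svchost.exe to inject into) is detectable from process-creation telemetry alone, before any payload is identified. The following is an added example, not code from the original post or from AhnLab: it runs two rules and a parent-chain check over constructed Sysmon Event ID 1-style records. The event records, the `,#1` export argument and the image paths are constructed assumptions; the page does not give the export name the macro calls.

```python
import re

# Constructed process-creation telemetry (Sysmon Event ID 1 style), NOT real logs.
# pids 300-302 model the chain described above: Word -> rundll32 loading the DLL
# from AppData\Roaming -> a fresh svchost.exe created by rundll32 for injection.
# pid 200 is a legitimate service host started by services.exe.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\services.exe",
     "cmdline": "services.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 300, "ppid": 50, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\Users\victim\Downloads\document.doc"'},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\victim\AppData\Roaming\Microsoft\Word\jers.dll,#1"},
    {"pid": 302, "ppid": 301, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(?:roaming|local)\\", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid, limit=16):
    """Image names from `pid` upward until the parent is unknown (or `limit` hops)."""
    chain = []
    while pid in by_pid and len(chain) < limit:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule, detail) findings for the Hancitor execution chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = image_name(parent["image"]) if parent else ""
        if img == "rundll32.exe":
            m = RUNDLL_DLL.search(e["cmdline"])
            dll = m.group(1) if m else ""
            # Office spawning rundll32 on a DLL under the user profile: the dropper step
            if pimg in OFFICE_IMAGES and USER_WRITABLE.search(dll):
                findings.append((e["pid"], "office_child_rundll32_userprofile_dll", dll))
        elif img == "svchost.exe":
            # Genuine service hosts are started by services.exe; any other parent is an
            # injection/hollowing candidate (Hancitor's 'b' command creates one from rundll32)
            if pimg != "services.exe":
                findings.append((e["pid"], "svchost_unexpected_parent", pimg or "unknown"))
            chain = ancestry(by_pid, e["pid"])
            if "rundll32.exe" in chain and OFFICE_IMAGES.intersection(chain):
                findings.append((e["pid"], "office_rundll32_svchost_chain", " <- ".join(chain)))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

The `svchost_unexpected_parent` rule on its own needs tuning on a real fleet (some builds and security products legitimately start svchost.exe from other parents), which is why the chain rule that ties the svchost.exe back to an Office parent through rundll32.exe is the one to alert on with high confidence.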

In a corporate (Active Directory) environment, Hancitor is known to install Cobalt Strike instead of FickerStealer. Indeed, when Hancitor is run in an AD environment, it receives different commands, as shown below.

The first is FickerStealer as above; the other two are Cobalt Strike Stager shellcodes that download the actual backdoor, Beacon. FickerStealer is downloaded and run through the same ‘b’ command as before, while the Stagers, being shellcode, use the ‘I’ command. Each Stager downloads Beacon and injects it into svchost.exe, so two Cobalt Strike beacons run on the infected PC.
Hancitor Download URL
– First Cobalt Strike Stager Download URL: hxxp://kuragnda2[.]ru/2804.bin
– Second Cobalt Strike Stager Download URL: hxxp://kuragnda2[.]ru/2804s.bin
– FickerStealer Download URL: hxxp://kuragnda2[.]ru/6fsjd89gdsug.exe
Cobalt Strike Stager Download URL
– First Cobalt Strike Beacon Download URL: hxxp://45.170.245[.]190/qbU4
– Second Cobalt Strike Beacon Download URL: hxxp://45.170.245[.]190/dO1x
Cobalt Strike Beacon C&C URL
– First Cobalt Strike Beacon C&C: hxxp://45.170.245[.]190/visit.js
– Second Cobalt Strike Beacon C&C: hxxp://45.170.245[.]190/activity
FickerStealer C&C URL
– hxxp://sweyblidian[.]com

Hancitor is distributed via spam e-mail, so users should refrain from opening attachments in suspicious-looking e-mails. V3 should also be kept up to date so that infections can be prevented.
AhnLab products provide process memory-based and behavior-based detection against the Beacon backdoor, which is used from Cobalt Strike’s initial compromise stage through internal propagation.
[File Detection]
– Downloader/Win.Hancitor.R418362 (2021.04.30.01) – Word document file and Hancitor DLL
– Dropper/MSOffice.Generic (2021.05.01.01) – Word document file
– Infostealer/Win.FickerStealer.R352614 (2020.10.05.04) – FickerStealer payload in memory
– Trojan/Win.CobaltStrike.R417512 (2021.04.24.03) – Cobalt Strike Beacon in memory
[Behavior Detection]
– Malware/MDP.Execute.M363
[IOC]
File
– Word Document File: 693df6e9f5dc0cd3ed4c6ede503ce8bc
– Hancitor DLL: 5122d19bed77851f85775793e34bff09
– FickerStealer: 77be0dd6570301acac3634801676b5d7
Hancitor C&C
– hxxp://sumbahas[.]com/8/forum.php
– hxxp://staciterst[.]ru/8/forum.php
– hxxp://semareake[.]ru/8/forum.php
FickerStealer C&C
– hxxp://sweyblidian[.]com
Cobalt Strike
– hxxp://kuragnda2[.]ru/2804.bin
– hxxp://kuragnda2[.]ru/2804s.bin
– hxxp://45.170.245[.]190/qbU4
– hxxp://45.170.245[.]190/dO1x
– hxxp://45.170.245[.]190/visit.js
– hxxp://45.170.245[.]190/activity
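The network IOCs above separate cleanly into stages (Hancitor C&C, Stager and FickerStealer downloads, Beacon downloads, Beacon C&C, FickerStealer C&C), and that separation is useful during response: a host that reached the Hancitor C&C and then a Beacon C&C is further along than one that only fetched a stager. The following is an added example, not code from the original post or from AhnLab: it refangs the IOC list exactly as printed above and runs it over constructed proxy log lines. The log format (timestamp, client, method, URL, status) and every log line are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# IOC URLs exactly as listed above (defanged), grouped by the stage they belong to.
IOCS = {
    "hancitor_c2": [
        "hxxp://sumbahas[.]com/8/forum.php",
        "hxxp://staciterst[.]ru/8/forum.php",
        "hxxp://semareake[.]ru/8/forum.php",
    ],
    "cobaltstrike_stager_download": [
        "hxxp://kuragnda2[.]ru/2804.bin",
        "hxxp://kuragnda2[.]ru/2804s.bin",
    ],
    "fickerstealer_download": ["hxxp://kuragnda2[.]ru/6fsjd89gdsug.exe"],
    "cobaltstrike_beacon_download": [
        "hxxp://45.170.245[.]190/qbU4",
        "hxxp://45.170.245[.]190/dO1x",
    ],
    "cobaltstrike_beacon_c2": [
        "hxxp://45.170.245[.]190/visit.js",
        "hxxp://45.170.245[.]190/activity",
    ],
    "fickerstealer_c2": ["hxxp://sweyblidian[.]com"],
}

# Constructed proxy log lines (timestamp, client, method, URL, status); NOT real traffic.
SAMPLE_LOG = """
2021-05-03T10:00:01Z 10.0.0.5 POST http://sumbahas.com/8/forum.php 200
2021-05-03T10:00:04Z 10.0.0.5 GET http://kuragnda2.ru/2804.bin 200
2021-05-03T10:00:09Z 10.0.0.5 GET http://45.170.245.190/visit.js 200
2021-05-03T10:01:30Z 10.0.0.7 GET http://45.170.245.190/other 404
2021-05-03T10:02:00Z 10.0.0.7 GET http://sweyblidian.com/ 200
2021-05-03T10:02:05Z 10.0.0.9 GET http://example.com/ 200
2021-05-03T10:02:07Z 10.0.0.9 GET http://notsumbahas.com/8/forum.php 200
""".strip().splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def refang(ioc):
    """Turn the defanged form used above (hxxp, [.]) back into a parseable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def build_index(iocs):
    """Exact (host, path) index for URL IOCs plus a host index covering every IOC host."""
    by_url, by_host = {}, defaultdict(set)
    for stage, items in iocs.items():
        for ioc in items:
            u = urlsplit(refang(ioc))
            host = (u.hostname or "").lower()
            by_host[host].add(stage)
            if u.path and u.path != "/":
                by_url[(host, u.path)] = stage
    return by_url, by_host


def match_log(lines, iocs=IOCS):
    """Flag log lines hitting an IOC. A full URL match names the exact stage; a
    host-only match (new path on a known host) is weaker but still worth an alert."""
    by_url, by_host = build_index(iocs)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        u = urlsplit(m["url"])
        host, path = (u.hostname or "").lower(), u.path or "/"
        if (host, path) in by_url:
            hits.append({"src": m["src"], "url": m["url"], "match": "url",
                         "stages": [by_url[(host, path)]]})
        elif host in by_host:
            hits.append({"src": m["src"], "url": m["url"], "match": "host",
                         "stages": sorted(by_host[host])})
    return hits


def stages_by_source(hits):
    """Collapse hits per client so a host that reached both the Hancitor C&C and a
    Beacon C&C stands out from one that only touched a download URL."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["src"]].update(h["stages"])
    return {src: sorted(st) for src, st in seen.items()}


if __name__ == "__main__":
    hits = match_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["src"]} {h["match"]:4} {h["url"]} -> {", ".join(h["stages"])}')
    print(stages_by_source(hits))
```

Host matching is deliberately exact (notsumbahas.com is not a hit), and the refang step means the IOC block can be pasted in as printed; feed the matcher a real proxy export by adapting `LOG_RE` to that export’s column order.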