Hancitor Word Document Installing CobaltStrike Hacking Tool in AD Environment

Hancitor is a downloader malware distributed through spam e-mails, and it has been steadily distributed since 2016. Recently, a variant that installs CobaltStrike as an additional payload has been observed, so users must take caution.

The malware is distributed via attachment files or download links in spam e-mails, and it usually uses Microsoft Office document files. The recently discovered type is a Word document containing a malicious VBA macro. When the document is opened, the image shown below is displayed. Using a social engineering technique, the document prompts the user to enable macros by clicking the ‘Enable Content’ button.

Prompting a user to enable macro

When macros are enabled, the malicious DLL file stored in the ‘Ole10Native’ object inside the document is created in the %temp%furmt.f directory. Looking at the ‘Ole10Native’ object shown below, one can see the directory where the malicious DLL file will be dropped, as well as the DLL’s MZ signature.

Directory and the Hancitor DLL binary existing in the OLE object
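The drop path and the embedded MZ file the post points out in the ‘Ole10Native’ object can be pulled out with a small parser. The example below is added here and is not code from the original post; it follows the Packager (Ole10Native) stream layout as read by oletools’ oleobj, and the stream it parses is constructed in the script (the paths and the fake DLL stub are assumptions, only the file name furmt.f comes from the post).

```python
import struct

def _cstr(buf: bytes, pos: int):
    """Read a NUL-terminated string starting at pos; return (bytes, next_pos)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1

def parse_ole10native(stream: bytes) -> dict:
    """Parse a Packager ('\\x01Ole10Native') stream body (layout as read by
    oletools' oleobj): total size, flags, label, source path, 8 unknown bytes,
    length-prefixed temp path, then length-prefixed embedded file data."""
    total_size, = struct.unpack_from("<I", stream, 0)
    pos = 6                                       # skip size DWORD + flags WORD
    label, pos = _cstr(stream, pos)
    src_path, pos = _cstr(stream, pos)
    pos += 8                                      # two unknown DWORDs
    temp_len, = struct.unpack_from("<I", stream, pos); pos += 4
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00"); pos += temp_len
    data_len, = struct.unpack_from("<I", stream, pos); pos += 4
    data = stream[pos:pos + data_len]
    if len(data) != data_len:
        raise ValueError("truncated Ole10Native stream")
    return {"label": label.decode("latin-1"), "src_path": src_path.decode("latin-1"),
            "temp_path": temp_path.decode("latin-1"), "data": data,
            "is_pe": data[:2] == b"MZ", "declared_size": total_size}

def build_ole10native(label: bytes, src_path: bytes, temp_path: bytes, payload: bytes) -> bytes:
    """Build a stream with the same layout; used here only to construct the sample."""
    body = struct.pack("<H", 2) + label + b"\x00" + src_path + b"\x00" + b"\x00" * 8
    body += struct.pack("<I", len(temp_path) + 1) + temp_path + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body

# Constructed sample (assumption): a fake DLL stub with an MZ header, dropped under
# the user's temp directory with the file name the post reports (furmt.f).
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 28   # not a real DLL
SAMPLE_STREAM = build_ole10native(
    b"furmt.f",
    b"C:\\Users\\user\\furmt.f",
    b"C:\\Users\\user\\AppData\\Local\\Temp\\furmt.f",
    SAMPLE_PAYLOAD,
)

def triage(stream: bytes) -> list:
    """Return the findings a defender wants from one Ole10Native object."""
    info = parse_ole10native(stream)
    findings = [f"drop path: {info['temp_path']}", f"embedded size: {len(info['data'])} bytes"]
    if info["is_pe"]:
        findings.append("embedded object is a PE (MZ signature): treat as executable, not a document")
    if "\\appdata\\" in info["temp_path"].lower() or "\\temp\\" in info["temp_path"].lower():
        findings.append("drop location is under the user profile/temp directory")
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE_STREAM):
        print(line)
```

On a real document, the stream body is the ‘\x01Ole10Native’ stream read from the OLE container (for example with olefile) and handed to parse_ole10native as-is.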

The VBA macro then moves the malicious DLL file from the ‘%temp%furmt.f’ directory to ‘\AppData\Roaming\Microsoft\Word\jers.dll’ and runs it using rundll32.exe.

VBA macro routine for running Hancitor DLL

The executed DLL file is packed; it decodes the actual Hancitor DLL and runs it in memory. Hancitor is a small downloader malware of about 25KB. After collecting basic information about the infected PC such as the user and computer names, IP address, and OS version, it sends this information to the C&C server. There are currently three C&C servers for this malware, and it attempts to connect to each in order: when a connection fails, it tries the next C&C server.

Hancitor C&C URL
– hxxp://sumbahas[.]com/8/forum.php
– hxxp://staciterst[.]ru/8/forum.php
– hxxp://semareake[.]ru/8/forum.php

C&C Server List

When the following information about the infected PC is sent to the C&C server, a response is received that is Base64-encoded and additionally encrypted.

Sending the infected PC information to C&C server

When the received strings are decoded, they have the {‘Command Type’: ‘URL’} format shown below.

Decoded C&C command

Hancitor handles each command type through the conditional statements shown below. Since the current command is ‘b’, it downloads a PE file from the received URL and injects it into a newly created svchost.exe process.

Hancitor’s command perform routine
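The two host-side behaviours described above, the macro launching the DLL through rundll32.exe from the Word profile directory and the ‘b’ command spawning a fresh svchost.exe to inject into, give a defender three process-lineage checks. The example below is added here and is not code from the original post; the process-creation events are constructed in a Sysmon-like shape (user names, Office path and the rundll32 export name are assumptions, only the DLL path from the post is reused).

```python
import re

# Constructed events (assumption): image, parent image and command line as a
# Sysmon process-creation event would record them. Not real telemetry.
EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"WINWORD.EXE /n C:\Users\user\Downloads\invoice.doc"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"rundll32.exe C:\Users\user\AppData\Roaming\Microsoft\Word\jers.dll,ExportPlaceholder"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "svchost.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# A DLL argument living under the user's Word profile directory, as in the post.
WORD_PROFILE_DLL = re.compile(r"\\appdata\\roaming\\microsoft\\word\\[^\\\s]+\.dll", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> list:
    """Return the names of the checks this one event trips."""
    hits = []
    image, parent = basename(event["image"]), basename(event["parent"])
    if image == "rundll32.exe" and parent in OFFICE_APPS:
        hits.append("office_spawned_rundll32")
    if image == "rundll32.exe" and WORD_PROFILE_DLL.search(event["cmdline"]):
        hits.append("rundll32_dll_in_word_profile_dir")
    # Service hosts are normally children of services.exe; a fresh svchost.exe
    # under anything else is the injection target pattern the post describes.
    if image == "svchost.exe" and parent != "services.exe":
        hits.append("svchost_unexpected_parent")
    return hits

def scan(events: list) -> list:
    """Return (event index, check name) pairs for every tripped check."""
    return [(i, hit) for i, ev in enumerate(events) for hit in evaluate(ev)]

if __name__ == "__main__":
    for index, hit in scan(EVENTS):
        print(f"event {index}: {hit}")
```

The svchost parent check needs tuning per environment, since a few legitimate svchost.exe instances are started by other processes; the first two checks are tight enough to alert on directly.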

Normally, the C&C servers send the payload of an info-stealer malware named FickerStealer, so the newly created svchost.exe ends up running a FickerStealer payload that attempts to steal information.

Downloading and running FickerStealer

In corporate (Active Directory) environments, Hancitor is known to install CobaltStrike instead of FickerStealer. Indeed, when Hancitor is run in an AD environment, it receives different commands, as shown below.

C&C commands received in the AD environment

The first is the FickerStealer shown above, and the other two commands are Stager shellcodes that download the actual backdoor, Beacon. FickerStealer is downloaded and run with the same ‘b’ command as before. Since the Stager is shellcode, it uses the ‘I’ command. Each Stager downloads Beacon and injects it into svchost.exe, meaning two CobaltStrike Beacons will operate on the infected PC.

Hancitor Download URL
– First Cobalt Strike Stager Download URL: hxxp://kuragnda2[.]ru/2804.bin
– Second Cobalt Strike Stager Download URL: hxxp://kuragnda2[.]ru/2804s.bin
– FickerStealer Download URL: hxxp://kuragnda2[.]ru/6fsjd89gdsug.exe

Cobalt Strike Stager Download URL
– First Cobalt Strike Beacon Download URL: hxxp://45.170.245[.]190/qbU4
– Second Cobalt Strike Beacon Download URL: hxxp://45.170.245[.]190/dO1x

Cobalt Strike Beacon C&C URL
– First Cobalt Strike Beacon C&C: hxxp://45.170.245[.]190/visit.js
– Second Cobalt Strike Beacon C&C: hxxp://45.170.245[.]190/activity

FickerStealer C&C URL
– hxxp://sweyblidian[.]com

Downloading and running CobaltStrike

The Hancitor malware is distributed via spam e-mail. Therefore, when a suspicious-looking e-mail arrives in the inbox, users must refrain from opening its attachments. Also, V3 should be updated to the latest version so that malware infections can be prevented.

AhnLab products provide process-memory-based detection and behavior-based detection against the Beacon backdoor, which Cobalt Strike uses from the initial intrusion stage through to internal spreading.

[File Detection]
– Downloader/Win.Hancitor.R418362 (2021.04.30.01) – Word Document File and Hancitor DLL.
– Dropper/MSOffice.Generic (2021.05.01.01) – Word Document File.
– Infostealer/Win.FickerStealer.R352614 (2020.10.05.04) – FickerStealer existing in memory
– Trojan/Win.CobaltStrike.R417512 (2021.04.24.03) – CobaltStrike Beacon existing in memory

[Behavior Detection]
– Malware/MDP.Execute.M363

[IOC]
File

– Word Document File: 693df6e9f5dc0cd3ed4c6ede503ce8bc
– Hancitor DLL: 5122d19bed77851f85775793e34bff09
– FickerStealer: 77be0dd6570301acac3634801676b5d7

Hancitor C&C
– hxxp://sumbahas[.]com/8/forum.php
– hxxp://staciterst[.]ru/8/forum.php
– hxxp://semareake[.]ru/8/forum.php

FickerStealer C&C
– hxxp://sweyblidian[.]com

Cobalt Strike
– hxxp://kuragnda2[.]ru/2804.bin
– hxxp://kuragnda2[.]ru/2804s.bin
– hxxp://45.170.245[.]190/qbU4
– hxxp://45.170.245[.]190/dO1x
– hxxp://45.170.245[.]190/visit.js
– hxxp://45.170.245[.]190/activity
