
Minerva Labs Blog


Updated Hancitor Malware Slings Cobalt Strike

A report by Unit 42 uncovered recent malicious activity by TA511. The threat actor has added Cobalt Strike to its repertoire, a tool it uses in Active Directory environments. TA511 achieves its initial foothold through a malicious Word document that drops a Hancitor sample in the form of a DLL file and executes it using rundll32, a common Living Off the Land technique used in malicious Office files.

The first-stage DLL communicates relevant information about the infected device to the C&C, which triggers the download of the next payload. The payloads observed by Palo Alto’s researchers are:

  • Ficker Stealer – MaaS Stealer previously covered in our blog
  • Cobalt Strike – the notorious adversary simulation software commonly abused by threat actors. 

The packer employed by the Hancitor sample we analyzed is quite similar to the one used by an Emotet sample described in this blog. Both pieces of malware query the registry key HKEY_CLASSES_ROOT\interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9} and enter an infinite loop if the 4th character of its default value is not the letter ‘t’. This effectively verifies that the value is the Windows default, “IActiveScriptParseProcedure32”.

Figure: The registry interface name check
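For analysts detonating the sample, the practical consequence of this gate is that a VM or emulator which lacks the key (or presents an unexpected value) never shows any behaviour. The following is an added example, not code from the post or from the malware, that models the described check and reads the live key on Windows so a sandbox image can be verified before detonation; the function names are my own.

```python
"""Sandbox readiness check for the packer's registry gate.

Added example, not code from the Minerva post. It models the check the
post describes: the packer reads the default value of
HKEY_CLASSES_ROOT\\Interface\\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}
and loops forever unless the 4th character is 't' (as in the Windows
default "IActiveScriptParseProcedure32"). A VM or emulator that lacks
the key never gets past this point, so no behaviour is observed.
Function names are my own.
"""
import sys

INTERFACE_KEY = r"Interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}"
EXPECTED_DEFAULT = "IActiveScriptParseProcedure32"


def hancitor_gate_passes(default_value):
    """True if the packer would proceed. Only index 3 is compared, so any
    string with 't' there passes, not just the exact Windows default."""
    if not isinstance(default_value, str) or len(default_value) < 4:
        return False
    return default_value[3] == "t"


def read_interface_default():
    """Read the key's default value from the live registry (Windows only).
    None means the key is missing or we are not on Windows: the stall case."""
    if sys.platform != "win32":
        return None
    import winreg  # stdlib, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, INTERFACE_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, "")  # "" = default value
            return value
    except OSError:
        return None


def sandbox_ready():
    """Report whether this host would let the sample run past the gate."""
    value = read_interface_default()
    ok = hancitor_gate_passes(value)
    if ok and value != EXPECTED_DEFAULT:
        print(f"warning: gate passes but value is {value!r}, not the Windows default")
    return ok


if __name__ == "__main__":
    print("gate passes" if sandbox_ready() else "gate fails: sample would loop forever")
```

Run it inside the analysis VM; a "gate fails" result means the image needs the key restored before this sample will do anything observable.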

Another evasion technique employed by the packer is the use of uncommon Windows APIs with invalid parameters. The malware calls LoadIconA, LoadCursorW and GetEnhMetaFileBits in an inappropriate manner and self-terminates if the function does not fail in a specific way. Our guess is that this is an anti-emulation technique which relies on a difference of implementation between the actual OS and the emulator.

Figure: Anti-emulation in Hancitor

Hancitor has evolved and become more evasive since our 2016 blog post, and considering the vacuum left by Emotet’s demise it is now a prime candidate to fill the gap in the malicious downloader market. Minerva prevents both the malicious document and Hancitor’s subsequent payloads.


IOCs:

e020851d5c3b66662ef70b47f23365a9d922d1b289634c4dddea047a6fd770e9


To learn more about how Minerva Labs helps block malicious payloads from Hancitor and other malware, contact us for a full demo.
