Hancitor (AKA Chanitor and TorDal) is a downloader-type malware – out there for almost two years now. Downloaders contact the C2 servers after establishing an initial foothold on the victim's machine – downloading and installing Trojans, bots and other kinds of malware.
Last May malware researchers at Proofpoint revealed that they observed the re-emergence of Hancitor.
This specific downloader has three core capabilities:
- Downloading and executing an exe file from a URL
- Downloading a DLL from a URL and executing it without writing it to the disk, but by writing it directly to the memory space of the downloader
- Deleting itself
Any of those commands may be received by the downloader after transmitting a "beacon" HTTP post request to the C2 server. This request includes basic fingerprinting info unique to each endpoint and enables the attacker to easily manage the machines of many victims concurrently while possibly infecting different endpoints with different types of malware in later infection stages.
The Augmented Hancitor
Last week we were contacted by one of our clients after he received a notification from one of Minerva's agents.
A short forensic analysis enabled us to trace a phishing email containing a malicious attachment titledCompanyPublicMailServer.com_contract. We assumed that this is a wide Dridex-style spam based infection campaign and indeed a simple search in a publicly available sandbox proved that this was a pattern as we were able to find over 20 different malicious documents similar to the one sent to our clients:
The malicious Microsoft Word .doc attachment had an embedded VBA macro script with a short message aimed at luring the victim to enable the execution of the script.
Unlike the document used to drop Hancitor in Proofpoint's investigations our sample had some extra features:
- Handling x86/x64 architectures seamlessly – including adaptation of pointers and imported functions:
These characteristics greatly increase the chances of successfully infecting the victim's machine, saving noisy crashes of the macro as a bonus.
- Using CallWindowProcA Windows API to execute a code written to the heap – As explained in Waleed Assar's blog – it allows the malware to avoid suspicious API calls as ShellExecute and CreateProcess and the need to write this intermediate shellcode-like dropper stage to the disk. It is uncommon to see this technique implemented in VBA script, however – it is used by .exe files in the wild at least since Citadel.
Now, Hancitor is finally running. On its initial execution it is running under a random looking hard coded name (we observed bg618.exe and lj016.exe) from the %TEMP% folder. It then creates another instance of itself and uses process hollowing to unpack itself to its new instance. The unpacked executable copies Hancitor to either the system or temporary folder under the name WinHost32.exeHancitor then executes the binary under its new name and deletes the old one. It is also taking care of achieving persistency by creating a registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. From now on, each time it will be executed under the new name the following mechanism will kick in:
This is a simple test that determines if the file is executed for the first time and will gain persistency, or if it is already installed and should initiate its core functionality as a downloader - Hancitor now connects back to its C2 servers in order to download and execute malware. The communication with the C2 server was similar to the pattern described in Proofpoint's report. A "beacon" signal was sent with unique identifiers of the victim:
Just as we saw in the "old" Hancitor, our new version is able to receive commands to download and execute malware. We compared the binaries, trying to figure out if there are any changes between Proofpoint's Hancitor and ours and we found one key difference: Support for a new command-type was added – "b".
Reverse engineering the function that handles it led us to the conclusion that it is used to execute code downloaded from a URL. However, instead of simply executing it or writing it to Hancitor's memory space it injects it to a svchost.exe process
Proofpoint's researchers predicted that downloaders will get more complex, absorbing functionality of later stages in the infection process – our findings certainly support their assertions.
Payloads – More of the Same
After allowing the Hancitor sample to run in a controlled environment we were able to intercept it and downloaded a couple of modules. Both modules were downloaded from WordPress and Joomla! sites, possibly exploited to store the malicious content.
The first payload we observed was a Pony info-stealer Trojan (VT):
After downloading it directly to Hancitor's memory it was executed in a new thread and started to monitor a vast range of collectible data:
- Email passwords (SMTP, POP3, IMAP)
- Other web protocols passwords (HTTP, FTP, NNTP)
- Enumerating keys in HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Outlook\Profiles leading to the users PST files
- More registry keys related to outlook accounts.
Comparing this sample to older Pony from April to early July resulted in little to no difference. Even though some of the C2 URLs were changed, we discovered that they resolve to the same IP addresses used in previous campaign. This is our sample, resolving bettitotuld[.]com:
Going through Passive Total's data showed that at least four extra URLs linking this IP to previous Pony campaigns:
In both the old and the new Pony samples the path to the gate was always the same, accessing it in the /zapoy/gate.php path. Curious what Zapoy means we opened our Russian dictionary and found two possible explanations: The first one translates zapoy as the Russian term for a state of continuous drunkenness. The other meaning is slang for "start to sing".
After this short lesson in Russian slang we went back to check how Hancitor is doing and found that our sample downloaded and executed another component:
This file, 45.exe, is a spam bot which was executed after being written to the disk (unlike Pony's DLL).
After a short "chat" over UDP with its C2 server the bot started to resolve the addresses of SMTP servers and connect to them over port 25:
It is also worth mentioning that this bot has a separate persistency mechanism than Hancitor's, installing itself as a service under the name "s3svc".
A Short Summary and Conclusions
The new version of Hancitor is just another phase on the evolution of downloaders from a simple “check-updates-download-execute” loop to a complex and more advanced malware. In this example we had the chance to observe the full chain from a phishing email to a Trojan:
This complex mechanism is a result of the current security products landscape – each evasive maneuver is tweaked to avoid a specific class of products. Minerva Anti-Evasion Platform, preventing any damage by this and other malware attack by exploiting malware evasive nature against it self.
Infected Word Documents