Hancitor Making Use of Cookies to Prevent URL Scraping

This blog was written by Vallabh Chole & Oliver Devane
Over the years, the cybersecurity industry has seen many threats get taken down, such as the Emotet takedown in January 2021. It does not usually take long for another threat to attempt to fill the gap left by a takedown. Hancitor is one such threat.
Like Emotet, Hancitor sends malspam to spread itself and infect as many users as possible. Hancitor's main purpose is to distribute other malware such as FickerStealer, Pony, Cobalt Strike, Cuba Ransomware and Zeppelin Ransomware. The dropped Cobalt Strike beacons can then be used to move laterally around the infected environment and to execute other malware such as ransomware.
This blog focuses on a new technique used by Hancitor to prevent crawlers from accessing the malicious documents that download and execute the Hancitor payload.
The infection flow of Hancitor is shown below:

A victim receives an email with a fake DocuSign template to entice them to click a link. The link leads to feedproxy.google.com, a Google service that works much like an RSS feed and lets site owners publish site updates to their users; here it serves as a trusted-looking redirector to the malicious site.

When the link is accessed, the victim is redirected to the malicious site. The site checks the browser's User-Agent; if it is not a Windows User-Agent, the visitor is redirected to google.com.
If the victim is on a Windows machine, the malicious site creates a cookie using JavaScript and then reloads the page.
The code to create the cookie is shown below:

The above code stores the browser's timezone name in the cookie value 'n' and its offset from UTC in the cookie value 'd'; both are then sent in the Cookie header of the reloaded HTTP GET request.
For example, if this code is executed on a machine whose timezone is set to BST, the values would be:
d = 60
n = "Europe/London"
These values may be used to prevent further malicious activity or to deploy a different payload depending on geolocation.
On the reload, the site checks whether the cookie is present and, if it is, serves the malicious document. A crawler or URL scanner that fetches the link without executing the page's JavaScript never sets the cookie and so never receives the document.
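The gate described above, modeled in Python as an added example. This is a reconstruction of the behaviour the analysis describes, not the landing page's own script (whose source is not reproduced here): the response strings, the loose "Windows" substring check and the client profiles are assumptions; the cookie names d and n and the BST values come from the text. One caveat on the offset: JavaScript's Date.prototype.getTimezoneOffset() returns -60 for a UTC+1 zone such as BST, and how the script arrives at the 60 reported above is not shown here, so the model treats d as an opaque string and does not depend on its sign.

```python
"""Model of the cookie gate in front of the Hancitor document.

Constructed for this example: the server-side logic and the client
profiles are a reconstruction of the behaviour described in the analysis,
not code recovered from the real landing page.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

# Assumed, simplified outcomes of one GET to the landing URL.
GOOGLE_REDIRECT = "302 Location: https://google.com/"
SET_COOKIE_AND_RELOAD = "200 HTML whose JavaScript stores d/n cookies and reloads"
SERVE_DOCUMENT = "200 malicious Word document"

WINDOWS_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SCRAPER_UA = "python-requests/2.25.1"


def is_windows_user_agent(user_agent: str) -> bool:
    """Assumed check: the analysis only says non-Windows agents are turned away."""
    return "windows" in user_agent.lower()


def parse_gate_cookie(cookie_header: str) -> dict:
    """Pull the gate's two values out of a Cookie header: d (UTC offset) and n (IANA zone)."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: jar[name].value for name in ("d", "n") if name in jar}


def landing_page(user_agent: str, cookie_header: str = "") -> str:
    """Server-side decision for one GET of the landing URL."""
    if not is_windows_user_agent(user_agent):
        return GOOGLE_REDIRECT
    if not parse_gate_cookie(cookie_header):
        return SET_COOKIE_AND_RELOAD
    return SERVE_DOCUMENT


@dataclass
class Client:
    """A fetcher hitting the URL; runs_javascript decides whether the reload step happens."""
    user_agent: str
    runs_javascript: bool
    tz_name: str = "Europe/London"   # BST example from the analysis
    utc_offset: str = "60"           # value reported for BST; sign convention not shown
    cookies: dict = field(default_factory=dict)

    def cookie_header(self) -> str:
        return "; ".join(f"{k}={v}" for k, v in self.cookies.items())

    def fetch(self, max_loads: int = 3) -> list:
        """Return every response this client sees while following the page."""
        seen = []
        for _ in range(max_loads):
            response = landing_page(self.user_agent, self.cookie_header())
            seen.append(response)
            if response != SET_COOKIE_AND_RELOAD or not self.runs_javascript:
                break
            # What the page's script does in a real browser: set the cookies, reload.
            self.cookies = {"d": self.utc_offset, "n": self.tz_name}
        return seen


def compare_clients() -> dict:
    """Three fetchers against the same URL: two kinds of scraper and a real victim browser."""
    return {
        "scraper_non_windows_ua": Client(SCRAPER_UA, runs_javascript=False).fetch(),
        "scraper_windows_ua_no_js": Client(WINDOWS_UA, runs_javascript=False).fetch(),
        "windows_browser_with_js": Client(WINDOWS_UA, runs_javascript=True).fetch(),
    }


if __name__ == "__main__":
    for name, responses in compare_clients().items():
        print(f"{name}: {' -> '.join(responses)}")
    # A scanner can replay the cookie instead of executing the script:
    print(landing_page(WINDOWS_UA, "d=60; n=Europe/London"))
```

The practical takeaway for a sandbox or URL scanner is that nothing about the cookie is secret: a fetcher that presents a Windows User-Agent and sends Cookie: d=60; n=Europe/London on its first request gets the document straight away. The gate only defeats clients that never execute the page's JavaScript, which is exactly what most bulk URL scrapers are.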
A Wireshark capture of the request for the malicious document, including the cookie values, is shown below:

The document prompts the victim to enable macros; once they are enabled, it downloads the Hancitor DLL and loads it with rundll32.
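A detection-side example for the execution step, added here and not taken from the analysis: it scans process-creation records for rundll32.exe launched by an Office process, and separately for a rundll32 module path in a user-writable directory, the two conditions a macro-dropped DLL satisfies. The records are constructed in a Sysmon-like shape (image, parent image, command line) and the DLL file names are placeholders; none of it is telemetry from the case.

```python
"""Hunting for the execution step described above: an Office macro drops a
DLL and loads it with rundll32.exe.

The process-creation events below are constructed for this example in a
Sysmon-like shape; they are not telemetry from the analysis, and the DLL
file names are placeholders.
"""
import ntpath
import re

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Directories an unprivileged user can write to and where a macro would drop a payload.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|programdata|users\\[^\\]+\\downloads)\\", re.IGNORECASE)

# First argument to rundll32: the module path, quoted or not, up to the ',' before the export.
DLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*(?:,|$)', re.IGNORECASE)

SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\jane\Downloads\document.doc"'},
    {"pid": 5236, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'rundll32.exe C:\Users\jane\AppData\Local\Temp\payload.dll,#1'},
    {"pid": 6010, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"pid": 7001, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'rundll32.exe "C:\Users\jane\Downloads\setup.dll",Install'},
]


def dll_from_cmdline(cmdline: str) -> str:
    """Return the module path rundll32 was asked to load, or '' if none is found."""
    match = DLL_ARG.search(cmdline)
    return match.group(1) if match else ""


def triage_rundll32(events) -> list:
    """Flag rundll32 launches that look like a macro loading a dropped DLL."""
    findings = []
    for event in events:
        # ntpath handles the Windows paths correctly even when this runs on Linux.
        if ntpath.basename(event["image"]).lower() != "rundll32.exe":
            continue
        reasons = []
        if ntpath.basename(event["parent_image"]).lower() in OFFICE_PROCESSES:
            reasons.append("spawned by an Office process (macro execution)")
        dll = dll_from_cmdline(event["cmdline"])
        if dll and USER_WRITABLE.search(dll):
            reasons.append("module loaded from a user-writable directory")
        if reasons:
            findings.append({"pid": event["pid"], "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_rundll32(SAMPLE_EVENTS):
        print(finding["pid"], finding["dll"], "; ".join(finding["reasons"]))
```

The Office-parent condition is the strong signal and on its own is worth an alert; the user-writable path alone catches plenty of legitimate installers and is better used as a scoring factor. Since the MITRE table below notes that the downloaded binaries are injected into svchost, the later C&C traffic will not appear under rundll32.exe, so this rule should be paired with the network indicators rather than relied on alone.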

Hancitor then communicates with its C&C server and deploys further payloads. If it is running on a Windows domain, it downloads and deploys a Cobalt Strike beacon.
Hancitor can also deploy SendSafe, a spam module used to send out malicious spam emails to infect more victims.
Conclusion
With its ability to send malicious spam emails and deploy Cobalt Strike beacons, we believe that Hancitor will be a threat closely linked to future ransomware attacks, much as Emotet was. This threat also highlights the importance of continually monitoring the threat landscape so that we can react quickly to evolving threats and protect our customers from them.
IOCs, Coverage, and MITRE
IOCs

Description                       | Type   | IOC                                                                    | Coverage          | Content Version
Malicious Document                | SHA256 | e389a71dc450ab4077f5a23a8f798b89e4be65373d2958b0b0b517de43d06e3b       | W97M/Dropper.hx   | 4641
Hancitor DLL                      | SHA256 | c703924acdb199914cb585f5ecc6b18426b1a730f67d0f2606afbd38f8132ad6       | Trojan-Hancitor.a | 4644
Domain hosting Malicious Document | URL    | http[:]//onyx-food[.]com/coccus.php                                    | RED               | N/A
Domain hosting Malicious Document | URL    | http[:]//feedproxy[.]google[.]com/~r/ugyxcjt/~3/4gu1Lcmj09U/coccus.php | RED               | N/A

MITRE

Technique ID | Tactic              | Technique details
T1566.002    | Initial Access      | Phishing: Spearphishing Link (spam mail with links)
T1204.001    | Execution           | User Execution: Malicious Link (user opens the link)
T1204.002    | Execution           | User Execution: Malicious File (user opens the downloaded document and enables macros)
T1218        | Defense Evasion     | Signed Binary Proxy Execution: Rundll32 loads the Hancitor DLL
T1055        | Defense Evasion     | Process Injection: downloaded binaries are injected into svchost for execution
T1482        | Discovery           | Domain Trust Discovery
T1071        | Command and Control | Application Layer Protocol: HTTP is used for C&C communication
T1132        | Command and Control | Data Encoding: C&C data is base64-encoded and XORed