By Sriram P & Lakshya Mathur
Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and many more. Recently at McAfee Labs, we observed Hancitor Doc VBA (Visual Basic for Applications) samples dropping the payload using the Windows clipboard via the Selection.Copy method.
This blog focuses on the effectiveness of this newly observed technique and how it adds an extra layer of obfuscation to evade detection.
Below (Figure 1) are the geolocation-based statistics of Hancitor malicious documents observed by McAfee since September 2021.

INFECTION CHAIN
- The victim receives a DocuSign-themed phishing email.
- On clicking the link (hxxp://mettlybothe.com/8/forum[.]php), a Word document file is downloaded.
- On enabling the macro content in Microsoft Word, the macro drops an embedded OLE object, a password-protected macro-infected document file, and launches it.
- This second document file drops the main Hancitor DLL (Dynamic Link Library) payload.
- The DLL payload is then executed via rundll32.exe.

TECHNICAL ANALYSIS
Malware authors send the victims a phishing email containing a link, as shown in the screenshot below (Figure 3). The usual DocuSign theme is used in this recent Hancitor wave. This phishing email contains a link to the original malicious Word document. On clicking the link, the malicious document file is downloaded.

Since macros are disabled in the default configuration, malware authors try to lure victims into believing that the file comes from a legitimate organization or individual, and ask the victim to enable editing and content to start the execution of the macros. The screenshot below (Figure 4) shows the lure used in this current wave.

As soon as the victim enables editing, the malicious macros are executed via the Document_Open function.
There is an OLE object embedded in the document file. The screenshot below (Figure 5) highlights the object, which is displayed as an icon.

The loader VBA function, invoked by Document_Open, calls a randomly named function (Figure 6) which moves the selection cursor to the exact location of the OLE object using Selection methods (.MoveDown, .MoveRight, .TypeBackspace). It then calls the Selection.Copy method, which copies the selected OLE object to the clipboard. Once it has been copied to the clipboard, the object is dropped as a file under the %temp% folder.

When an embedded object is copied to the clipboard, Word writes it to the temp directory as a file. The malware author uses this side effect to drop a malicious Word document instead of explicitly writing the file to disk with macro functions such as the classic FileSystemObject, so the macro contains no obvious file-write API call.
In this case, the file was saved to the %temp% location with the filename "zoro.kl", as shown in the screenshot below (Fig 8). Fig 7 shows the corresponding Procmon log of the file write event.


Using CreateObject("Scripting.FileSystemObject"), the malware moves the file to a new location, AppData\Roaming\Microsoft\Templates, and renames it to "zoro.doc".

This file is then opened with the built-in document method Documents.Open. The moved file, zoro.doc, is password-protected. In this case, the password used was "doyouknowthatthegodsofdeathonlyeatapples?". We have also seen the use of passwords such as "donttouchme".

Figure 11 shows the Documents.Open call that executes this newly dropped document.

Zoro.doc uses the same technique to copy and drop the next payload as seen earlier. The only difference is that its embedded OLE object is a DLL.
It drops the file in the %temp% folder via the clipboard with the name "gelforr.dap". Again, it moves the gelforr.dap DLL file to AppData\Roaming\Microsoft\Templates (Figure 12).

Finally, after moving the DLL to the Templates folder, the macro executes it with Rundll32.exe through another VBA call.
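The chain above leaves a recognisable pattern in the VBA source even though no file-write API is called. The following Python triage script is an added example, not McAfee's tooling: it runs a set of stage regexes over an extracted VBA module (for instance, the output of olevba) and reports whether the clipboard-drop chain is present. The three VBA samples inside it are constructed stand-ins for the stage-one document, the stage-two document and a benign macro; procedure names, paths and the rundll32 export ordinal are invented, while the file names and password are the ones reported on this page.

```python
"""
Static triage of an extracted VBA module for the clipboard-drop loader chain:
Selection.Copy on an embedded OLE object, a FileSystemObject move into the
Templates folder, Documents.Open with a password, and a rundll32 launch.
Added example, not McAfee's tooling.  The VBA samples below are constructed:
procedure names, paths and the rundll32 export ordinal are invented.
"""
import re

# One regex per stage, matched case-insensitively against the whole module.
CHAIN = {
    "selection_navigation": r"\bSelection\.(MoveDown|MoveUp|MoveLeft|MoveRight|TypeBackspace)\b",
    "clipboard_copy":       r"\bSelection\.Copy\b",
    "filesystemobject":     r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)',
    "move_to_templates":    r"\.MoveFile\b[^\r\n]*\\Microsoft\\Templates",
    "password_open":        r"\bDocuments\.Open\b[^\r\n]*\bPasswordDocument\s*:=",
    "rundll32":             r"\brundll32(\.exe)?\b",
}

# Conventional write-to-disk APIs.  The clipboard trick is notable precisely
# because the macro needs none of these to land a file in %TEMP%.
EXPLICIT_WRITE = (r"\bOpen\b[^\r\n]*\bFor\s+(Binary|Output|Append)\b"
                  r"|\.SaveAs2?\b|\bADODB\.Stream\b|\.CreateTextFile\b|\.WriteText\b")


def normalize(src: str) -> str:
    """Join VBA line continuations (' _' at end of line) so that a MoveFile or
    Documents.Open call split across lines is matched as one statement."""
    return re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src)


def find_stages(src: str) -> dict:
    """Return {stage_name: bool} for every stage plus 'explicit_file_write'."""
    text = normalize(src)
    hits = {name: bool(re.search(pat, text, re.I)) for name, pat in CHAIN.items()}
    hits["explicit_file_write"] = bool(re.search(EXPLICIT_WRITE, text, re.I))
    return hits


def classify(src: str) -> str:
    """'clipboard_ole_dropper_chain' needs copy + move-to-Templates + a
    follow-on (password open or rundll32) and no conventional write API;
    three or more stages without that combination is merely 'suspicious'."""
    hits = find_stages(src)
    core = hits["clipboard_copy"] and hits["move_to_templates"]
    follow_on = hits["password_open"] or hits["rundll32"]
    if core and follow_on and not hits["explicit_file_write"]:
        return "clipboard_ole_dropper_chain"
    if sum(hits[name] for name in CHAIN) >= 3:
        return "suspicious"
    return "no_chain"


# Constructed stand-in for the first-stage document macro (not the real one).
SAMPLE_STAGE1 = r'''
Private Sub Document_Open()
    Call x7pq
End Sub

Private Sub x7pq()
    Selection.MoveDown Unit:=wdLine, Count:=4
    Selection.MoveRight Unit:=wdCharacter, Count:=1, Extend:=wdExtend
    Selection.TypeBackspace
    Selection.Copy
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.MoveFile Environ("TEMP") & "\zoro.kl", _
        Environ("APPDATA") & "\Microsoft\Templates\zoro.doc"
    Documents.Open FileName:=Environ("APPDATA") & "\Microsoft\Templates\zoro.doc", _
        PasswordDocument:="doyouknowthatthegodsofdeathonlyeatapples?"
End Sub
'''

# Constructed stand-in for the second-stage macro; the ",#1" export ordinal is
# a placeholder because the page does not name the DLL entry point.
SAMPLE_STAGE2 = r'''
Private Sub Document_Open()
    Selection.MoveDown Unit:=wdLine, Count:=2
    Selection.Copy
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.MoveFile Environ("TEMP") & "\gelforr.dap", Environ("APPDATA") & "\Microsoft\Templates\gelforr.dap"
    Shell "rundll32.exe " & Environ("APPDATA") & "\Microsoft\Templates\gelforr.dap,#1", vbHide
End Sub
'''

# Ordinary copy/paste macro: Selection.Copy alone must not raise an alert.
SAMPLE_BENIGN = r'''
Sub Document_Open()
    Selection.MoveDown Unit:=wdLine, Count:=1
    Selection.Copy
    Selection.Paste
End Sub
'''

if __name__ == "__main__":
    for label, src in (("stage1", SAMPLE_STAGE1), ("stage2", SAMPLE_STAGE2),
                       ("benign", SAMPLE_BENIGN)):
        print(label, classify(src), find_stages(src))
```

Selection.Copy on its own is common in legitimate macros, which is why the verdict requires the move into the Templates folder and a follow-on open or rundll32 call. Regexes over source are defeated by string splitting and Chr() construction of the API names, so run this over deobfuscated output rather than the raw module, and treat "suspicious" as a prompt for manual review rather than a verdict.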
MITRE ATT&CK
| Technique ID | Tactic | Technique details |
|---|---|---|
| T1566.002 | Initial Access | Spearphishing Link: spam mail with links |
| T1204.001 | Execution | User Execution: opening the malicious link |
| T1204.002 | Execution | User Execution: opening the downloaded document and enabling macros |
| T1218 | Defense Evasion | Signed Binary Proxy Execution: Rundll32 |
| T1071 | Command and Control | HTTP (Hypertext Transfer Protocol) used for communication |
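The table above maps the chain to tactics; on the endpoint the same chain shows up as WINWORD.EXE creating a file in %TEMP% (the clipboard write, as in the Procmon log in Fig 7), the same process creating a non-template file in the Templates folder, and rundll32.exe starting with WINWORD.EXE as its parent. The following Python script is an added example, not McAfee's detection content: it runs those three rules over constructed Sysmon-style events (Event ID 11 FileCreate, Event ID 1 ProcessCreate). The user name, PIDs, timestamps, Office install path and the rundll32 export ordinal are invented; the file names mirror the ones reported on this page.

```python
"""
Behavioural detection for the Hancitor clipboard-drop chain over constructed
Sysmon-style telemetry.  Added example, not McAfee's detection content: user
name, PIDs, timestamps and the export ordinal are invented.
"""
import ntpath
from datetime import datetime, timedelta

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"  # assumed path
TEMPLATES_DIR = "\\microsoft\\templates\\"   # compared against lower-cased paths
USER_TEMP = "\\appdata\\local\\temp\\"
TEMPLATE_EXTS = {".dot", ".dotx", ".dotm"}    # what Word itself legitimately writes there
RELAY_WINDOW = timedelta(seconds=30)          # %TEMP% write -> Templates write by same PID

# Constructed events; "id" is the Sysmon Event ID (11 = FileCreate, 1 = ProcessCreate).
EVENTS = [
    {"ts": "2021-09-30T10:15:01", "id": 11, "image": WINWORD, "pid": 4120,
     "target": r"C:\Users\alice\AppData\Local\Temp\zoro.kl"},
    {"ts": "2021-09-30T10:15:02", "id": 11, "image": WINWORD, "pid": 4120,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\zoro.doc"},
    # Word's own ~$ owner file for the opened document: expected noise.
    {"ts": "2021-09-30T10:15:03", "id": 11, "image": WINWORD, "pid": 4120,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\~$zoro.doc"},
    {"ts": "2021-09-30T10:15:05", "id": 11, "image": WINWORD, "pid": 4120,
     "target": r"C:\Users\alice\AppData\Local\Temp\gelforr.dap"},
    {"ts": "2021-09-30T10:15:06", "id": 11, "image": WINWORD, "pid": 4120,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\gelforr.dap"},
    {"ts": "2021-09-30T10:15:07", "id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "pid": 5530, "parent_image": WINWORD,
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Templates\gelforr.dap,#1"},
    # Benign: Word saving its global template on exit.
    {"ts": "2021-09-30T10:20:00", "id": 11, "image": WINWORD, "pid": 4120,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    # Benign: rundll32 launched by the shell, not by Word.
    {"ts": "2021-09-30T10:21:00", "id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "pid": 6001, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def is_winword(image: str) -> bool:
    return _base(image) == "winword.exe"


def is_word_housekeeping(target: str) -> bool:
    """Template files and ~$ owner files are Word's normal output in Templates."""
    name = _base(target)
    return ntpath.splitext(name)[1] in TEMPLATE_EXTS or name.startswith("~$")


def detect(events):
    """Return a list of (rule_name, detail) alerts, in time order."""
    alerts = []
    last_temp_write = {}   # pid -> (timestamp, path) of Word's latest %TEMP% write
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 11 and is_winword(e["image"]):
            target = e["target"].lower()
            if USER_TEMP in target:
                last_temp_write[e["pid"]] = (ts, e["target"])
            elif TEMPLATES_DIR in target and not is_word_housekeeping(target):
                alerts.append(("winword_nontemplate_in_templates", e["target"]))
                prev = last_temp_write.get(e["pid"])
                if prev and ts - prev[0] <= RELAY_WINDOW:
                    alerts.append(("temp_to_templates_relay", f"{prev[1]} -> {e['target']}"))
        elif (e["id"] == 1 and _base(e["image"]) == "rundll32.exe"
              and is_winword(e.get("parent_image", ""))
              and TEMPLATES_DIR in e.get("cmdline", "").lower()):
            alerts.append(("rundll32_from_word_templates", e["cmdline"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:36s} {detail}")
```

The relay rule is the strongest of the three: the clipboard write is still a file write performed by WINWORD.EXE, so Office-process file-creation telemetry catches it even though the macro never calls a file API, and a non-template file appearing in Templates seconds after an oddly named file in %TEMP% from the same process is rare in normal use. The housekeeping filter matters in practice, since Word writes Normal.dotm and ~$ owner files to that folder routinely.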
IOC (Indicators of Compromise)
| Type | SHA-256 | Scanner | Detection Name |
|---|---|---|---|
| Main Document | 915ea807cdf10ea4a4912377d7c688a527d0e91c7777d811b171d2960b75c65c | WSS | W97M/Dropper.im |
| Dropped Document | c1c89e5eef403532b5330710c9fe1348ebd055d0fe4e3ebbe9821555e36d408e | WSS | W97M/Dropper.im |
| Dropped DLL | d83fbc9534957dd464cbc7cd2797d3041bd0d1a72b213b1ab7bccaec34359dbb | WSS | RDN/Hancitor |
| URL | hxxp://mettlybothe.com/8/forum[.]php | WebAdvisor | Blocked |
