2018-05-02 - HANCITOR FROM FAKE VERIZON NOTIFICATIONS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-05-02-Hancitor-infection-with-Zeus-Panda-Banker.pcap.zip   2.1 MB (2,148,820 bytes)

• 2018-05-02-Hancitor-infection-with-Zeus-Panda-Banker.pcap   (2,561,158 bytes)

• Zip archive of the emails:  2018-05-02-Hancitor-malspam-50-examples.txt.zip   25.8 kB (25,753 bytes)

• 2018-05-02-Hancitor-malspam-50-examples.txt   (925,184 bytes)

• Zip archive of the malware:  2018-05-02-malware-from-Hancitor-infection.zip   225 kB (225,273 bytes)

• 2018-05-02-Word-doc-with-macro-for-Hancitor.doc   (180,224 bytes)
• 2018-05-02-Zeus-Panda-Banker-from-Hancitor-infection.exe   (165,376 bytes)

NOTES:

• The block list contains additional info first reported in the VirusBay entry for the associated Word document.
• As always, my thanks to everyone who keeps an eye on this malspam and reports about it near-real-time on Twitter.

Shown above:  Flow chart for a typical Hancitor malspam infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• countywidememorials[.]com
• countywidemonuments[.]com
• kwrn1550am[.]com
• prescriptionerrorlawyer[.]com
• ryanandrie[.]me
• sawgrasspark[.]com
• sleeplavish[.]com
• solutionsforsanjose[.]info
• solutionsforsanjose[.]net
• youngsvillehousevalues[.]com
• youngsvilleproperties[.]com
• hemfeketro[.]com
• gejohntorsar[.]ru
• tonstinnotna[.]ru
• hxxp://fatcowcoupon[.]us/wp-content/plugins/nofollow-for-external-link/1
• hxxp://fatcowcoupon[.]us/wp-content/plugins/nofollow-for-external-link/2
• hxxp://fatcowcoupon[.]us/wp-content/plugins/nofollow-for-external-link/3
• hxxp://alphafinancialservices[.]net/wp-content/themes/twentyeleven/inc/1
• hxxp://alphafinancialservices[.]net/wp-content/themes/twentyeleven/inc/2
• hxxp://alphafinancialservices[.]net/wp-content/themes/twentyeleven/inc/3
• hxxp://buckscountybass[.]com/wp-content/themes/canvas-bcac/1
• hxxp://buckscountybass[.]com/wp-content/themes/canvas-bcac/2
• hxxp://buckscountybass[.]com/wp-content/themes/canvas-bcac/3
• hxxp://mattbennett[.]ca/wp-content/themes/spark/inc/1
• hxxp://mattbennett[.]ca/wp-content/themes/spark/inc/2
• hxxp://mattbennett[.]ca/wp-content/themes/spark/inc/3
• hxxp://hugefrigginarms[.]com/wp-content/themes/twentyfifteen/1
• hxxp://hugefrigginarms[.]com/wp-content/themes/twentyfifteen/2
• hxxp://hugefrigginarms[.]com/wp-content/themes/twentyfifteen/3
• robwassotdint[.]ru

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Wednesday 2018-05-02 as early as 16:28 UTC through at least 19:10 UTC

• Received: from etiroltec[.]com ([12.196.128[.]171])
• Received: from etiroltec[.]com ([12.226.231[.]250])
• Received: from etiroltec[.]com ([24.119.134[.]126])
• Received: from etiroltec[.]com ([24.129.150[.]98])
• Received: from etiroltec[.]com ([24.197.23[.]194])
• Received: from etiroltec[.]com ([50.204.10[.]90])
• Received: from etiroltec[.]com ([50.225.140[.]58])
• Received: from etiroltec[.]com ([50.241.155[.]162])
• Received: from etiroltec[.]com ([50.255.203[.]185])
• Received: from etiroltec[.]com ([50.78.213[.]181])
• Received: from etiroltec[.]com ([64.25.84[.]18])
• Received: from etiroltec[.]com ([67.137.237[.]74])
• Received: from etiroltec[.]com ([67.214.229[.]146])
• Received: from etiroltec[.]com ([67.214.241[.]162])
• Received: from etiroltec[.]com ([67.214.247[.]194])
• Received: from etiroltec[.]com ([68.48.199[.]46])
• Received: from etiroltec[.]com ([68.112.41[.]142])
• Received: from etiroltec[.]com ([69.54.28[.]220])
• Received: from etiroltec[.]com ([69.63.173[.]150])
• Received: from etiroltec[.]com ([70.62.179[.]154])
• Received: from etiroltec[.]com ([71.45.198[.]186])
• Received: from etiroltec[.]com ([71.75.116[.]158])
• Received: from etiroltec[.]com ([73.154.50[.]223])
• Received: from etiroltec[.]com ([74.121.33[.]54])
• Received: from etiroltec[.]com ([74.143.250[.]210])
• Received: from etiroltec[.]com ([76.124.248[.]251])
• Received: from etiroltec[.]com ([76.79.28[.]114])
• Received: from etiroltec[.]com ([96.82.248[.]185])
• Received: from etiroltec[.]com ([96.82.248[.]5])
• Received: from etiroltec[.]com ([96.95.159[.]33])
• Received: from etiroltec[.]com ([104.192.201[.]189])
• Received: from etiroltec[.]com ([155.99.70[.]195])
• Received: from etiroltec[.]com ([162.104.96[.]249])
• Received: from etiroltec[.]com ([162.246.139[.]3])
• Received: from etiroltec[.]com ([172.89.91[.]39])
• Received: from etiroltec[.]com ([173.12.134[.]65])
• Received: from etiroltec[.]com ([173.165.126[.]46])
• Received: from etiroltec[.]com ([173.210.47[.]2])
• Received: from etiroltec[.]com ([173.219.81[.]251])
• Received: from etiroltec[.]com ([203.130.24[.]211])
• Received: from etiroltec[.]com ([205.169.166[.]22])
• Received: from etiroltec[.]com ([207.119.95[.]83])
• Received: from etiroltec[.]com ([207.173.159[.]68])
• Received: from etiroltec[.]com ([209.23.243[.]106])
• Received: from etiroltec[.]com ([213.120.121[.]78])

• From: "Verizon  Services " <verizonwireless@etiroltec[.]com>
• From: "Verizon  Services All rights reserved. " <verizonwireless@etiroltec[.]com>
• From: "Verizon Inc. " <verizonwireless@etiroltec[.]com>
• From: "Verizon Inc. All rights reserved. " <verizonwireless@etiroltec[.]com>
• From: "Verizon Wireless  Services " <verizonwireless@etiroltec[.]com>
• From: "Verizon Wireless  Services All rights reserved. " <verizonwireless@etiroltec[.]com>
• From: "Verizon Wireless Inc. " <verizonwireless@etiroltec[.]com>
• From: "Verizon Wireless Inc. All rights reserved. " <verizonwireless@etiroltec[.]com>

• Subject: Here is your mobile bill
• Subject: Here is your mobile invoice
• Subject: Here is your Verizon cellular bill
• Subject: Here is your Verizon cellular invoice
• Subject: Here is your Verizon Wireless bill
• Subject: Here is your Verizon Wireless invoice
• Subject: Your mobile bill
• Subject: Your mobile invoice
• Subject: Your Verizon cellular bill
• Subject: Your Verizon cellular invoice
• Subject: Your Verizon Wireless bill
• Subject: Your Verizon Wireless invoice

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS IN THE EMAILS TO DOWNLOAD THE WORD DOCUMENT:

• hxxp://countywidememorials[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://countywidemonuments[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://kwrn1550am[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://prescriptionerrorlawyer[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://ryanandrie[.]me?[string of characters]=[encoded string representing recipient's email address]
• hxxp://sawgrasspark[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://sleeplavish[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://solutionsforsanjose[.]info?[string of characters]=[encoded string representing recipient's email address]
• hxxp://solutionsforsanjose[.]net?[string of characters]=[encoded string representing recipient's email address]
• hxxp://youngsvillehousevalues[.]com?[string of characters]=[encoded string representing recipient's email address]
• hxxp://youngsvilleproperties[.]com?[string of characters]=[encoded string representing recipient's email address]

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 35.187.117[.]14 port 80 - sleeplavish[.]com - GET /?[string of characters]=[encoded string representing recipient's email address]
• port 80 - api.ipify[.]org - GET /
• 195.123.213[.]133 port 80 - hemfeketro[.]com - POST /4/forum.php
• 195.123.213[.]133 port 80 - hemfeketro[.]com - POST /mlu/about.php
• 195.123.213[.]133 port 80 - hemfeketro[.]com - POST /d2/about.php
• 69.89.30[.]142 port 80 - fatcowcoupon[.]us - GET /wp-content/plugins/nofollow-for-external-link/1
• 69.89.30[.]142 port 80 - fatcowcoupon[.]us - GET /wp-content/plugins/nofollow-for-external-link/2
• 69.89.30[.]142 port 80 - fatcowcoupon[.]us - GET /wp-content/plugins/nofollow-for-external-link/3
• 185.174.175[.]14 port 443 - robwassotdint[.]ru - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
• port 80 - www.google[.]com - HTTPS/SSL/TLS traffic - probable connectivity check caused by Zeus Panda Banker

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• SHA256 hash:  c2097360c006fc3325914406e1b1f0d4857e9a550618ffedc1d0eb0fe8e64777
  File size:  180,224 bytes
  File name:  invoice_484067.doc [any six random digits for the numbers]
  File description:  Word document with macro for Hancitor

• SHA256 hash:  b16c6a67e3629c27092661cec1d7643afc8d83f7902a8fcfb6691f310b95fbcb
  File size:  165,376 bytes
  File location:  C:\Users\[username]\AppData\Roaming\[existing directory path]\[random name].exe
  File description:  Zeus Panda Banker

Shown above:  Zeus Panda Banker persistent on the infected Windows host.

 

Click here to return to the main page.