This week RSA FirstWatch observed a new malspam campaign delivering Hancitor malware. Hancitor is a downloader that was used by adversaries to deliver various malware families such as Pony and Zeus Panda Banker. Contrary to previous malspam campaigns that used VBA macros to deliver Hancitor, this one is exploiting CVE-2017-11882 in malicious RTF documents.
Invoice_304550.doc and fax_645751.doc are two examples of the RTF documents used in this campaign. Opening them with an un-patched instance of Microsoft Word leaves a user with a blank page. However, a lot of activity is happening in the background.
First, a suspicious retrieves "1", a script containing our Hancitor payload as a Base64 encoded blob along with the necessary commands to decode and start it as a new process.
Looking at the HTTP GET, many of headers in the request are curiously absent.
NetWitness Packets flags suspicious meta data (e.g., the file.analysis and service.analysis tags shown below).
Next, there is a request to a service to idenitfy the IP address of the victim machine:
Then, it checks-in with a C2 domain (undronride[.]ru) sending the host information via an HTTP POST request. The directory and filename used in the request reflect the telltale 'ls5/forum.php' characteristics of Hancitor.
It is worth noting that the C2 domain, undronride[.]ru, was registered just seven days ago and lacks a surprising amount of registration information.
A second C2 callback to the CNOBIN-registered littarhapone[.]com was also generated by the malware.
The following screenshot shows the meta populated by NetWitness Packets for these C2 check-in sessions:
In both cases, there were no binaries downloaded after the check-in. However, this SANS blog post discusses some of the additional payloads delivered by this Hancitor campaign.
Delivery documents (SHA256):