article featured image


Hancitor is an information stealer and malware downloader. Hancitor started using this trick in order to spread other malware like CobaltStrike, Pony, Cuba, FickerStealer, and Zeppelin. 

According to CYWARE.com the researchers from McAfee Labs discovered and documented a new technique used by actors behind Hancitor. This newly discovered technique prevents crawlers from accessing the maldocs used to download the Hancitor payload.

The first step on the attack is the one in which the target receives an email with a fake DocuSign template appearing to have a link or feedproxy[.]google[.]com, a service that allows users to publish website updates.

The link directs the user to a malicious site, which checks the User-Agent of the browser, and in the case in which it is non-Windows, the victim gets redirected to google[.]com.

If the victim is using a Windows machine, the malicious site creates a cookie that uses JavaScript and reloads the site through a code.

This specific code writes the timezone to value ‘n’ and the time offset to UTC in value ‘d’. The cookie header is set for HTTP to GET Request. The values of ‘n’ and ‘d’ change according to the timezone.

Extra Insights

The two values in question called ‘n’ and ‘d’ could potentially be used to stop any further malicious activity or even to deploy other payloads based on geolocation after reloading.

After reloading, the website downloads the maldoc, the document created so it can lure the victim into enabling macros and consequently downloading the Hancitor DLL loaded with Rundll32.

From this point on the malware will communicate with its C2 server and will deploy an additional payload system. If it is running on a Windows domain, it downloads and then deploys the Cobalt Strike Beacon.

It’s important to understand how critical is the fact that Hancitor malware has obtained the ability to send malicious spam emails and deploy Cobalt Strike beacons as it’s expected to start being used in future ransomware attacks.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo