Hancitor Is Using Well-Known Tricks to Spread Malware
Hancitor Has Been Using Cookies to Prevent URL Scraping.
According to CYWARE.com, researchers from McAfee Labs discovered and documented a new technique used by the actors behind Hancitor. The technique prevents crawlers from accessing the maldocs used to download the Hancitor payload.
In the first step of the attack, the target receives an email with a fake DocuSign template that appears to contain a link to feedproxy[.]google[.]com, a service that allows users to publish website updates.
The link directs the user to a malicious site, which checks the browser's User-Agent; if it is non-Windows, the victim is redirected to google[.]com.
The site's code writes the timezone to the value ‘n’ and the time offset to UTC to the value ‘d’. These values are set in the cookie header of an HTTP GET request. The values of ‘n’ and ‘d’ change according to the timezone.
The two values, ‘n’ and ‘d’, could potentially be used to stop any further malicious activity, or even to deploy other payloads based on geolocation, after reloading.
After reloading, the website downloads the maldoc, a document created to lure the victim into enabling macros and consequently downloading the Hancitor DLL, which is loaded with Rundll32.
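For defenders, the request-then-reload pattern described above can be hunted in web proxy logs. The following is an added example, not code from McAfee Labs or the original article; the log field names, hosts, cookie values and the 10-second window are all assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed proxy log records (not real traffic); field names are assumptions.
SAMPLE_LOG = [
    {"ts": "2021-07-01T09:00:00", "client": "10.0.0.5", "method": "GET",
     "url": "http://landing.example/doc", "cookie": "", "ctype": "text/html"},
    {"ts": "2021-07-01T09:00:02", "client": "10.0.0.5", "method": "GET",
     "url": "http://landing.example/doc", "cookie": "n=Europe/Berlin; d=-120",
     "ctype": "application/msword"},
    {"ts": "2021-07-01T09:05:00", "client": "10.0.0.9", "method": "GET",
     "url": "http://news.example/", "cookie": "session=abc", "ctype": "text/html"},
    {"ts": "2021-07-01T09:05:03", "client": "10.0.0.9", "method": "GET",
     "url": "http://news.example/", "cookie": "session=abc; theme=dark",
     "ctype": "text/html"},
]

def parse_cookie(header):
    """Split a Cookie request header into a {name: value} dict."""
    pairs = (p.strip().partition("=") for p in header.split(";") if "=" in p)
    return {name.strip(): value.strip() for name, _, value in pairs}

def find_cookie_gated_reloads(events, window_s=10):
    """Flag a client GET without 'n'/'d' cookies that is followed, within
    window_s seconds, by a GET of the same URL carrying both cookies."""
    hits, first_seen = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] != "GET":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["client"], ev["url"])
        cookies = parse_cookie(ev["cookie"])
        if cookies.keys() >= {"n", "d"}:
            prev = first_seen.get(key)
            if prev and ts - prev <= timedelta(seconds=window_s):
                hits.append({"client": ev["client"], "url": ev["url"],
                             "n": cookies["n"], "d": cookies["d"],
                             "reload_ctype": ev["ctype"]})
        else:
            # Remember the most recent un-cookied request for this client/URL.
            first_seen[key] = ts
    return hits

if __name__ == "__main__":
    for hit in find_cookie_gated_reloads(SAMPLE_LOG):
        print(hit)
```

The `reload_ctype` field is kept in each hit so an analyst can prioritise reloads that returned a document rather than another HTML page.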
From this point on, the malware communicates with its C2 server and deploys an additional payload. If it is running on a Windows domain, it downloads and then deploys the Cobalt Strike Beacon.
It is important to understand how critical it is that Hancitor has obtained the ability to send malicious spam emails and deploy Cobalt Strike beacons, as it is expected to start being used in future ransomware attacks.