For the past few weeks, security researchers analyzed various spam campaigns and found one containing a malicious Hancitor trojan. Cybercriminals use the spam email as an attack vector and lure victims to click the malicious Word documents that will drop a malware cocktail inside their PCs.
One of these phishing campaigns has been delivered with the following content. Here’s how a phishing email looks like:
From: [Spoof / Forwarded Sender Address]
Subject Line: ew incoming eFax document from 1-888 – [% 6 random numbers%]
During this spam campaign, malicious actors try to convince users to click one of the following infected domains which lead to the download of malicious RTF documents:
http: // tabrs [.] com
http: // boxerproperties [.] org
http: // boxerproperties [.] biz
According to VirusTotal, only 3 antivirus engines out of 58 managed to detect the spam campaign at the time we write this article. The campaign first started a week ago, when we started monitoring it.
Malware cocktails such as these keep changing their composition which makes it harder for antivirus programs to detect it during the first hours or even days. It easily flies below their radar and let users’ devices very exposed to online threats.
They continue to have a high rate of success for malicious actors who still find new ways to attack victims and access vulnerable devices. Malware cocktails manage to infect easily those machines which are based on reactive protection-only.
How the online criminals operate
If a victim clicks that link, then she will be redirected to one of the following URLs that drop malicious payloads (sanitized for your online safety):
http: // goodgroupllc [.] com/modules / media_entity/1
http: // goodgroupllc [.] com/modules/ media_entity/2
http: // helloyou [.] se/wp-content/ plugins/pixcodes/1
http: // helloyou [.] se/wp-content/ plugins/pixcodes/2
http: // impressocoffee.com [.] au/wp-content/ plugins/dynamic-featured-image/1
http: // outandaboutpublications [.] com.au/1
http: // boltboxmarketing [.] com/wp-content/ plugins/js_composer/config/1
Attackers exploit the Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882) by trying to remotely control a victim’s computer who’s currently logged on with administrative user rights. Without these rights, a user can’t locally access or enable applications or commands on a PC.
Source: CVE Details
Attackers use a WebDav server to launch arbitrary commands and execute malicious/infected files on a vulnerable machine by connecting to a Hancitor C&C server:
http: // littarhapone [.] com / LS5 / forum . php
Hancitor is a malicious Trojan downloader that drops both Pony and Evil Pony malware on the targeted machine. Cybercriminals will try to launch an attack operating the Panda ZeuS botnet via the following C&C servers:
http: // littarhapone [.] com / Mlu / forum.php
http: // littarhapone [.] com / d2 / about.php
This botnet tries to spread an additional malware, collect data from infected machines and relay back to the controlling server. In the final stage of a targeted attack, the Panda ZeuS malware will be dropped on the vulnerable machines from the following URL:
https: // suptalefthed [.] ru / 1paylseaffiuwosylygcy . exe
Next, the malicious actors will download and install more Panda ZeuS modules and plugins like the ones below:
https: // suptalefthed [.] ru / 1paylseaffiuwosylygcy . dat
https: // suptalefthed [.] ru / 61webinjects. dat
https: // suptalefthed [.] ru / 61webinject32 . bin
https: // suptalefthed [.] ru / 61keylogger . bin
Apply these security measures to fight against online attacks
- Update, update and update again! It’s essential to install all the latest updates for your apps, software programs and system. Do NOT postpone and neglect keeping your system fully patched;
- Make sure you have at least two backups of your valuable data on external sources and do not store them exclusively on your computer;
- We remind you once again: Don’t open, click or download suspicious links/files received from unknown sources that could compromise your PC;
- To reduce the impact of these vulnerabilities, try to run software programs with non-administrative user accounts and remember to disable macros in the Microsoft Office package;
- Consider using a proactive security product (you can see what Defenx Security Suite can do for you)
*This article features cyber intelligence provided by CSIS Security Group researchers and Heimdal Security.