Hancitor is an information stealer and malware downloader commonly associated with the threat group TA511. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. In October 2020, Hancitor began utilizing Cobalt Strike, and some of these infections used a network ping tool to enumerate the infected host’s internal network. Normal ping activity is low to nonexistent within a Local Area Network (LAN), but this ping tool generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic as it pings more than 17 million IP addresses of internal, non-routable IPv4 address space. The actor pushing Hancitor has displayed consistent patterns of infection activity.
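Because normal LAN ping activity is near zero, a sweep of the private address space stands out as a per-source spike in distinct ICMP echo-request destinations. The following is an added detection example (not code from the original article or from the Hancitor tooling) that assumes the "internal, non-routable" space means the three RFC 1918 ranges and uses a constructed flow-log format of `ts src dst proto icmp_type`:

```python
# Added example: flag hosts sweeping RFC 1918 space with ICMP echo requests,
# the behaviour described for the Hancitor-delivered ping tool.
import ipaddress
from collections import defaultdict

# Assumption: "internal, non-routable IPv4 address space" = the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def private_address_count():
    """Total IPv4 addresses across the RFC 1918 ranges (the '17 million' in the text)."""
    return sum(n.num_addresses for n in PRIVATE_NETS)

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in PRIVATE_NETS)

def parse_line(line):
    """Parse one constructed flow record: 'ts src dst proto icmp_type'."""
    ts, src, dst, proto, itype = line.split()
    return {"ts": float(ts), "src": src, "dst": dst,
            "proto": proto, "icmp_type": int(itype)}

def find_icmp_sweepers(lines, threshold=3):
    """Return {src: distinct_private_dst_count} for hosts whose echo requests
    (ICMP type 8) reach at least `threshold` distinct RFC 1918 addresses.
    The threshold is deliberately tiny for the constructed sample; on a real
    LAN it is set from a baseline of normal (near-zero) ping activity."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec["proto"] != "icmp" or rec["icmp_type"] != 8:
            continue                      # only echo requests count as sweeping
        if not is_private(rec["dst"]):
            continue                      # Internet-bound pings are out of scope
        targets[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

# Constructed sample: 10.0.0.5 sweeps its /8 neighbours; 10.0.0.7 pings the gateway once.
SAMPLE_LOG = """\
1.0 10.0.0.5 10.0.0.1 icmp 8
1.1 10.0.0.5 10.0.0.2 icmp 8
1.2 10.0.0.5 10.0.0.3 icmp 8
1.3 10.0.0.5 10.0.0.4 icmp 8
1.4 10.0.0.7 10.0.0.1 icmp 8
1.5 10.0.0.1 10.0.0.7 icmp 0
1.6 10.0.0.5 8.8.8.8 icmp 8
""".splitlines()

if __name__ == "__main__":
    print(private_address_count())        # 17891328
    print(find_icmp_sweepers(SAMPLE_LOG))  # {'10.0.0.5': 4}
```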
The chain of events for recent Hancitor infections is:
Email with link to a malicious page hosted on Google Drive.
Link from a Google Drive page to a URL that returns a malicious Word document.
Enable macros (per instructions in Word document text).
Hancitor DLL is dropped and run using rundll32.exe.
Hancitor generates command and control (C2) traffic.
Hancitor C2 most often leads to Ficker Stealer malware.
Hancitor C2 leads to Cobalt Strike activity in AD environments.
Hancitor-related Cobalt Strike activity can send other files, such as a network ping tool or malware based on the NetSupport Manager Remote Access Tool (RAT).
In rare cases, a Hancitor infection is followed by Send-Safe spambot malware, which turns the infected host into a spambot pushing more Hancitor-based malspam.
Shown above is a malicious Word document containing the Hancitor DLL. When macros are enabled for these malicious Word documents, the macro code drops and runs a malicious DLL file for Hancitor. The DLL file itself is contained within the macro code.