October 6, 2021
Severity
High
Analysis Summary
Hancitor is an information stealer and malware downloader commonly associated with the threat group TA511. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. In October 2020, Hancitor began utilizing Cobalt Strike, and some of these infections utilized a network ping tool to enumerate the infected host’s internal network. Normal ping activity is low to nonexistent within a Local Area Network (LAN), but this ping tool generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic as it pings more than 17 million IP addresses of internal, non-routable IPv4 address space. The actor pushing Hancitor has displayed consistent patterns of infection activity.
The chain of events for recent Hancitor infections is:
1. Email with a link to a malicious page hosted on Google Drive.
2. Link from the Google Drive page to a URL that returns a malicious Word document.
3. Macros are enabled (per instructions in the Word document text).
4. Hancitor DLL is dropped and run using rundll32.exe.
5. Hancitor generates command and control (C2) traffic.
6. Hancitor C2 most often leads to Ficker Stealer malware.
7. Hancitor C2 leads to Cobalt Strike activity in AD environments.
8. Hancitor-related Cobalt Strike activity can send other files, such as a network ping tool or malware based on the NetSupport Manager Remote Access Tool (RAT).
9. In rare cases, a Hancitor infection is followed by Send-Safe spambot malware that turns the infected host into a spambot pushing more Hancitor-based malspam.
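The ping-tool behaviour described in the summary (ICMP to essentially the whole RFC 1918 space, where normal LAN ping activity is near zero) is easy to spot in flow data by counting distinct private destinations per source. The following is an added detection example, not Rewterz tooling; the flow-record shape (source, destination, protocol, packets), the thresholds and the sample records are assumptions constructed for the example.

```python
"""Flag hosts sweeping private (RFC 1918) address space with ICMP, as the
Hancitor-delivered ping tool does. Added example: the flow-record layout and the
sample records below are constructed assumptions, not data from the advisory."""
from collections import defaultdict
import ipaddress

# Non-routable IPv4 ranges the ping tool enumerates (about 17.9 million addresses).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True when the address falls inside one of the RFC 1918 ranges."""
    return any(ip in net for net in PRIVATE_NETS)


def build_sample_flows():
    """Constructed flow records (src, dst, proto, packets): one sweeping host,
    one workstation pinging its gateway, and some unrelated traffic."""
    flows = []
    # Sweeper: 64 hosts in each of eight 10.x.0.0/24 subnets -> 512 distinct targets.
    for i in range(8):
        for j in range(1, 65):
            flows.append(("10.1.2.55", f"10.{i}.0.{j}", "ICMP", 1))
    # Benign: a workstation pinging its default gateway a few times.
    flows += [("10.1.2.10", "10.1.2.1", "ICMP", 4)] * 3
    # Ignored by the detector: ICMP to a public address, and TCP traffic.
    flows.append(("10.1.2.10", "8.8.8.8", "ICMP", 4))
    flows.append(("10.1.2.20", "10.1.2.30", "TCP", 10))
    return flows


def icmp_sweep_stats(flows):
    """Per source: number of distinct private ICMP destinations and of /24 subnets hit."""
    targets = defaultdict(set)
    for src, dst, proto, _packets in flows:
        if proto.upper() != "ICMP":
            continue
        dst_ip = ipaddress.ip_address(dst)
        if is_private(dst_ip):
            targets[src].add(dst_ip)
    stats = {}
    for src, ips in targets.items():
        subnets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
        stats[src] = {"hosts": len(ips), "subnets": len(subnets)}
    return stats


def flag_sweepers(flows, min_hosts=200, min_subnets=4):
    """Sources whose ICMP fan-out exceeds what normal LAN ping activity produces.
    The thresholds are tunable assumptions; a real sweep is orders of magnitude larger."""
    stats = icmp_sweep_stats(flows)
    return sorted(src for src, s in stats.items()
                  if s["hosts"] >= min_hosts or s["subnets"] >= min_subnets)


if __name__ == "__main__":
    sample = build_sample_flows()
    for src in flag_sweepers(sample):
        print(src, icmp_sweep_stats(sample)[src])
```

Counting distinct destinations rather than raw packet volume keeps a chatty monitoring host (many pings to one gateway) below the threshold while a single host touching hundreds of addresses across several subnets is flagged within the first seconds of a sweep, long before the 1.5 GB of ICMP the advisory mentions has been generated.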
Impact
- Information Theft
- Data Exfiltration
Indicators of Compromise
MD5
- e29e36e214a7304a0fb7d653783bb0ad
SHA-256
- 1fd0f358265bd5dbd84c73764f572a761ee51112f87fe911b9616085cc3a38ea
- bbee3c0d6b671a98e54a19df0ebcca30a4769c424ba0dbec274d5542a036c715
- 6a3fe567d68e865338ff8cbf4a28259d0232c103fc1e3708d9031743a80da04c
- c880d0743282bf8c2c340d622992c9dbe1fa4bf84001f23cc3cb74377c5f1d5f
- 1f3d689e70b06ec584581f235a250aae198c1e88ee4fd0ff83a337735a38e7a4
- ea262a1870f46ce76c1f6e38bf86de180fd51590c34870e62551d5882710cbfb
- 3ecd7b0bdc95ae07543347267f5e4ec572150d00829682351cfe6571f3d65b26
- 9481c36bd2cc5592f5dfde1eb8da1c55d618c42df22b1db8ec28f8b26dbd6a3f
SHA-1
- 116151e72daaa8bbbad5edfcec520c626c948f01
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Do not enable macros for files downloaded unintentionally.
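For the "search for IOCs in your environment" step, the file hashes listed above can be swept for directly. Below is an added example sweeper, not a Rewterz tool; it hashes every file under a directory with MD5, SHA-1 and SHA-256 in one pass and reports any digest that appears in the advisory's IOC list. The directory to scan is the only assumption; the hash set is quoted from the Indicators of Compromise section.

```python
"""Sweep a directory tree for files whose hash matches the advisory's IOCs.
Added example, not Rewterz tooling. Files are read in chunks so large files do
not need to fit in memory, and all three digest types are checked against one set."""
import hashlib
import os
import sys
from pathlib import Path

# IOC hashes quoted from the advisory (one MD5, one SHA-1, eight SHA-256), lower-cased.
HANCITOR_IOCS = {
    "e29e36e214a7304a0fb7d653783bb0ad",
    "116151e72daaa8bbbad5edfcec520c626c948f01",
    "1fd0f358265bd5dbd84c73764f572a761ee51112f87fe911b9616085cc3a38ea",
    "bbee3c0d6b671a98e54a19df0ebcca30a4769c424ba0dbec274d5542a036c715",
    "6a3fe567d68e865338ff8cbf4a28259d0232c103fc1e3708d9031743a80da04c",
    "c880d0743282bf8c2c340d622992c9dbe1fa4bf84001f23cc3cb74377c5f1d5f",
    "1f3d689e70b06ec584581f235a250aae198c1e88ee4fd0ff83a337735a38e7a4",
    "ea262a1870f46ce76c1f6e38bf86de180fd51590c34870e62551d5882710cbfb",
    "3ecd7b0bdc95ae07543347267f5e4ec572150d00829682351cfe6571f3d65b26",
    "9481c36bd2cc5592f5dfde1eb8da1c55d618c42df22b1db8ec28f8b26dbd6a3f",
}


def hash_file(path, chunk_size=1 << 20):
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...} hex digests for one file."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def scan_tree(root, iocs=HANCITOR_IOCS):
    """Walk root and return [(path, algorithm, digest)] for every file matching an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digests = hash_file(path)
            except OSError:
                # Locked or unreadable file: skip it rather than abort the whole sweep.
                continue
            for algo, digest in digests.items():
                if digest in iocs:
                    hits.append((str(path), algo, digest))
    return hits


if __name__ == "__main__":
    # Usage: python sweep.py <directory>   (defaults to the current directory)
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("IOC match:", *hit)
```

A hit on any one of the three digests is enough to escalate; hashing all three per file costs little extra because each chunk is read once and fed to every digest. Exact-hash matching only catches the samples listed here, so treat a clean sweep as "these specific files are absent", not as proof the host is uninfected.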