Hancitor is an information stealer and malware downloader commonly associated with threat group TA511. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. In October 2020, Hancitor began utilizing Cobalt Strike, and some of these infections utilized a network ping tool to enumerate the infected host's internal network. Normal ping activity is low to nonexistent within a Local Area Network (LAN), but this ping tool generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic as it pings more than 17 million IP addresses of internal, non-routable IPv4 address space. The actor pushing Hancitor has displayed consistent patterns of infection activity.
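The "more than 17 million" internal addresses the paragraph mentions correspond to the RFC 1918 private IPv4 ranges, and the volume of echo requests is what makes this activity stand out on a LAN where ping traffic is normally rare. The following Python is an added example, not code from the original article and not the actor's tooling: it computes the size of that private address space and runs a simple sweep detector over connection-log lines, flagging any source whose ICMP echo requests reach an unusual number of distinct internal destinations. The `src=... dst=... proto=... type=...` log format, the sample records and the alert threshold are all constructed assumptions for this example; the threshold in particular would be tuned to the network being monitored.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private IPv4 ranges: the "internal, non-routable" space the article refers to.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def private_address_count() -> int:
    """Total number of RFC 1918 addresses; sweeping all of them is the
    'more than 17 million' pings described in the article."""
    return sum(net.num_addresses for net in PRIVATE_RANGES)


def is_private(ip: str) -> bool:
    """True if the address falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def parse_line(line: str):
    """Parse one constructed log line of the form
    '<timestamp> src=A dst=B proto=P type=T' into (src, dst, proto, icmp_type).
    icmp_type is None for non-ICMP records (assumed format, not a real product's)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    icmp_type = int(fields["type"]) if fields["type"].isdigit() else None
    return fields["src"], fields["dst"], fields["proto"], icmp_type


def find_icmp_sweepers(records, threshold: int) -> dict:
    """Return {src: distinct_private_destinations} for every source that sent
    ICMP echo requests (type 8) to more than `threshold` distinct private addresses.
    Counting distinct destinations rather than packets ignores a host that
    repeatedly pings one gateway but catches a host walking an address range."""
    targets = defaultdict(set)
    for src, dst, proto, icmp_type in records:
        if proto == "icmp" and icmp_type == 8 and is_private(dst):
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) > threshold}


# Constructed sample log (not a real capture):
#  - 10.0.0.1 walks 200 consecutive addresses in 10.0.1.0/24  (sweep-like)
#  - 10.0.0.2 pings its gateway a few times                      (normal)
#  - 10.0.0.3 pings a public address many times                  (not internal, ignored)
#  - one TCP record, which the detector must skip
SAMPLE_LOG = (
    [f"2020-10-14T12:00:{i % 60:02d} src=10.0.0.1 dst=10.0.1.{i} proto=icmp type=8"
     for i in range(200)]
    + ["2020-10-14T12:00:05 src=10.0.0.2 dst=10.0.0.1 proto=icmp type=8"] * 3
    + ["2020-10-14T12:00:06 src=10.0.0.3 dst=8.8.8.8 proto=icmp type=8"] * 100
    + ["2020-10-14T12:00:07 src=10.0.0.2 dst=10.0.0.1 proto=tcp type=-"]
)

# Assumed alert threshold: distinct internal hosts pinged before a source is flagged.
SWEEP_THRESHOLD = 50


def analyze_sample_log() -> dict:
    """Run the detector over the constructed sample log."""
    return find_icmp_sweepers((parse_line(l) for l in SAMPLE_LOG), SWEEP_THRESHOLD)


if __name__ == "__main__":
    print(f"RFC 1918 address space: {private_address_count():,} addresses")
    for src, count in analyze_sample_log().items():
        print(f"possible internal ICMP sweep from {src}: {count} distinct private hosts pinged")
```

In this sample only 10.0.0.1 is reported, with 200 distinct internal destinations; the gateway pings and the public-address pings are ignored. On a real network the same idea applies to NetFlow or firewall logs, with the threshold set well above the handful of internal hosts a workstation legitimately pings.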
The chain of events for recent Hancitor infections is:
Given above is a malicious Word document containing the Hancitor DLL. When macros are enabled for these malicious Word documents, the macro code drops and runs a malicious DLL file for Hancitor. The DLL file is contained within the macro code.