{"id":1161,"date":"2024-08-30T04:48:27","date_gmt":"2024-08-30T04:48:27","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1161"},"modified":"2025-07-28T13:48:16","modified_gmt":"2025-07-28T13:48:16","slug":"crib-notes-hancitor-downloader-word-doc-takes-your-computer-hands-it-oer-to-hackers","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/crib-notes-hancitor-downloader-word-doc-takes-your-computer-hands-it-oer-to-hackers\/","title":{"rendered":"Crib Notes: Hancitor downloader \u2013 word doc takes your computer, hands it o\u2019er to hackers"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"494\" height=\"350\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/Crrhancitor-featimage_header.jpg\" alt=\"\" class=\"wp-image-1171\"\/><\/figure>\n<\/div>\n\n\n<p>Although cyber security and hacking are both relatively new fields, there are still certain tactics we\u2019d consider \u2018old school\u2019.<\/p>\n\n\n\n<p>Malicious macros are one of them.<\/p>\n\n\n\n<p>For those unfamiliar with the term, macros enable a user to group together a series of tasks into a single command. This allows you to automate repetitive tasks.<\/p>\n\n\n\n<p>A macro becomes \u2018malicious\u2019 when an attacker preloads a series of commands into a Word document and convinces a victim (most often via a phishing email) to open the document and enable macros. 
The commands loaded onto the document then execute.<\/p>\n\n\n\n<p>Once such an attack has a hold of a computer, it then downloads additional malware \u2013 typically a credential stealer or ransomware.<\/p>\n\n\n\n<p>While there are numerous attacks that use malicious macros, we\u2019ll focus on the infamous Hancitor downloader due to its recent resurgence.<\/p>\n\n\n\n<p>Recently: In May this year, customers of electronic document vendor DocuSign, were targeted in a Hancitor-slinging phishing campaign after attackers successfully pilfered an undisclosed number of email addresses from the company.<\/p>\n\n\n\n<p>Customers were then sent emails, highly crafted to look as though they were sent from DocuSign, asking them to follow a link to a word document which had Hancitor waiting within the macros.<\/p>\n\n\n\n<p>This attack was particularly interesting as attackers updated their phishing emails halfway through the campaign after DocuSign sent a PSA to its customers.<\/p>\n\n\n\n<p>Prevalence: Following a lull last year, New Year\u2019s Day 2017 brought with it an increase in the number of campaigns deploying Hancitor.<\/p>\n\n\n\n<p>This revival began in January, when researchers from the SANS Internet Storm Center first started tracking an uptick in Hancitor spam.<\/p>\n\n\n\n<p>Technically: While malicious macros have been around for a while, it is worth unpacking how these attacks work because they are a quintessential cyber attacker tool. 
Plus this latest sample comes with an interesting tweak which I\u2019ll touch on shortly.<\/p>\n\n\n\n<p>First though, as mentioned earlier, Hancitor kicks into life when a malicious document is opened and macros are enabled, as displayed below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib-notes-hancitor-img1.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>One of our first steps was to try to read the macro code, but it was highly obfuscated:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"443\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib-notes-hancitor-img2-1024x443.png\" alt=\"\" class=\"wp-image-1163\" srcset=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib-notes-hancitor-img2-1024x443.png 1024w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib-notes-hancitor-img2.png 1026w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Once executed, the shellcode within the macros launches \u201cexplorer.exe\u201d as a sub-process through code injection:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"397\" height=\"41\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib-notes-hancitor-img3.png\" alt=\"\" class=\"wp-image-1164\"\/><\/figure>\n\n\n\n<p>For every instance of shellcode executed, memory must be allocated. 
\u201cVirtualAlloc\u201d is the Windows API used to allocate that memory.<\/p>\n\n\n\n<p>The sample\u2019s embedded shellcode queries for this VirtualAlloc API, as shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"429\" height=\"38\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib-notes-hancitor-img4.png\" alt=\"\" class=\"wp-image-1165\"\/><\/figure>\n\n\n\n<p>Simultaneously, the document macros also search for a string called STARFALL. This string loads the malware from the shellcode and injects it into explorer.exe, as shown in the screenshot below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"88\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib-notes-hancitor-img5.png\" alt=\"\" class=\"wp-image-1166\"\/><\/figure>\n\n\n\n<p>If successful, these steps create a backdoor, allowing any malicious software to be installed onto the machine.<\/p>\n\n\n\n<p>In the DocuSign attack, for example, the payload was primarily credential-stealing malware like Pony and Evil Pony.<\/p>\n\n\n\n<p>In a new twist for Hancitor, we witnessed our sample (MD5: CDCD2CA36ED9A2B060DD4147BC5F7706) steal network credentials itself by targeting the system\u2019s unique GUID. Previous iterations didn\u2019t contain this feature.<\/p>\n\n\n\n<p>In Windows 7, user credentials are stored in multiple files with random names (generated using a GUID) inside both the APPDATA and LOCALAPPDATA locations.<\/p>\n\n\n\n<p>Based on the type of password and application, one of these locations is chosen to store the corresponding credential file. 
For example, Windows Live Messenger and Remote Desktop login passwords are stored under LOCALAPPDATA.<\/p>\n\n\n\n<p>The unique GUID below helps Hancitor decrypt the credentials:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"647\" height=\"72\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib-notes-hancitor-img6.png\" alt=\"\" class=\"wp-image-1167\"\/><\/figure>\n\n\n\n<p>Additional analysis:<\/p>\n\n\n\n<p>During our analysis, we saw Hancitor call out to the below Command and Control (C2) servers:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"778\" height=\"257\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib-notes-hancitor-img7.png\" alt=\"\" class=\"wp-image-1168\"\/><\/figure>\n\n\n\n<p>Interestingly, we also found a command which can update the list of C2 servers. The updated list is encrypted and written to a file with the extension \u201c.cfg\u201d:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"465\" height=\"84\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/crib-notes-hancitor-img8.png\" alt=\"\" class=\"wp-image-1169\"\/><\/figure>\n\n\n\n<p>The reason these cyber-attack methods always return after falling out of favour is that they\u2019re successful. <strong>I don\u2019t know how many times the security industry will have to shout \u2018don\u2019t open suspicious emails\u2019 until the message gets through\u2026<\/strong> if my mother\u2019s predilection for opening clearly malicious emails is anything to go by, we\u2019ll be shouting for some time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Although cyber security and hacking are both relatively new fields, there are still certain tactics we\u2019d consider \u2018old school\u2019. Malicious macros are one of them. 
For those unfamiliar with the term, macros enable a user to group together a series of tasks into a single command. This allows you to automate repetitive tasks. <\/p>\n","protected":false},"author":1,"featured_media":1171,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1161","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1161","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1161"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1161\/revisions"}],"predecessor-version":[{"id":4446,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1161\/revisions\/4446"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1171"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1161"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}