The eSentire Threat Intelligence team is tracking a recently identified campaign delivering Hancitor malware through malicious “HelloFax” emails. This campaign leverages trusted cloud services for delivering malicious Microsoft Word documents to victims. If executed successfully, Hancitor results in the installation of additional malware such as banking trojans.
What we’re doing about it
- esNETWORK is actively detecting and blocking known Hancitor Command and Control IP addresses
- esENDPOINT will detect activity related to this threat
What you should do about it
- If not actively using the HelloFax service, block emails containing the subject lines found below
- Block emails from email addresses found below
- Ensure employees are aware of ongoing email threats
Additional information
HelloFax is an online fax service that allows users to send PDF documents as faxes or receive faxes as PDF documents via email.
Hancitor is a downloader that has been known to download and install a variety of other malware including banking trojans and ransomware. Although originally identified in 2014, Hancitor has remained popular amongst threat actors, and is actively maintained and modified.
Beginning on April 19, 2018, eSentire’s Security Operation Centre responded to multiple incidents associated with this threat. Observed emails include a link to one of several compromised domains hosting malicious Word documents on Google Drive. End users that download the file and enable macros will unwittingly be infected by the Hancitor downloader (see figure 1 for example). This is an active campaign; the attacker may institute additional compromised domains to carry out attacks.
Indicators
Sender Addresses:
- hellofax@thecarltun[.]com
- grandjkc[.]com
Subject Lines:
- HelloFax, Someone Sent You a Fax
- Welcome to HelloFax, Here is Your Fax
- Welcome to HelloFax, Someone Sent You a Fax
Links to Malware Document (all resolve to 35.204.196.178* as of 2018-04-20):
- estimatorfind[.]com
- garywhitakerfamily[.]com
- garywhitakerfamily[.]net
- ilovepatchouli[.]com
- virtualpaintexpo[.]com
- headshopsmell[.]com
- patchouliscent[.]com
Malware Document:
- The malicious file that is downloaded is named “fax_******” (fax_ followed by six random digits)
- Document Hash (SHA256):6195d0f2f52397842d57759a124abf280309c0639a13ed314d319286bc4a46d7
Command and Control Infrastructure:
- 185[.]43[.]223[.]6
- hxxp://caharthenret[dot]com/4/forum[.]php
- hxxp://naotuseor[dot]ru/4/forum[.]php
- hxxp://pertacikin[dot]ru/4/forum[.]php
Malware Analysis Notes
When the document macro is executed, it will inject malicious code into a svchost.exe process. The svchost.exe process will then reach out to the Hancitor Command and Control infrastructure to download a secondary payload. Recently observed secondary payloads for Hancitor have included the Pony Trojan and the Zeus Panda Banking Trojan.
[image src="/assets/9edbde9e29/HelloFax-Hancitor-Campaign-figure-1.jpg" id="1226" width="589" height="419" class="center ss-htmleditorfield-file image" title="HelloFax Hancitor Campaign figure 1"]
*eSentire is actively blocking observed Hancitor Command and Control infrastructure.
As the malicious Word documents are hosted using a trusted cloud service (IP 35.204.196.178 and Google Drive), it is not feasible to block these addresses at this time.
