

Hancitor has historically sent emails spoofing different types of organizations that send notices, faxes or invoices. First Stage: Distributing Malicious Word Documents 5, 2020, this campaign settled into the infection chain of events shown above. In rare cases, we have also seen a Hancitor infection follow-up with Send-Safe spambot malware that turned an infected host into a spambot pushing more Hancitor-based malspam.Īfter a three-month absence, Hancitor activity resumed on Oct.Hancitor-related Cobalt Strike activity can send other files, such as a network ping tool or malware based on the NetSupport Manager Remote Access Tool (RAT).


Palo Alto Networks has shared our findings, including file samples and indicators of compromise described in this report, with our fellow Cyber Threat Alliance members. Palo Alto Networks Next-Generation Firewall customers are protected from this threat with a Threat Prevention security subscription. This blog also contains relatively new indicators noted from this threat actor as of February 2021, and it provides five examples of the associated network ping tool seen in December 2020 and January 2021. This blog reviews examples of recent Hancitor infections within AD environments. To understand how this ping tool is used, we must first understand the chain of events for current Hancitor activity. Normal ping activity is low to nonexistent within a Local Area Network (LAN), but this ping tool generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic as it pings more than 17 million IP addresses of internal, non-routable IPv4 address space. This blog illustrates how the threat actor behind Hancitor uses the network ping tool, so security professionals can better identify and block its use.Īs early as October 2020, Hancitor began utilizing Cobalt Strike and some of these infections utilized a network ping tool to enumerate the infected host’s internal network. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. Approximately three years later, Hancitor remains a threat and has evolved to use tools like Cobalt Strike. In a threat brief from 2018, we noted Hancitor was relatively unsophisticated, but it would remain a threat for years to come. I’m using the command pwsh to do this on REMnux.Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. We can decode all this PowerShell on any platform. The $var_code variable contains Cobalt Strike beacon shellcode that was XOR’d with the value 35 before being base64 encoded.
#COBALT STRIKE BEACON DLL CODE#
Suffice to say, the rest of the code is overhead required to inject shellcode reflectively into the memory space of the PowerShell process executing the script. The chunk of code containing $var_code = $var_code -bxor 35.To keep this post short and sweet, there are two portions to focus upon: There’s a LOT to unpack here and wrap our brains around. length ) $var_runme = :: GetDelegateForFunctionPointer ( $var_buffer, ( func_get_delegate_type IntPtr ]) ())) Set-StrictMode -Version 2 $DoIt = $aa1234 = :: UTF8.GetString (:: FromBase64String ( $DoIt )) If (:: size -eq 8 ) $var_va = :: GetDelegateForFunctionPointer (( func_get_proc_address kernel32.dll VirtualAlloc ), ( func_get_delegate_type IntPtr ],, , ) ())) $var_buffer = $var_va.
