Spammers Revive Hancitor Downloader Campaigns

A recent lull in the distribution of spam spreading information-stealing malware via the Hancitor downloader has ended.
Researchers at the SANS Internet Storm Center are currently tracking an increase in spam purporting to be a forwarded parking ticket notification. The message prompts the recipient to click a link to pay a parking ticket; the hyperlink leads to a Microsoft Word document.

“The document contains a malicious VB macro described as Hancitor, Chanitor or Tordal,” wrote Brad Duncan, handler at the SANS Internet Storm Center, in a blog post warning of the spam campaign. “If you enable macros, the document retrieves a Pony downloader DLL. The Pony downloader then retrieves and installs Vawtrak malware.”
There doesn’t appear to be anything unique about the Word document itself or its standard ploy of pushing recipients to “enable content” and run a malicious macro. The link in the phishing e-mail, however, contains a base64-encoded string representing the recipient’s address. Using that string, the attackers insert the recipient’s name into the filename of the Word document that is served.
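As an added example (not code from the SANS post or from this article), here is a triage helper an analyst could run over URLs pulled from proxy logs or quarantined mail for a campaign of this shape: it finds the base64 string in the link, decodes it tolerantly (URL-safe alphabet, stripped padding), confirms the result is an e-mail address, and derives the filename the server would hand back following the parking_bert.doc pattern described above. The URL layout, the query parameter name, the sample addresses and the assumption that the filename uses the local part of the address are all constructed for illustration; the real campaign URLs are not reproduced here.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Loose check that a decoded string looks like an e-mail address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_b64_loose(token: str) -> Optional[str]:
    """Decode base64 that may use the URL-safe alphabet and/or lack '=' padding.

    Returns None if the token is not valid base64 or does not decode to UTF-8 text.
    """
    token = token.strip()
    if not token:
        return None
    # Normalise URL-safe variants to the standard alphabet, then restore padding.
    token = token.replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def recipient_from_url(url: str) -> Optional[str]:
    """Return the first query value or path segment that base64-decodes to an e-mail address."""
    parsed = urlparse(url)
    candidates: List[str] = []
    for values in parse_qs(parsed.query).values():
        candidates.extend(values)
    candidates.extend(seg for seg in parsed.path.split("/") if seg)
    for cand in candidates:
        decoded = decode_b64_loose(cand)
        if decoded and EMAIL_RE.match(decoded):
            return decoded
    return None


def expected_filename(email: str, prefix: str = "parking_") -> str:
    """Build the filename the lure is expected to carry.

    Assumption (matches the parking_bert.doc observation, not confirmed beyond it):
    the name inserted into the filename is the local part of the address.
    """
    local_part = email.split("@", 1)[0]
    return f"{prefix}{local_part}.doc"


def triage(urls: List[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """For each URL, report (url, targeted recipient or None, expected filename or None)."""
    results = []
    for url in urls:
        email = recipient_from_url(url)
        results.append((url, email, expected_filename(email) if email else None))
    return results


# Constructed sample links (hostname, path and parameter names are hypothetical).
# "YmVydEBleGFtcGxlLmNvbQ==" is base64 of "bert@example.com"; the first sample has the
# padding stripped, the second keeps it in a path segment, the third uses the URL-safe
# alphabet, and the fourth is a decoy with a plain numeric id.
SAMPLE_URLS = [
    "http://example.invalid/ticket.php?id=YmVydEBleGFtcGxlLmNvbQ",
    "http://example.invalid/YmVydEBleGFtcGxlLmNvbQ==/parking",
    "http://example.invalid/ticket.php?id="
    + base64.urlsafe_b64encode(b"carol@example.org").decode().rstrip("="),
    "http://example.invalid/ticket.php?id=12345",
]

if __name__ == "__main__":
    for url, email, fname in triage(SAMPLE_URLS):
        print(f"{url}\n  recipient={email}  expected_file={fname}")
```

In practice this is most useful in reverse: a proxy log shows who clicked, and decoding the token tells you whose mailbox the lure was addressed to, which may not be the same account. The regex is deliberately permissive because the goal is to reject non-base64 noise in the URL, not to validate addresses.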
“I used a base64 string for [email protected] (a made-up name/address) and received a file named parking_bert.doc,” Duncan said.
Other aspects of the spam campaign are similar to previous waves of Hancitor-related spam reported in 2016 by Palo Alto Networks and FireEye. “Pattern-wise, URLs from this infection are similar to previous cases of Hancitor/Pony/Vawtrak malspam reported during the past two or three months,” Duncan wrote.
In August, Palo Alto Networks identified a Hancitor variant that had shifted away from the latest incarnation of the H1N1 downloader and instead distributed the Pony and Vawtrak executables. In September, FireEye reported that Hancitor’s payload delivery differed from previous iterations: the downloader had shifted to relying on native Windows API callback functions to execute its shellcode.
While the volume of Hancitor campaigns fluctuates, researchers say spam-based macro attacks overall are on the rise. In a study released in October, Microsoft said incidents of macro-based malware hiding in Office documents have been steadily increasing. In the enterprise, Microsoft reports, 98 percent of Office-targeted threats still use old-school macro-based attacks.
“We often become jaded as yet another wave of malspam does the same thing it’s done before. Patterns behind such activity are often well-documented. So why bother with discussion, if there’s nothing new?” Duncan wrote. “That attitude only encourages the criminal groups behind malspam.”
Duncan notes that there are a number of technical means to prevent these types of infections, such as the new protections for the Office suite that Microsoft introduced in October.