We are currently witnessing an active malware campaign involving the Hancitor Trojan/Pony botnet. Once installed on the victim’s machine, Hancitor prepares the groundwork for the download of further malicious modules such as ransomware or data stealing malware.
A Widespread Campaign Across Industry Verticals
The Hancitor campaign that we’re currently witnessing has hit several industry verticals. In particular, we’ve already witnessed this malware targeting enterprises in the technological and bio-med verticals, as well as at infrastructure organizations. Given its widespread infection, we believe this is a more opportunistic campaign as opposed to targeted campaign that goes after a particular organization. While not targeted, this is an active campaign and given its widespread infection, users should be aware of its impact to data – from theft to hijacking data (through ransomware) – and work towards fortifying their systems to protect their data.
The Rise of “Fileless Malware”
What’s interesting about Hancitor is that it is “fileless malware”: it relies on a macro and an executable that floats only in memory, rather than on malicious executable files written to disk or on PowerShell code.
Fileless malware easily bypasses AV and NGAV tools, since by their nature those tools only inspect files. While best practice would be to disable macros, in reality that is not a workable solution given the legitimate uses of macros.
Under the Hood of Hancitor
In all the cases that we have witnessed, the user had to click on an enclosed Word file attachment. We have seen the typical social engineering tactics, such as the usual “FW: Invoice” emails. However, we’re also seeing the attackers step it up a notch with more specific attachments that dodge the typical user’s suspicions, for example by presenting the filename as “bofa_card_statement”.
In all cases, the attached file has the following characteristics:
Figure 1: The attached malicious file
As shown in the figure, the file has the usual “Protected doc/Must enable macros to view information” that a user normally sees.
Once the user clicks on the email, things get more interesting.
Typically, at this stage malware creates a malicious version of svchost. However, the malware in this campaign runs verclsid.exe, a legacy executable in the Windows platform that was introduced back in Windows XP and is still in use. Behind the scenes, verclsid.exe is responsible for Verify Class ID, which validates shell extensions before they are instantiated by the Windows shell or by Windows Explorer.
The macro attempts to start this process in a suspended state:
Figure 2: Starting a Process in Suspended State
Once the process has been created, it attempts to “hollow” out a process to hide itself:
Figure 3: Details of the Target Process
Figure 4: Malicious Code Overrides the Target Process, i.e. “Hollowing”
Notice that the malicious code just writes the floating executable into the target process and then redirects the main thread to its entrypoint.
What does that really mean? Hancitor will try to create the suspended verclsid.exe process and then start a hidden command prompt that acts as a “reverse shell” awaiting further instruction.
To receive that further instruction, the malicious code then attempts to connect to the C2 server and provide it with some basic information about the machine (machine name, OS, IP, etc).
After that, Hancitor attempts to download an msiexec.exe to install further malware. The additional malware component is usually the Pony botnet component, which tends to steal data. For instance, it has several cryptographic routines it can use to decrypt passwords for various applications.
Pony is also hard to detect by sandboxes and other security solutions that look at malware “detonation”, because it tends to just “sit there” dormant for a while: it has a “timer”, so to speak, and only after a certain time does it execute its payload.
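The process chain described above (Word macro, verclsid.exe started suspended and hollowed, hidden cmd.exe, C2 check-in, then the msiexec.exe stage) expressed as detection logic over process-creation and network events. This is an added example, not enSilo's code; the events are constructed, and their field names are simplified assumptions rather than Sysmon's exact schema.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
HOLLOWED_HOST = "verclsid.exe"           # legacy binary the macro starts suspended
FOLLOW_ON = {"cmd.exe", "msiexec.exe"}    # hidden prompt, then the installer stage

# Constructed sample telemetry, Sysmon-like (id 1 = process create, id 3 = network
# connect). Field names are simplified assumptions, not Sysmon's exact schema.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 3020, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
    # benign: Explorer validating a shell extension, which is verclsid.exe's real job
    {"id": 1, "pid": 3300, "ppid": 3020, "image": r"C:\Windows\System32\verclsid.exe"},
    {"id": 1, "pid": 4000, "ppid": 3020, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # malicious chain started by the macro
    {"id": 1, "pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\verclsid.exe"},
    {"id": 1, "pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "pid": 4100, "image": r"C:\Windows\System32\verclsid.exe", "dst": "203.0.113.7:80"},
    {"id": 1, "pid": 4300, "ppid": 4100, "image": r"C:\Windows\System32\msiexec.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path (ntpath also works off-Windows)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, pid, detail) findings; events must be in chronological order."""
    procs = {}       # pid -> image name, so a child can be tied to its parent's image
    findings = []
    for ev in events:
        img = image_name(ev["image"])
        if ev["id"] == 1:
            procs[ev["pid"]] = img
            parent = procs.get(ev["ppid"], "unknown")
            if img == HOLLOWED_HOST and parent in OFFICE_APPS:
                findings.append(("office_spawned_verclsid", ev["pid"], parent))
            elif parent == HOLLOWED_HOST and img in FOLLOW_ON:
                findings.append(("verclsid_child_process", ev["pid"], img))
        elif ev["id"] == 3 and img == HOLLOWED_HOST:
            # verclsid.exe has no business talking to the network; the hollowed
            # copy does so to check in with the C2 server.
            findings.append(("verclsid_network_connection", ev["pid"], ev["dst"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

The benign Explorer-launched verclsid.exe produces no finding, while the macro-launched copy trips all three rules.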
With the botnet component of Pony residing on the infected machine, attackers can further leverage the infected machine to distribute other malicious campaigns such as ransomware.
Given the non-targeted nature of Hancitor and the fact that it was targeting a few unrelated customers of ours, we predict that we’ll continue to see Hancitor in the wild. Once a device is infected, attackers will attempt to leverage Hancitor to exfiltrate data, or to maliciously encrypt it (as with ransomware).
We predict that we’ll continue to witness variants of fileless malware given their evasiveness in the face of file-inspecting security solutions. In fact, just recently it was reported that fileless malware was discovered in the networks of more than 140 banks globally.
What can be done:
- As a basic security practice, we urge users to enable the Microsoft Office 2016 features that prevent macros from executing in attached files that come from “non-trusted zones”.
- Deploy a security solution that can deal with Fileless Malware
- Ensure your security solution is practical, allowing employees to continue working as usual. In other words, your security solution cannot demand that IT admins disable macros or other scripting languages.
enSilo protects against Hancitor and other Fileless Malware - see how.