Hancitor, also known as Chanitor, is a macro-based downloader hidden in Word documents. It attempts to evade traditional defenses by carrying an embedded executable and using DLL (Dynamic Link Library) calls to launch and fetch additional payloads. The malware enters a system when a user opens an attachment delivered by a phishing e-mail. If macros are enabled, the Word document retrieves a Pony downloader DLL, which in turn retrieves and installs the Vawtrak malware.
This macro-based malware typically arrives disguised as an invoice. When the user opens the document, it displays a notice that the content is protected and that macros must be enabled to view it. By enabling macros, the user inadvertently lets the code hidden in the Word document run and launch the attack. Hancitor is designed to steal confidential information and passwords. According to Kaspersky's analysis, the phishing e-mail contains a Base64-encoded string representing the recipient's address, and the criminals use that string to insert the recipient's name into the file name of the Word document.
In August 2016, Palo Alto Networks identified a Hancitor variant designed to leverage the latest incarnation of H1N1 and to distribute the Pony and Vawtrak executables. In September 2016, however, FireEye reported that Hancitor's payload delivery had changed from its earlier approach: the attackers had shifted to native Windows API callback functions to execute their shellcode. Microsoft has said that incidents of macro-based malware hidden in Word files have been rising steadily and that 98 percent of Office-targeted attacks still use old-school macros.
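The personalization trick described above (the recipient's address Base64-encoded in the mail and the recipient's name in the attachment file name) lends itself to a simple triage check. The following Python is an added example, not code from the original article or from any of the vendors cited: it parses a constructed sample message (invented here, not a real Hancitor e-mail), decodes every Base64-looking token in the body and reports whether one of them is the recipient's own address and whether the attachment file name carries the recipient's name. The 16-character minimum token length and the sample addresses and domains are assumptions.

```python
import base64
import binascii
import re
from email import message_from_string
from email.utils import parseaddr

# Run of Base64 alphabet characters (standard or URL-safe) plus optional padding.
# The minimum length of 16 is an assumed threshold that skips ordinary words.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")

# Constructed sample message (not a real Hancitor e-mail). The link carries the
# recipient address Base64-encoded, and the attachment is named after her.
SAMPLE_EMAIL = """\
From: billing@example.invalid
To: jane.doe@corp.example
Subject: Invoice 7731 overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is attached. View it online:
http://example.invalid/view.php?id=amFuZS5kb2VAY29ycC5leGFtcGxl
--b1
Content-Type: application/msword; name="invoice_jane.doe_7731.doc"
Content-Disposition: attachment; filename="invoice_jane.doe_7731.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAA=
--b1--
"""


def decode_address_tokens(text):
    """Return the decoded form of every Base64 token in text that looks like an address."""
    hits = []
    for token in B64_TOKEN.findall(text):
        body = token.rstrip("=").replace("-", "+").replace("_", "/")
        padded = body + "=" * (-len(body) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64, or does not decode to text
        if "@" in decoded and decoded.isprintable():
            hits.append(decoded)
    return hits


def triage(raw_email):
    """Summarize the two personalization indicators for one message."""
    msg = message_from_string(raw_email)
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    local_part = recipient.split("@", 1)[0]
    decoded, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            decoded.extend(decode_address_tokens(text))
    return {
        "recipient": recipient,
        "decoded_tokens": decoded,
        "recipient_encoded_in_body": recipient in [d.lower() for d in decoded],
        "attachments": attachments,
        "attachment_named_after_recipient": bool(local_part)
        and any(local_part in name.lower() for name in attachments),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Both indicators firing on the same message is a strong sign of a templated, per-recipient phishing run of the kind the article describes; either one alone is only a hint, since legitimate mailers also encode identifiers in links.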
How to protect yourself from Hancitor attacks
Macro-based malware is extremely pervasive and spreading rapidly. It normally arrives in large phishing campaigns that target many users across different geographies. In addition to sharing this Hancitor alert, here are three significant steps you can take to protect yourself from this threat:
Email Filtering: Filtering out malicious e-mail is one of the best ways to protect the network from these attacks. It is advisable to deploy a gateway that enforces sender authentication (SPF, DKIM and DMARC), which blocks much spam and spoofed mail. On the flip side, such gateways sometimes also block legitimate mail, so the gateway should be chosen and tuned with care. Depending on the organization's size and budget, consider an e-mail gateway or provider that filters out risky attachment types, such as macro-enabled Office documents.
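An attachment filter should judge a document by its content rather than by its extension, since a macro-enabled document can be given a harmless-looking name. The following Python is an added example, not part of the original article or of any product mentioned in it: it classifies constructed sample attachments by inspecting their bytes, blocking OOXML documents that carry a VBA project (the vbaProject.bin part), holding legacy OLE binaries (the .doc format Hancitor documents were distributed in) for analysis because their macro streams cannot be checked here without an OLE parser, and allowing the rest. The sample files and the verdict names are assumptions.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file format used by .doc/.xls/.ppt.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Local file header that opens every zip-based (OOXML) Office document.
ZIP_MAGIC = b"PK\x03\x04"


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'.

    The filename is only reported, never trusted: the bytes decide.
    """
    if data.startswith(OLE_MAGIC):
        # A legacy .doc can hold VBA streams this check cannot see, so hold it.
        return "review", f"{filename}: legacy OLE document; inspect VBA streams before release"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "review", f"{filename}: zip container could not be parsed"
        if any(name.lower().endswith("vbaproject.bin") for name in names):
            return "block", f"{filename}: OOXML document carries a VBA project"
        if "[Content_Types].xml" in names:
            return "allow", f"{filename}: OOXML document without VBA project"
        return "review", f"{filename}: generic zip archive; unpack and scan"
    return "allow", f"{filename}: not an Office container"


def build_ooxml(with_vba):
    """Constructed minimal OOXML container holding only the parts the check looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (not real malware).
SAMPLES = {
    "invoice_7731.docm": build_ooxml(with_vba=True),
    "invoice_7731.docx": build_ooxml(with_vba=True),  # VBA project behind a .docx name
    "report.docx": build_ooxml(with_vba=False),
    "invoice_7731.doc": OLE_MAGIC + b"\x00" * 504,     # legacy binary Word file
    "notes.txt": b"plain text\n",
}


def filter_attachments(samples):
    """Map each attachment name to its verdict."""
    return {name: classify_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify_attachment(name, data)
        print(f"{verdict:6} {reason}")
```

In production the "review" bucket would be handed to a tool that parses OLE streams and extracts VBA (for example oletools' olevba), and the allow list would be narrowed further by policy; the point of the example is that the decision keys on container contents, so renaming invoice_7731.docm to invoice_7731.docx changes nothing.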
Endpoint Protection: Users must install standard antivirus protection that guards the system against malware and viruses. It is also recommended to install behavior-based protection, which can detect new and unknown malware that signatures miss.
User Education: Users are the last line of defense and the most vulnerable to malware attacks. Typically the recipient receives a message that creates a sense of urgency, tricking them into opening it and downloading the attachment. Hence it is not advisable to open or download documents received from an unknown sender, and macros should never be enabled simply because a document asks for it.
As always, a layered approach is best. With the right tools, education and processes in place, users can protect their organization's network from Hancitor and other types of malware attacks.