Rewterz

Rewterz Threat Alert – Hancitor InfoStealer – Active IOCs

Severity

High

Analysis Summary

Hancitor is an information stealer and malware downloader commonly attributed to the threat group TA511, and the actor pushing it has displayed consistent patterns of infection activity. In October 2020 Hancitor infections began delivering Cobalt Strike, and in recent months some of these infections have used a network ping tool to enumerate the infected host's Active Directory (AD) environment. Normal ping activity within a Local Area Network (LAN) is low to nonexistent, but this tool generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic as it pings more than 17 million addresses of internal, non-routable IPv4 space, which makes the sweep conspicuous in flow and IDS telemetry.
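The sweep described above is easy to detect once you count distinct private destinations per source. The following Python script is an added example, not part of the Rewterz advisory or of the actor's tooling: the flow-record format, the sample records and the 256-target threshold are all constructed for illustration, and parse_flow() would be adapted to whatever NetFlow or Zeek export you actually have.

```python
"""Spot an internal ICMP sweep of the kind the Hancitor-delivered ping tool
produces: one host sending ICMP to an abnormally large number of distinct
RFC 1918 addresses.

Added example, not part of the advisory. The record format and the records
themselves are constructed; adapt parse_flow() to your own flow export.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges: the "internal, non-routable IPv4 address space" the tool
# enumerates. Together they hold 17,891,328 addresses.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if ip falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flow(line):
    """Parse one constructed record: '<epoch> <proto> <src> <dst> <bytes>'."""
    ts, proto, src, dst, nbytes = line.split()
    return {"ts": int(ts), "proto": proto.lower(),
            "src": src, "dst": dst, "bytes": int(nbytes)}


def find_icmp_sweeps(lines, min_targets=256):
    """Return {src: (distinct_private_targets, icmp_bytes)} for every source
    that sent ICMP to at least min_targets distinct private addresses.

    The threshold is an assumption: set it above what monitoring hosts and
    helpdesk pings normally produce on your LAN.
    """
    targets = defaultdict(set)
    volume = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow["proto"] != "icmp" or not is_private(flow["dst"]):
            continue
        targets[flow["src"]].add(flow["dst"])
        volume[flow["src"]] += flow["bytes"]
    return {src: (len(dsts), volume[src])
            for src, dsts in targets.items() if len(dsts) >= min_targets}


# Constructed sample: one host sweeping 300 consecutive addresses in
# 10.1.0.0/16 with 84-byte echo requests, plus ordinary traffic from another.
SAMPLE_FLOWS = ["# ts proto src dst bytes"]
SAMPLE_FLOWS += [f"1633500000 icmp 10.0.0.5 10.1.{i // 256}.{i % 256} 84"
                 for i in range(300)]
SAMPLE_FLOWS += [
    "1633500001 icmp 10.0.0.9 10.0.0.1 84",     # single ping to the gateway
    "1633500002 tcp 10.0.0.9 10.0.0.2 1500",    # not ICMP
    "1633500003 icmp 10.0.0.9 8.8.8.8 84",      # ICMP, but not to private space
]

if __name__ == "__main__":
    for src, (count, nbytes) in find_icmp_sweeps(SAMPLE_FLOWS).items():
        print(f"{src}: ICMP to {count} distinct private hosts, {nbytes} bytes")
```

As a sanity check on the advisory's figures: the three RFC 1918 ranges hold 17,891,328 addresses, and at roughly 84 bytes per echo request on the wire (a 56-byte payload plus ICMP and IPv4 headers, an assumed packet size) a full sweep is about 1.50 GB, matching the volume quoted above.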

The chain of events for recent Hancitor infections is:

  • Email with a link to a malicious page hosted on Google Drive.
  • Link from the Google Drive page to a URL that returns a malicious Word document.
  • Victim enables macros (per instructions in the Word document text).
  • Hancitor DLL is dropped and run using rundll32.exe.
  • Hancitor generates command and control (C2) traffic.
  • Hancitor C2 most often leads to Ficker Stealer malware.
  • Hancitor C2 leads to Cobalt Strike activity in AD environments.
  • Hancitor-related Cobalt Strike activity can send other files, such as a network ping tool or malware based on the NetSupport Manager Remote Access Tool (RAT).
  • In rare cases, a Hancitor infection is followed by Send-Safe spambot malware that turns the infected host into a spambot pushing more Hancitor-based malspam.
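The macro-to-rundll32 step of this chain is the one most visible in endpoint telemetry: an Office process spawning rundll32.exe to load a DLL from a directory the user can write to. The following Python script is an added example, not part of the advisory. The events are constructed in a Sysmon Event ID 1-like shape (Image, ParentImage, CommandLine, ProcessId); the paths, PIDs and the ",Run" export name are invented for illustration, and the set of user-writable path fragments is an assumption.

```python
"""Flag the 'enable macros -> DLL dropped -> rundll32.exe' step of the chain
above in process-creation telemetry.

Added example, not part of the advisory. Events are constructed; field names
mirror Sysmon Event ID 1 but the records are invented.
"""
import re
from pathlib import PureWindowsPath

# Office binaries whose macros are the usual Hancitor entry point.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Path fragments a macro can write to without elevation (assumed typical set).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# First .dll argument on a rundll32 command line, quoted or bare.
DLL_ARG = re.compile(r'(?i)"([^"]+\.dll)"|(\S+\.dll)')


def rundll32_target(cmdline):
    """Return the DLL path rundll32 was asked to load, or None."""
    m = DLL_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def is_user_writable(path):
    """True if the path sits under a directory an unprivileged user can write."""
    return any(frag in path.lower() for frag in USER_WRITABLE)


def evaluate(event):
    """Return the reasons this rundll32 launch matches the Hancitor pattern,
    or None if the event is not a suspicious rundll32 launch."""
    if PureWindowsPath(event["Image"]).name.lower() != "rundll32.exe":
        return None
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    dll = rundll32_target(event["CommandLine"])
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"rundll32.exe spawned by Office process {parent}")
    if dll and is_user_writable(dll):
        reasons.append(f"DLL loaded from user-writable path: {dll}")
    return reasons or None


def find_suspicious(events):
    """Return [(ProcessId, reasons)] for events matching one or more rules."""
    hits = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            hits.append((event["ProcessId"], reasons))
    return hits


# Constructed events: a benign Control Panel launch, the Hancitor-style launch,
# an Office child loading a system DLL, and a non-rundll32 child of Word.
SAMPLE_EVENTS = [
    {"ProcessId": 988, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ProcessId": 1204, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\invoice.dll,Run"},
    {"ProcessId": 1310, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\System32\url.dll,FileProtocolHandler'},
    {"ProcessId": 1400, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The Office-parent rule alone also fires on legitimate add-ins and URL handlers (the third sample event), so the two conditions together, Office parent plus a DLL under a user-writable path, are the signal worth paging on; the single-condition hits are worth a lower-severity alert.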

Impact

  • Information Theft
  • Data Exfiltration

Indicators of Compromise

MD5

  • e29e36e214a7304a0fb7d653783bb0ad

SHA-256

  • 1fd0f358265bd5dbd84c73764f572a761ee51112f87fe911b9616085cc3a38ea
  • bbee3c0d6b671a98e54a19df0ebcca30a4769c424ba0dbec274d5542a036c715
  • 6a3fe567d68e865338ff8cbf4a28259d0232c103fc1e3708d9031743a80da04c
  • c880d0743282bf8c2c340d622992c9dbe1fa4bf84001f23cc3cb74377c5f1d5f
  • 1f3d689e70b06ec584581f235a250aae198c1e88ee4fd0ff83a337735a38e7a4
  • ea262a1870f46ce76c1f6e38bf86de180fd51590c34870e62551d5882710cbfb
  • 3ecd7b0bdc95ae07543347267f5e4ec572150d00829682351cfe6571f3d65b26
  • 9481c36bd2cc5592f5dfde1eb8da1c55d618c42df22b1db8ec28f8b26dbd6a3f

SHA-1

  • 116151e72daaa8bbbad5edfcec520c626c948f01

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Do not enable macros in documents received by email or fetched from links, regardless of any instructions in the document itself.
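One way to act on "search for IOCs in your environment" is to hash files on disk and compare them with the digests listed above. The following Python script is an added example, not part of the advisory: it carries the advisory's MD5, SHA-1 and SHA-256 values in IOC_HASHES, computes all three digests in a single pass per file, and reports matches. self_check() exercises it against a constructed, harmless file in a temporary directory.

```python
"""Hunt for the hashes listed in this advisory on a file system.

Added example, not part of the advisory. Every regular file below a root is
hashed with MD5, SHA-1 and SHA-256 in one read and compared against
IOC_HASHES (copied from the Indicators of Compromise section above).
"""
import hashlib
import io
import tempfile
from pathlib import Path

IOC_HASHES = {
    "md5": {"e29e36e214a7304a0fb7d653783bb0ad"},
    "sha1": {"116151e72daaa8bbbad5edfcec520c626c948f01"},
    "sha256": {
        "1fd0f358265bd5dbd84c73764f572a761ee51112f87fe911b9616085cc3a38ea",
        "bbee3c0d6b671a98e54a19df0ebcca30a4769c424ba0dbec274d5542a036c715",
        "6a3fe567d68e865338ff8cbf4a28259d0232c103fc1e3708d9031743a80da04c",
        "c880d0743282bf8c2c340d622992c9dbe1fa4bf84001f23cc3cb74377c5f1d5f",
        "1f3d689e70b06ec584581f235a250aae198c1e88ee4fd0ff83a337735a38e7a4",
        "ea262a1870f46ce76c1f6e38bf86de180fd51590c34870e62551d5882710cbfb",
        "3ecd7b0bdc95ae07543347267f5e4ec572150d00829682351cfe6571f3d65b26",
        "9481c36bd2cc5592f5dfde1eb8da1c55d618c42df22b1db8ec28f8b26dbd6a3f",
    },
}


def hash_stream(fh, chunk_size=1 << 20):
    """Digest a binary stream with all three algorithms in one read."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
               "sha256": hashlib.sha256()}
    for block in iter(lambda: fh.read(chunk_size), b""):
        for h in digests.values():
            h.update(block)
    return {algo: h.hexdigest() for algo, h in digests.items()}


def hash_bytes(data):
    """Digest an in-memory byte string (handy for tests and carved samples)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def hunt(root, iocs=IOC_HASHES):
    """Return [(path, algorithm, digest)] for files whose digest is in iocs.
    Files that cannot be opened (locked, permission denied) are skipped."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digests = hash_file(path)
        except OSError:
            continue
        for algo, digest in digests.items():
            if digest in iocs.get(algo, ()):
                hits.append((str(path), algo, digest))
    return hits


def self_check():
    """Write a constructed file, confirm it matches a synthetic IOC set built
    from its own SHA-256, and that it does not match the advisory's IOCs."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.dll"
        sample.write_bytes(b"constructed sample file, not malware\n")
        synthetic = {"sha256": {hash_file(sample)["sha256"]}}
        return hunt(tmp, synthetic), hunt(tmp)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, digest in hunt(root):
        print(f"MATCH {algo} {digest} {path}")
```

Run it as `python hunt.py C:\Users` (or against a mounted forensic image) and feed matches to your incident tracker; hashing everything rather than filtering by extension matters here because the dropped Hancitor DLL need not carry a .dll suffix.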
