
Evolving Hancitor downloader remains alive and well, relying on malicious hosted servers

Despite its relatively small pool of viable targets, the malicious Windows-based downloader Hancitor continues to surface in malspam campaigns, which recently have relied heavily on distribution servers set up through fraudulent hosting-provider accounts, according to a new blog post.

Researchers at Palo Alto Networks' Unit 42 threat intelligence team reported in a Feb. 7 blog post that they continue to detect several hundred samples of Hancitor per month, typically with large spikes of activity in the middle of the Monday-Friday work week. The numbers indicate that adversaries still find the malware viable, even though up-to-date versions of Windows would typically catch it, the post states.

Designed to infect computers with secondary malware, especially banking trojans, Hancitor (aka Chanitor or Tordal) historically has been delivered in email spam campaigns featuring either malicious attachments or links to distribution servers hosting malicious Hancitor documents. Some of these webservers have been compromised, but in many recent cases actors have deliberately set them up to host the malware.

"Since early October 2017, these distribution servers have usually been servers set up through fraudulent accounts at hosting providers. In September through November 2017, links from Hancitor malspam occasionally resolved to these domain names without any additional text in the URL," states the blog post, written by researchers Vicky Ray and Brad Duncan.

Moreover, "In recent weeks, links from this malspam have been using a custom encoding to disguise the recipient's email address in the URL." Having the email address in the URL is a way to track victims, the blog post explains.
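A defender's triage check for the tracking trick described above, written as an added example (it is not Unit 42's code, and the post characterises the real encoding only as "custom", so hex and base64 are used here as assumed stand-ins). The routine pulls URLs out of constructed proxy-log lines, tries plain, hex and base64 readings of each path or query token, and flags any that decode to an email address. Domain names, IP addresses and log lines are all constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

# Email-address shape used to recognise a decoded recipient identifier.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://\S+")


def _candidate_decodings(token):
    """Yield (encoding_label, plaintext) readings of one URL token.

    Hex and base64 are assumptions for illustration: the source describes
    the campaign's encoding only as 'custom', so a real detection would
    add the scheme observed in the wild once it is known.
    """
    yield "plain", token
    # Hex: even length and hex digits only.
    if len(token) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", token):
        try:
            yield "hex", bytes.fromhex(token).decode("utf-8", "ignore")
        except ValueError:
            pass
    # Base64 (standard and URL-safe), tolerating stripped padding.
    padded = token + "=" * (-len(token) % 4)
    for label, decoder in (("base64", base64.b64decode),
                           ("base64url", base64.urlsafe_b64decode)):
        try:
            yield label, decoder(padded).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            pass


def find_embedded_email(url):
    """Return (token, email, encoding) for the first URL token that decodes
    to an email address, or None when nothing in the URL looks like one."""
    parsed = urlparse(url)
    tokens = [t for t in parsed.path.split("/") if t]
    if parsed.query:
        tokens += [t for t in re.split(r"[&=]", parsed.query) if t]
    for raw in tokens:
        tok = unquote(raw)
        for label, decoded in _candidate_decodings(tok):
            match = EMAIL_RE.search(decoded)
            if match:
                return tok, match.group(0), label
    return None


def scan_log(text):
    """Scan constructed proxy-log text; return one hit per flagged URL."""
    hits = []
    for line in text.splitlines():
        for url in URL_RE.findall(line):
            found = find_embedded_email(url)
            if found:
                token, email, label = found
                hits.append({"url": url, "email": email, "encoding": label})
    return hits


# Constructed sample log lines (not real traffic); the first two carry an
# encoded recipient address in the URL path, the third is benign.
PROXY_LOG = """\
2018-02-07T09:12:41Z 10.1.2.30 GET http://hosting-example.test/616c696365406578616d706c652e636f6d
2018-02-07T09:13:05Z 10.1.2.31 GET http://hosting-example.test/Ym9iQGV4YW1wbGUub3Jn
2018-02-07T09:14:22Z 10.1.2.32 GET http://intranet.example.test/docs/invoice.php?id=42
"""

if __name__ == "__main__":
    for hit in scan_log(PROXY_LOG):
        print(f"{hit['encoding']:9} {hit['email']:20} {hit['url']}")
```

Matching the decoded address against the organisation's own user list turns a hit into a confirmed click by a named recipient, which is the kind of per-victim tracking the post describes the attackers using for their own purposes.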

The researchers further noted that most of the malicious webservers registered with hosting providers are located in the U.S., while the majority of compromised domains are based in Asia, and often owned by small and medium businesses.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
