Despite its relatively small pool of viable targets, the malicious Windows-based downloader Hancitor continues to surface in malspam campaigns that recently have relied heavily on distribution servers set up via fraudulent hosting provider accounts, a new blog post report states.

Researchers at Palo Alto Networks' Unit 42 threat intelligence team reported in a Feb. 7 blog post that they continue to detect several hundred samples of Hancitor per month, typically with large spikes of activity in the middle of the typical Monday-Friday work week. The numbers indicate that adversaries still find the malware to be viable, even though up-to-date versions of Windows would typically catch it, the post states.

Designed to infect computers with secondary malware, especially banking trojans, Hancitor (aka Chanitor or Tordal) historically has been delivered in email spam campaigns featuring either malicious attachments or links to distribution servers hosting malicious Hancitor documents. Some of these webservers have been compromised, but in many recent cases actors have deliberately set them up to host the malware.

"Since early October 2017, these distribution servers have usually been servers set up through fraudulent accounts at hosting providers. In September through November 2017, links from Hancitor malspam occasionally resolved to these domain names without any additional text in the URL," states the blog post, written by researchers Vicky Ray and Brad Duncan.

Moreover, "In recent weeks, links from this malspam have been using a custom encoding to disguise the recipient's email address in the URL." Having the email address in the URL is a way to track victims, the blog post explains.

The researchers further noted that most of the malicious webservers registered with hosting providers are located in the U.S., while the majority of compromised domains are based in Asia, and often owned by small and medium businesses.