What's happening: A new wave of phishing emails is delivering Hancitor, a macro-based downloader malware hidden in Word documents
What Hancitor does:Hancitor attempts to detect and bypass traditional defenses, using an embedded executable and DLL calls to launch and grab additional payloads
Worrying trend:The additional functionality is unusual for macro malware, and could be a sign of advances in features and sophistication to come
Protection:Barkly was able to detect and stop Hancitor on a customer’s machine even though it slipped past the customer's antivirus
Macro-based malware disguised as invoice
Earlier this week, we received an alert from one of our user’s machines that Barkly had stopped a piece of macro-based malware that had slipped by the user's antivirus. The would-be victim had received a phishing email with a Word document disguised as an invoice. When they opened it they received instructions that indicated the document was protected and that in order to read it, “content” (macros) needed to be enabled.
The screenshot below provides a good example of how attackers are getting more clever in their attempts to make their messages and suggestions to enable macros look more legitimate.
Tell your users to scrutinize emailed invoice docs before opening them. If they do open a document and see a screen like this they should close it and report the incident immediately.
By enabling macros, the user inadvertently allowed malware hidden in the Word doc to leverage that functionality to launch an attack.
With Barkly installed, the attack was automatically stopped, but with additional follow-up analysis we were able to identify the malware as Hancitor, a downloader that appears to be experiencing a resurgence (researchers at Proofpoint, Minerva, and Palo Alto have seen a new spike, as well).
The payloads this particular wave of Hancitor is dropping are Pony and Vawtrak (trojans designed to steal confidential information, passwords, and/or credentials), but that can easily change in the near future. It's just as likely the next wave could drop ransomware like Locky or Zepto, or even a new strain of malware that hasn't been widely discovered and analyzed yet.
That's what makes stopping the attack at the downloader stage so beneficial. Because Barkly is able to recognize Hancitor's attempted behavior as malicious, it doesn't matter what the additional payload is. The attack gets stopped at the outset, before the downloader can do its thing.
For security products relying solely on signature-based detection, the only way they can stop it is if the signature of the downloader or the eventual malware payload matches an existing signature that they have on file. In other words, they may be able to stop some Hancitor attacks, but not others. It all comes down to how quickly and comprehensively new signatures are able to be created and implemented (and with hundreds of thousands of malware variants being reported every day, it's a tall order).
With its use of macros, we originally suspected the malware in question was Locky/Zepto/Dridex. That is, until we noticed it doing two things that are fairly uncommon for macro-malware:
Leveraging a 2nd-stage executable payload embedded directly into the Word doc.
The reason that’s unusual is that most malicious macros have a single purpose: call back to a C2 server to download and execute an additional malware payload that has deeper functionality (ex: in the case of ransomware, the executable that actually encrypts your files).
One thing that makes this latest version of Hancitor stand out is that its payload is already bundled as a binary object directly in the Word doc. It’s this payload that pings the C2 server. What it receives are pointers back to two additional binary objects (one executable and one DLL), which it downloads and executes.
Directly loading and executing dynamic linked library (DLL) calls.
In contrast, the majority of macro-based malware we encounter uses higher-level Visual Basic libraries and objects to gain operating system resources.
Translation:This sample of Hancitor uses a more advanced loading process than your average macro malware. It’s designed to do things a little differently in order to actively throw traditional security tools off the scent.
Another notable finding is that the comments in the malware are the lyrics of a pop/reggae song called “Ikone pop kulture” from a Serbian alternative band called S.A.R.S. We found a video for the song on YouTube and it wasn’t a bad listen while tearing apart the sample.
A larger trend?
Although we’re still seeing malware authors reach out for subsequent payload stages, macro-based malware like Hancitor is growing in sophistication from dumb downloaders/droppers to more intelligent, full-featured malware capable of detecting and bypassing traditional security tools.
What you can do to protect yourself
Macro-based malware is extremely prevalent. It usually arrives in large phishing campaigns that can target multiple users in your organization. In addition to sharing this alert, here are four major steps you can take to minimize this threat:
Filtering out malicious emails before they can reach your end users is a good step in theory. Enabling gateway filtering like SPF/DKIM/DMARC will cut down on overall spam and spoofed emails, but it may also cut off some legitimate email providers, so it’s a business decision that may not work for everyone.
Depending on your organization's size/budget, you may want to consider an email gateway/provider that can filter out certain attachments (e.g. Lastline, FireEye, Ironport), or go with a hosted provider that can do it for you (e.g. Google Apps and Microsoft 365 Hosted Exchange).
Centrally log new endpoint events (i.e. new processes) and network events, if possible. Knowing who clicked on what and being able to pin that to a timeline can be valuable during incident response phase. But again, depending on your size/budget this may not be a feasible option. And sometimes with remote workers and BYOD it can also be difficult to implement.
As always, a layered approach is best, but the good news is, with the right tools, education, and processes in place you can protect your organization from this and other attacks.