I’m tracking a Hancitor campaign at the moment. Hancitor is fileless malware: it is delivered by a malicious document and injected directly into the memory space of another process rather than written to disk as its own executable.
Hancitor maldocs are easily recognizable due to the inclusion of bad song lyrics and/or book quotes in the macros. The current campaign seems to have started somewhere around the first of the month, and includes the lyrics to “Hurricane,” by Luke Combs. I have a YARA rule in place to monitor for new samples:
rule hancitor {
    meta:
        description = "Rule to find new samples of the most recent Hancitor campaign"
        author = "@biebsmalwareguy"
    strings:
        $s0 = "hit me like a hurricane" nocase
        $s1 = "whiskey on ice" nocase
        $s2 = "We can get there either by train or by airplane" nocase
        $s3 = "We usually use a bicycle" nocase
        $s4 = "That fat lady over" nocase
        $s5 = "He petted the lobster" nocase
        $s6 = "You have been the one" nocase
        $s7 = "Shared your dreams and shared your bed" nocase
    condition:
        ($s0 and $s1) or ($s2 and $s3) or ($s4 and $s5) or ($s6 and $s7)
}
That signature should catch any document related to the current campaign, or the two most recent ones.
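As an added illustration (not code from the original post), the following Python mirrors the rule's condition in plain code: each lyric pair must be present case-insensitively, and any one complete pair is enough. It also de-duplicates submitted files by SHA-256 before matching, since the same sample often turns up more than once during tracking. The sample bytes are constructed for the example and are not real maldocs.

```python
import hashlib

# String pairs taken from the YARA rule above; both halves of a pair must be
# present (nocase) for that pair to fire.
PAIRS = [
    (b"hit me like a hurricane", b"whiskey on ice"),
    (b"We can get there either by train or by airplane", b"We usually use a bicycle"),
    (b"That fat lady over", b"He petted the lobster"),
    (b"You have been the one", b"Shared your dreams and shared your bed"),
]


def matches_hancitor(data: bytes) -> bool:
    """Equivalent of: ($s0 and $s1) or ($s2 and $s3) or ($s4 and $s5) or ($s6 and $s7)."""
    lowered = data.lower()  # YARA 'nocase' -> compare against lower-cased content
    return any(a.lower() in lowered and b.lower() in lowered for a, b in PAIRS)


def triage(samples):
    """Hash each sample with SHA-256, skip duplicates, and report rule hits.

    Returns {sha256_hex: matched} with one entry per unique sample.
    """
    results = {}
    for data in samples:
        digest = hashlib.sha256(data).hexdigest()
        if digest in results:
            continue  # identical file submitted twice; count it once
        results[digest] = matches_hancitor(data)
    return results


# Constructed sample content (hypothetical, not real maldocs): a full lyric pair in
# mixed case, only one half of a pair, and an exact duplicate of the first sample.
SAMPLES = [
    b"Sub AutoOpen()\n' HIT ME LIKE A HURRICANE\n' Whiskey on Ice\nEnd Sub",
    b"Sub AutoOpen()\n' hit me like a hurricane\nEnd Sub",
    b"Sub AutoOpen()\n' HIT ME LIKE A HURRICANE\n' Whiskey on Ice\nEnd Sub",
]

if __name__ == "__main__":
    for digest, hit in triage(SAMPLES).items():
        print(digest, "MATCH" if hit else "no match")
```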
Samples associated with the current campaign, thus far:
I’ll try to keep up to date on any new discoveries.
Article Link: https://biebermalware.wordpress.com/2017/08/10/hancitor-pony-campaign/