Hancitor > Pony campaign

I’m tracking a Hancitor campaign at the moment. Hancitor is fileless malware: a malicious document injects it directly into the memory space of another process, so the payload itself never touches disk.

Hancitor maldocs are easily recognizable because their macros contain bad song lyrics and/or book quotes. The current campaign seems to have started somewhere around the first of the month, and includes the lyrics to “Hurricane,” by Luke Combs. I have a YARA rule in place to monitor for new samples:

rule hancitor {
    meta:
        description = "Rule to find new samples of the most recent Hancitor campaign"
        author = "@biebsmalwareguy"
    strings:
        // current campaign ("Hurricane" lyrics)
        $s0 = "hit me like a hurricane" nocase
        $s1 = "whiskey on ice" nocase
        // string pairs from the two previous campaigns
        $s2 = "We can get there either by train or by airplane" nocase
        $s3 = "We usually use a bicycle" nocase
        $s4 = "That fat lady over" nocase
        $s5 = "He petted the lobster" nocase
        $s6 = "You have been the one" nocase
        $s7 = "Shared your dreams and shared your bed" nocase
    condition:
        ($s0 and $s1) or ($s2 and $s3) or ($s4 and $s5) or ($s6 and $s7)
}

That signature should catch any document related to the current campaign, or the two most recent ones.
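As an added triage helper (my own example, not the author's tooling), here is the same string-pair logic in Python. Unlike the YARA rule, it reports which pair fired, so a hit can be tied to a specific campaign; the pair labels are my own, and the scanner runs over whatever bytes you hand it, for example macro source extracted with olevba.

```python
"""Mirror of the Hancitor YARA rule's condition, with per-pair attribution.

Added example, not the original post's code.  The strings are the rule's own;
the labels are assumptions chosen for readability.
"""
from pathlib import Path

# Each entry mirrors one parenthesised term of the rule's condition:
# a sample is a hit for that label only if BOTH strings are present.
PAIRS = [
    ("hurricane (current campaign)",
     ("hit me like a hurricane", "whiskey on ice")),
    ("train_or_airplane",
     ("We can get there either by train or by airplane",
      "We usually use a bicycle")),
    ("fat_lady_lobster",
     ("That fat lady over", "He petted the lobster")),
    ("been_the_one",
     ("You have been the one", "Shared your dreams and shared your bed")),
]


def fired_pairs(data: bytes) -> list[str]:
    """Labels whose strings all occur in data, case-insensitively (YARA 'nocase')."""
    hay = data.lower()
    return [label for label, strings in PAIRS
            if all(s.lower().encode() in hay for s in strings)]


def matches(data: bytes) -> bool:
    """Equivalent of the rule firing at all: any one pair is complete."""
    return bool(fired_pairs(data))


def scan_dir(root: Path) -> dict[str, list[str]]:
    """Scan every regular file under root; return {path: fired labels} for hits only."""
    hits: dict[str, list[str]] = {}
    for p in root.rglob("*"):
        if p.is_file():
            labels = fired_pairs(p.read_bytes())
            if labels:
                hits[str(p)] = labels
    return hits


# Constructed macro text for a self-test; not a real sample.
SAMPLE_MACRO = b"""Sub AutoOpen()
    ' Hit Me Like A Hurricane
    ' whiskey on ice
End Sub"""

if __name__ == "__main__":
    print(fired_pairs(SAMPLE_MACRO))
```

A document that carries only one half of a pair (a single lyric line) is deliberately not a hit, exactly as in the rule, which keeps false positives from ordinary quotations low.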

Samples associated with the current campaign, thus far:


I’ll try to keep up to date on any new discoveries.


Article Link: https://biebermalware.wordpress.com/2017/08/10/hancitor-pony-campaign/