Kang-Wei Chang
Security Research Engineer
Blog

BreakingPoint Attack Campaign Simulates COVID-19 Phishing Malware Called Hancitor

May 5, 2020 by Kang-Wei Chang

Last month, the Application and Threat Intelligence (ATI) team released a new type of cyberattack called Attack Campaigns. These smart Strikelists allow BreakingPoint users to test devices and networks with packaged attacks that represent every part of a real-world attack kill chain. You can find details about the first Attack Campaigns we’ve released in these blogs:

The ATI-2020-08 Strikepack includes a new Attack Campaign scenario: Hancitor Malware Infection April 2020. This is a very timely Campaign because it uses a phishing attack that includes COVID-19 text. Because of the pandemic, this approach could be more successful than standard phishing campaigns.

The Hancitor Malware Infection April 2020 Campaign simulates a user receiving a phishing email. By clicking the attacker’s link, the user will download and install the malware file. From this point onwards, call-backs to the command and control (C&C) are executed. It is simulating the campaign documented here and it includes four strikes as shown in the following image.

1

1. The malware campaign begins via a phishing email that entices the user to download a malicious VBS file. The first strike, E20-XZ22L, simulates a phishing email that has been seen in the wild during the COVID-19 pandemic. The strike is delivered over the SMTP protocol to represent the email vector and contains COVID-19 Insurance themed material.

2. The second strike, M20-Haff91, simulates network-visible actions if a user has clicked the link in the email. The strike performs an HTTP GET request, resulting in the download of the 'VBS' module over the transport protocol HTTP.

3. The third strike, B20-bje71, simulates the ‘successful’ installation of the ‘VBS’ module, self-extraction and execution of the Hancitor malware by: 

  • Sending an HTTP request for the registration to the C&C server that looks like the following image. The server appears to acknowledge by sending the requesting IP address of the client.

2

  • Host/OS-Version data is then exfiltrated via an HTTP GET request – The server replies with data encoded using a custom algorithm discovered by one of our ATI researchers. The algorithm works like: Base64Encode( XOR ( URL List ) ). This is used for the next phase of the attack in which requests are made.

3

  • The decoded URL list looks like the following after further analysis. There are two arrays that contain 2 payload URLs each.

4

  • The client sends an HTTP POST request – The server then replies with unknown binary data

5

4. The final strike, B20-k4zy1, simulates 2 unknown payload downloads by the victim performing HTTP requests GET /1 and GET /2. The generated traffic appears to be an SSL-based download over a non-standard port (80). But we were not able to determine what is being downloaded because the servers were down at the time of this writing and we were not able to independently confirm/detonate.

  • GET /1 request

6

  • GET /2 request

7

The ATI research team will continue to strive to deliver valuable, timely content of this nature in every release. 

LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS

Ixia's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Ixia test platforms. The ATI Research Center continuously monitors threats as they appear in the wild. Customers of BreakingPoint have now access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks.