Kang-Wei Chang
Security Research Engineer

Strikepack ATI-2020-08 Attack Campaigns

May 5, 2020 by Kang-Wei Chang

he ATI Team has started to release a new type of cyberattack during the last month. Attack campaigns, in the BreakingPoint terminology, are smart StrikeLists that will represent every part of a real-world attack kill chain.

The ATI-2020-08 StrikePack includes one new campaign scenario: Hancitor Malware Infection April 2020. This is a very timely campaign because it uses a phishing attack that includes COVID-19 text. Because of the pandemic, this approach could be more successful than standard phishing campaigns. In this case, the Hancitor Malware Infection April 2020 Campaign simulates a user receiving a phishing email. By clicking the attacker’s link, the user will download and install the malware file. From this point onwards call-backs to the command and control (C&C) are executed. It is simulating the campaign documented here


The malware campaign begins via a phishing email that entices the user to download a malicious VBS file. The first strike, E20-XZ22L, simulates a phishing email that has been seen in the wild during the COVID-19 pandemic. The Strike is delivered over the SMTP protocol to represent the email vector and contains COVID-19 Insurance- themed material.

The second Strike, M20-Haacd1, simulates the network-visible actions if a user had clicked the link in the email. The Strike performs an HTTP GET request, resulting in the download of a 'VBS' module over the transport protocol HTTP.

The final strike, B20-bje71, simulates the successful installation of the ‘VBS’ module. First, the client connects to api.ipify.com to get its IP address. 


Finding the IP address

Host/OS-Version data is then exfiltrated via an HTTP GET request. The server replies with data encoded using a custom algorithm discovered by the ATI research team. The encoding scheme is Base64Encode( XOR ( URL List ) ). This is used for the next phase of the attack in which requests are made.


Retrieving the URL list

The decoded URL list looks like the following after further analysis. There are two arrays that contain 2 payload URLs each.


The client sends another HTTP POST request. The server then replies with unknown binary data.


The final strike, B20-k4zy1, simulates 2 unknown payload downloads by the victim performing HTTP requests GET /1 and GET /2. The generated traffic appears to be an SSL-based download over a non-standard port (80). But we were not able to determine what is being downloaded because the servers were down at the time of this writing and we were not able to independently confirm/detonate


GET/1 Request


Get /2 Request

COVID-19 targeted phishing attack is still in the wild as the COVID-19 pandemic continues. One single click leads to critical compromise including malware infection or data exfiltration.

The ATI research team will continue to strive to deliver valuable, timely content of this nature in every release. Please provide us feedback regarding this and other BreakingPoint content! 


Ixia's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Ixia test platforms. The ATI Research Center continuously monitors threats as they appear in the wild. Customers of BreakingPoint have now access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks.