S0499 Hancitor
Hancitor is a downloader that has been used to deliver Pony and other information-stealing malware.[1][2]
Item | Value |
---|---|
ID | S0499 |
Associated Names | Chanitor |
Type | MALWARE |
Version | 1.0 |
Created | 12 August 2020 |
Last Modified | 16 October 2020 |
Associated Software Descriptions
Name | Description |
---|---|
Chanitor | [2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Hancitor has added Registry Run keys to establish persistence.[2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Hancitor has used PowerShell to execute commands.[2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Hancitor has decoded a Base64-encoded URL in order to insert the recipient's name into the filename of the downloaded Word document. Hancitor has also extracted executables from ZIP files.[1][2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Hancitor has deleted files using the VBA Kill function.[2] |
enterprise | T1105 | Ingress Tool Transfer | Hancitor has the ability to download additional files from its C2 server.[1] |
enterprise | T1106 | Native API | Hancitor has used the Windows API functions CallWindowProc and EnumResourceTypesA to execute shellcode.[2] |
enterprise | T1027 | Obfuscated Files or Information | Hancitor has used Base64 to encode malicious links. Hancitor has also delivered compressed payloads to victims in ZIP files.[1][2] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Hancitor has been delivered via phishing emails carrying malicious attachments.[2] |
enterprise | T1566.002 | Spearphishing Link | Hancitor has been delivered via phishing emails containing malicious links.[1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.012 | Verclsid | Hancitor has used verclsid.exe to download and execute a malicious script.[3] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | Hancitor has relied on users clicking a malicious link delivered through phishing.[1] |
enterprise | T1204.002 | Malicious File | Hancitor has used malicious Microsoft Word documents, sent via email, that prompted the victim to enable macros.[2] |
enterprise | T1497 | Virtualization/Sandbox Evasion | Hancitor's macro has checked that a specific ActiveDocument shape object is present in the lure document. If the object is not found, the macro exits without downloading additional payloads.[2] |
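The rows above describe behaviours, not detections. As an added example (not code from the ATT&CK page, from the cited reports, or from Hancitor itself), the following Python detector runs over constructed Sysmon-style process and registry events and flags the three observable patterns the table describes: an Office process spawning powershell.exe or verclsid.exe (T1059.001, T1218.012, T1204.002), a Base64-encoded URL hidden in a command line (T1027 / T1140), and a Run-key value pointing into a user-writable directory (T1547.001). The event field names, file paths, SID, GUID and URL are assumptions made for the example.

```python
"""Added example, not code from the ATT&CK page or from Hancitor: a small
detector over constructed Sysmon-style events for the behaviours listed in
the techniques table. Field names and sample values are assumptions."""
import base64
import binascii
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children an Office macro launches in this campaign (rows T1059.001, T1218.012).
SUSPICIOUS_CHILDREN = {
    "powershell.exe": "T1059.001 PowerShell",
    "verclsid.exe": "T1218.012 Verclsid",
}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass
class Event:
    kind: str          # "process" or "registry"
    image: str         # image path of the acting process
    parent: str = ""   # parent image path (process events)
    cmdline: str = ""  # command line (process events)
    target: str = ""   # registry value path (registry events)
    data: str = ""     # registry value data (registry events)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_b64_urls(text: str) -> list:
    """Return URLs hidden in Base64 runs inside text (T1027 / T1140).

    Runs that do not decode to ASCII starting with http(s):// are ignored,
    so ordinary long identifiers such as API names do not trigger."""
    urls = []
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        blob += "=" * (-len(blob) % 4)  # restore padding the author may have stripped
        try:
            decoded = base64.b64decode(blob, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.lower().startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def analyze(events) -> list:
    """Return (technique, evidence) tuples for every matching event, in event order."""
    findings = []
    for e in events:
        if e.kind == "process":
            child, parent = basename(e.image), basename(e.parent)
            if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
                findings.append((SUSPICIOUS_CHILDREN[child], f"{parent} -> {child}"))
            for url in decode_b64_urls(e.cmdline):
                findings.append(("T1027 Obfuscated Files or Information", url))
        elif e.kind == "registry" and RUN_KEY_RE.search(e.target):
            # A Run value pointing into a user-writable directory is the usual
            # shape of macro-dropped persistence (T1547.001).
            if USER_WRITABLE_RE.search(e.data):
                findings.append(("T1547.001 Registry Run Keys / Startup Folder", e.data))
    return findings


# Constructed sample telemetry; paths, SID, GUID and the encoded URL are made up.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\verclsid.exe", parent=WINWORD,
          cmdline="verclsid.exe /S /C {00000000-0000-0000-0000-000000000000}"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=WINWORD,
          cmdline="powershell.exe -w hidden -c $u='aHR0cDovL2V4YW1wbGUuaW52YWxpZC9kb2MucGhw'"),
    Event("registry", r"C:\Users\alice\AppData\Local\Temp\svc.exe",
          target=r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          data=r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    Event("process", r"C:\Windows\explorer.exe",
          parent=r"C:\Windows\System32\userinit.exe", cmdline="explorer.exe"),
]

if __name__ == "__main__":
    for technique, evidence in analyze(SAMPLE_EVENTS):
        print(f"{technique}: {evidence}")
```

The benign explorer.exe event produces no finding, which is the check worth keeping: parent-child rules fire only on the Office-to-interpreter edge, and the Base64 scan only reports runs that decode to a URL, so long API names or GUID fragments in ordinary command lines stay quiet.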
References
1. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
2. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
3. Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020.