- 18.104.22.168 – ledintutat[.]com/ls5/gate.php – Hancitor C2
- 22.214.171.124 – e-kite[.]biz/wp-admin/includes/pm.dll – GET for Pony
- 126.96.36.199 – ledintutat[.]com/zapoy/gate.php – Pony C2
- 188.8.131.52 – geadent[.]ro/wp-admin/inst.exe – GET for Vawtrak
- 184.108.40.206 – SSL Blacklist Malicious SSL Certificate Detected (Vawtrak CnC)
File name: contract_54262.doc
File name: hancitor.dll
File name: pm.dll
File name: BNC967.tmp.exe and DekJanv.exe
The user received this email from firstname.lastname@example.org:
The subject of the email is “legally binding contract” and it contains a .doc file called “contract_54262.doc”. The email is supposedly coming from somebody within Gullixson and Kennedy LLP. The threat actors use social engineering to entice the user into opening up the attachment. You can see that they even threaten legal action if no action is taken within 48 hours.
The user would then open the attachment (contract_54262.doc) and be presented with this:
The user is then social engineered once more as they are told that they must click “Enable Editing” and then “Enable Content”. Once they do that the host makes GET requests for pm.dll and BNC967.tmp.exe.
Here you can see the GET request for pm.dll and then we can see some interesting strings in the TCP stream, including some hard-coded C2s (circled in red):
Here is the GET for the Vawtrak payload:
Here are some pictures of the payload dropped on the system as well as a registry key created for persistence:
Here we can see some Vawtrak C2 traffic via 220.127.116.11 (id-at-commonName=jmfbrtbsmth.com):
I would recommend blocking all the IPs listed at the top of this blog post. Also, I want to give a shout-out to @Techhelplistcom who first uploaded these files to VT. He does great work! You can see a summary of his comments below in red (I’ve included all the additional IOCs he found) or you can click on the hash links above to see them for yourself:
Hancitor in .doc and injected to memory by .doc
Pony Downloaded via Hancitor C2 Instructions:
mesucnufd.com resolves to 18.104.22.168
taryaznl[.]ru resolves to 22.214.171.124
Also, be sure to check out his blog at https://techhelplist.com/spam-list.