Hancitor, the information stealer and malware downloader, has been using cookies to prevent URL scraping. The trick serves its main goal of spreading other malware such as Cobalt Strike, Pony, Cuba, FickerStealer, and Zeppelin.
What happened?
Researchers from McAfee Labs have documented a new technique by actors behind Hancitor that prevents crawlers from accessing maldocs used to download the Hancitor payload.
The attack begins with the target receiving an email with a fake DocuSign template that contains a link to feedproxy[.]google[.]com, a Google service that allows users to publish website updates.
However, the link actually directs to a malicious site that checks the browser's User-Agent header: if it is non-Windows, the victim is redirected to google[.]com.
If the victim is on a Windows machine, the malicious site instead sets a cookie with a short piece of JavaScript and reloads the page.
The script stores the browser's timezone in cookie value ‘n’ and its offset from UTC in value ‘d’; the cookie is then sent in the Cookie header of the subsequent HTTP GET request. The values of ‘n’ and ‘d’ therefore vary with the victim's timezone.
Additional insights
The values of ‘n’ and ‘d’ could be used to halt further malicious activity or to deliver different payloads based on the victim's geolocation. After the reload, the site serves the maldoc only once it has confirmed that the cookie is present.
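As an added illustration (not code from the McAfee report), the following Python sketch shows how a proxy-log review could flag the reload-with-cookie pattern described above: a Windows client requests a URL without the cookie, then re-requests the same URL carrying timezone-shaped ‘n’ and ‘d’ values. The log line format, the addresses and URLs, and the exact shape of the values (an IANA zone name and a minute offset, as a browser's getTimezoneOffset() would yield) are assumptions.

```python
import re

# Constructed proxy log format (assumption): ts src "GET url" ua="..." cookie="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "GET (?P<url>\S+)" ua="(?P<ua>[^"]*)" cookie="(?P<cookie>[^"]*)"$'
)
WINDOWS_UA = re.compile(r"Windows NT", re.I)
# Cookie names 'n' and 'd' come from the technique; value shapes are assumed:
# 'n' an IANA zone such as Europe/Berlin, 'd' the UTC offset in minutes.
TZ_NAME = re.compile(r"^[A-Za-z_]+(/[A-Za-z_]+)+$")
UTC_OFFSET = re.compile(r"^-?\d{1,3}$")

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = """\
2021-07-12T09:14:02Z 10.0.0.5 "GET http://example.invalid/docusign/view" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" cookie=""
2021-07-12T09:14:03Z 10.0.0.5 "GET http://example.invalid/docusign/view" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" cookie="n=Europe/Berlin; d=-120"
2021-07-12T09:15:10Z 10.0.0.7 "GET http://example.invalid/docusign/view" ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)" cookie=""
2021-07-12T09:16:00Z 10.0.0.9 "GET http://example.invalid/news" ua="Mozilla/5.0 (Windows NT 10.0)" cookie="session=abc123"
""".splitlines()


def parse_cookie(header):
    """Split a Cookie header into a name -> value dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def find_cookie_gated_fetches(lines):
    """Return (src, url, n, d) for each Windows client that first requested a URL
    without the n/d cookie and then re-requested it with timezone-shaped values."""
    first_seen = set()
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not WINDOWS_UA.search(m["ua"]):
            continue  # the gate only engages Windows browsers
        key = (m["src"], m["url"])
        cookies = parse_cookie(m["cookie"])
        has_tz = TZ_NAME.match(cookies.get("n", "")) and UTC_OFFSET.match(cookies.get("d", ""))
        if not has_tz:
            first_seen.add(key)  # initial visit, before the JavaScript reload
        elif key in first_seen:
            hits.append((m["src"], m["url"], cookies["n"], cookies["d"]))
    return hits


if __name__ == "__main__":
    for hit in find_cookie_gated_fetches(SAMPLE_LOG):
        print("possible cookie-gated maldoc fetch:", hit)
```

A sandbox or crawler that wants to retrieve the gated document for analysis would need to replay the same two-step exchange with a Windows User-Agent and a cookie carrying ‘n’ and ‘d’.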
The document is designed to lure the victim into enabling macros, which in turn download the Hancitor DLL and load it with Rundll32.
The malware then contacts its C2 server and deploys additional payloads. If it finds itself running on a Windows domain, it downloads and deploys a Cobalt Strike Beacon.
Conclusion
The Hancitor malware has now gained the ability to send malicious spam emails and deploy Cobalt Strike beacons, and researchers expect it to be used in future ransomware attacks. Organizations should therefore keep up with the current threat landscape and continue updating their defenses to stay protected.