Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal) changed tactics on Monday 2017-10-16. Instead of pushing Microsoft Word documents with malicious macros, this malspam began pushing Word documents taking advantage of Microsoft's Dynamic Data Exchange (DDE) technique. According to BleepingComputer, attacks using this technique have existed since the early 90s, but DDE has gained notoriety in the past few weeks due to a series of recent reports. (Use a search engine for "DDE attack" or "DDE exploit" to find some results).
Ultimately, these DDE attacks are somewhat less effective than malicious macros, and Microsoft maintains DDE functionality is not a vulnerability. Victims must click through several warnings to get infected from these documents. Otherwise, little has changed for infection characteristics noted in my previous diary covering Hancitor malspam last month. Today's diary examines a wave of Hancitor malspam from Monday, 2017-10-16.
Monday's wave used a DocuSign template we've seen before from Hancitor malspam. Several people on Twitter also saw Monday's malspam, including @cheapbyte, @GossiTheDog, @James_inthe_box, @noottrak, and @Ring0x0. Links from the emails went to newly-registered domains that returned a malicious Word document.
The Word document
I tried a link from the emails in Windows 10 running Office 365. As usual, people must ignore various warnings to kick off an infection. First, because the Word document was downloaded from the Internet, I had to enable editing to escape Protected View. Then, I had to click through three dialog windows to infect my Windows host.
Shown above: Following a link from one of the emails.
Traffic remains the same as last time, except we find an HTTP GET request for a Hancitor (or a Hancitor-related) executable after the document is downloaded. Previously, this initial malware was part of the malicious document macro. However, with this DDE attack, the initial executable is downloaded separately.
Shown above: Traffic from an infection filtered in Wireshark.
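Because the document carries no macro, the thing to look for in mail filtering or triage is the DDE field itself. The following is an added example (not from the diary or its samples): it unzips a .docx, joins the field-instruction runs of each paragraph, and flags any field whose instruction names DDE or DDEAUTO. The two embedded documents are constructed test data, and the program path in the DDEAUTO sample is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# A field whose instruction names DDE or DDEAUTO asks Word to start an external
# program through Dynamic Data Exchange when the link is updated.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def dde_fields(docx_bytes):
    """Return (part name, field instruction) for each DDE field in a .docx blob.

    Word keeps a field instruction in w:fldSimple/@w:instr or spread over several
    w:instrText runs, so runs are joined per paragraph; that also catches
    "DDE" + "AUTO" split across two runs.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for para in root.iter(W + "p"):
                parts = [t.text or "" for t in para.iter(W + "instrText")]
                parts += [f.get(W + "instr", "") for f in para.iter(W + "fldSimple")]
                instr = re.sub(r"\s+", " ", "".join(parts)).strip()
                if DDE_RE.search(instr):
                    hits.append((name, instr))
    return hits


def make_docx(document_xml):
    """Zip a word/document.xml body into a minimal .docx (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: a DDEAUTO field split over two runs (placeholder path,
# not taken from any real document) and a benign DATE field.
DDE_DOC = make_docx(
    '<w:document xmlns:w="%s"><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO C:\\\\PLACEHOLDER\\\\program.exe "arg"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    "</w:p></w:body></w:document>" % W_NS)
BENIGN_DOC = make_docx(
    '<w:document xmlns:w="%s"><w:body><w:p>'
    '<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    '<w:r><w:t>16 October 2017</w:t></w:r></w:fldSimple>'
    "</w:p></w:body></w:document>" % W_NS)
```

Run `dde_fields()` over an attachment before it reaches a user; a non-empty result from a document that arrived by email is a strong reason to quarantine it.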
Indicators of compromise (IOCs)
Links from the malspam:
Traffic noted while infecting hosts in my lab:
Artifacts from an infected host:
As mentioned earlier, these DDE attacks are no more effective than malicious macro-based attacks. Each requires victims to click through a series of warnings to get infected. Furthermore, it's relatively easy for system administrators (and the technically inclined) to follow best security practices on their Windows computers. Using Software Restriction Policies (SRP) or AppLocker can easily prevent these types of malspam-based infections from occurring.
Traffic and malware samples for this diary can be found here.
brad [at] malware-traffic-analysis.net