krotused.blogg.se - Cobalt strike beacon desktop vnc

12, 2021.ĭocuSign-spoofed emails are not new, nor are they limited to Hancitor. Currently, most waves of emails pushing Hancitor have used a DocuSign theme, and the average wave of Hancitor malspam looks like this one reported on Jan. Emails spoofing DocSign have been reported as early as October 2017, but the group behind Hancitor began more frequent use of DocuSign templates starting in October 2019. Hancitor has historically sent emails spoofing different types of organizations that send notices, faxes or invoices. First Stage: Distributing Malicious Word Documents 5, 2020, this campaign settled into the infection chain of events shown above.

In rare cases, we have also seen a Hancitor infection follow-up with Send-Safe spambot malware that turned an infected host into a spambot pushing more Hancitor-based malspam.Īfter a three-month absence, Hancitor activity resumed on Oct.

Hancitor-related Cobalt Strike activity can send other files, such as a network ping tool or malware based on the NetSupport Manager Remote Access Tool (RAT).

Hancitor C2 leads to Cobalt Strike activity in AD environments.

Hancitor C2 most often leads to Ficker Stealer malware.

Hancitor generates command and control (C2) traffic.

Hancitor DLL is dropped and run using rundll32.exe.

Enable macros (per instructions in Word document text).

Link from a Google Drive page to a URL that returns a malicious Word document.

Email with link to a malicious page hosted on Google Drive.

The chain of events for recent Hancitor infections is: See Figure 1 for a flow chart showing the chain of events. 5, 2020, the actor pushing Hancitor has displayed consistent patterns of infection activity. Chain of Events for Recent Hancitor Infections CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Palo Alto Networks has shared our findings, including file samples and indicators of compromise described in this report, with our fellow Cyber Threat Alliance members. Palo Alto Networks Next-Generation Firewall customers are protected from this threat with a Threat Prevention security subscription.

This blog also contains relatively new indicators noted from this threat actor as of February 2021, and it provides five examples of the associated network ping tool seen in December 2020 and January 2021. This blog reviews examples of recent Hancitor infections within AD environments. To understand how this ping tool is used, we must first understand the chain of events for current Hancitor activity. Normal ping activity is low to nonexistent within a Local Area Network (LAN), but this ping tool generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic as it pings more than 17 million IP addresses of internal, non-routable IPv4 address space. This blog illustrates how the threat actor behind Hancitor uses the network ping tool, so security professionals can better identify and block its use.Īs early as October 2020, Hancitor began utilizing Cobalt Strike and some of these infections utilized a network ping tool to enumerate the infected host’s internal network. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. Approximately three years later, Hancitor remains a threat and has evolved to use tools like Cobalt Strike. In a threat brief from 2018, we noted Hancitor was relatively unsophisticated, but it would remain a threat for years to come. Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511.