Security researchers have discovered a new variant of the Hancitor malware that features updated infiltration capabilities. Experts note that there is an active campaign with the malware that is the biggest one since June this year.
Hancitor Is More Dangerous Than Ever
The new variant features new dropper mechanisms and advanced obfuscation techniques, and a large malicious campaign using it is currently ongoing. Researchers state that Hancitor now delivers Trojans such as Vawtrak, which is a menacing threat in its own right.
The updated version uses native Windows API calls from within Visual Basic macro code to decrypt the embedded payload. Hancitor has been found in malicious Microsoft Word documents.
The criminals use the standard lure of persuading victims to enable content (that is, macros) in the infected document. Notably, the infection chain relies on both the Visual Basic macro and embedded shellcode.
This differs from other threats in that the payload is stored encrypted inside the document and only decrypted by the Visual Basic code at run time, which makes it harder for security software to detect statically. When the macro runs, the executable payload is decoded and then executed. The developers have also implemented checks that detect the system architecture (32-bit versus 64-bit) before proceeding.
The shellcode loads the values specific to the target system and, after several rounds of encryption and decryption sub-routines, writes the malware binary to disk. The binary is first written to a temporary directory and then copied to %SYSTEMROOT%\system32\WinHost.exe. An executable by that name in System32 is a useful host-based indicator to check for.
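The page describes the technique but not Hancitor's actual macro source, so the following is an added triage example rather than the malware's code: a small Python heuristic that scans VBA macro text for the building blocks of an in-process shellcode loader (native Win32 API Declares, an architecture branch, an auto-executing entry point, a large embedded blob, and the WinHost.exe drop path named above). The two macro texts are constructed for this example; the API watchlist, the scoring weights and the threshold are assumptions, not something the write-up specifies. In practice the macro text would come from a tool such as oletools' olevba rather than be embedded as a string.

```python
"""Triage heuristics for a macro-based shellcode dropper.

Added example, not Hancitor's code. The macros below are constructed to
resemble the technique and are not taken from a real sample.
"""
import re

# Win32 APIs that, once Declared from VBA, let a macro map and run shellcode
# in-process. Constructed watchlist for this example; extend for your estate.
SHELLCODE_APIS = {
    "VirtualAlloc", "VirtualAllocEx", "RtlMoveMemory", "CallWindowProcA",
    "CallWindowProcW", "CreateThread", "WriteProcessMemory",
}
NATIVE_LIBS = {"kernel32", "user32", "ntdll", "advapi32"}

# "Declare [PtrSafe] Function|Sub <name> Lib "<dll>""
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"',
    re.IGNORECASE)
# The macro branches on bitness (conditional compilation or an env lookup).
ARCH_RE = re.compile(r'#If\s+Win64|PROCESSOR_ARCHITECTURE', re.IGNORECASE)
# Entry points Office runs without user interaction once macros are enabled.
AUTOEXEC_RE = re.compile(
    r'\bSub\s+(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b', re.IGNORECASE)
# Drop location named in the write-up, if it appears as a literal.
DROP_RE = re.compile(r'system32\\+winhost\.exe', re.IGNORECASE)
# A long hex/base64-looking string literal suggests an embedded encoded blob.
BLOB_RE = re.compile(r'"[A-Za-z0-9+/=]{64,}"')


def analyse_macro(vba: str) -> dict:
    """Return the indicators found in VBA source text plus a score and verdict."""
    declares = DECLARE_RE.findall(vba)
    native = sorted({name for name, lib in declares
                     if lib.lower().split(".")[0] in NATIVE_LIBS})
    findings = {
        "native_api_declares": native,
        "shellcode_apis": sorted(n for n in native if n in SHELLCODE_APIS),
        "arch_check": bool(ARCH_RE.search(vba)),
        "auto_exec": bool(AUTOEXEC_RE.search(vba)),
        "embedded_blob": bool(BLOB_RE.search(vba)),
        "drop_path": bool(DROP_RE.search(vba)),
    }
    # Memory/execution APIs are the core of the technique and weigh double;
    # the remaining indicators raise confidence. Threshold is an assumption.
    score = (2 * bool(findings["shellcode_apis"]) + findings["auto_exec"]
             + findings["arch_check"] + findings["embedded_blob"]
             + findings["drop_path"])
    findings["score"] = score
    findings["verdict"] = ("likely shellcode loader" if score >= 3
                           else "no loader indicators")
    return findings


# Constructed, abridged macro resembling the technique (not a real sample).
SUSPICIOUS_MACRO = r'''
#If Win64 Then
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal lpAddr As LongPtr, ByVal dwSize As LongPtr, ByVal flAllocType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dest As LongPtr, ByRef Src As Any, ByVal Length As LongPtr) As LongPtr
Private Declare PtrSafe Function CallWindowProcA Lib "user32" (ByVal lpFunc As LongPtr, ByVal hWnd As LongPtr, ByVal Msg As Long, ByVal wP As LongPtr, ByVal lP As LongPtr) As LongPtr
#Else
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal lpAddr As Long, ByVal dwSize As Long, ByVal flAllocType As Long, ByVal flProtect As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dest As Long, ByRef Src As Any, ByVal Length As Long) As Long
Private Declare Function CallWindowProcA Lib "user32" (ByVal lpFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wP As Long, ByVal lP As Long) As Long
#End If
Const BLOB As String = "4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000"
Const TARGET As String = "%SYSTEMROOT%\system32\WinHost.exe"
Sub AutoOpen()
    Dim p As LongPtr: p = VirtualAlloc(0, Len(BLOB) \ 2, &H3000, &H40)
    RtlMoveMemory p, Decode(BLOB)(0), Len(BLOB) \ 2
    CallWindowProcA p, 0, 0, 0, 0
End Sub
'''

# Constructed benign macro: auto-executes but touches no native API.
BENIGN_MACRO = r'''
Sub AutoOpen()
    ActiveDocument.Range.InsertBefore "Reviewed " & Format(Now, "yyyy-mm-dd")
End Sub
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(label, analyse_macro(src))
```

The benign macro scores only for its AutoOpen entry point, which is why a single indicator is not enough to flag a document; the loader pattern is the combination of native memory APIs with an auto-executing entry point, and the bitness branch, encoded blob and drop path then raise confidence. Regex matching on source text is deliberately simple and will miss heavily obfuscated macros that build API names at run time, so treat it as a first-pass filter before dynamic analysis.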
This delivery method is well developed and an effective way of distributing threats such as Trojans and ransomware. Most such payloads have stealth capabilities of their own, and delivering them through Hancitor only raises the risk of infiltration, since the combination has so far proven hard for contemporary security software to detect.