Scams targeting the delivery chain have been around for as long as people have ordered merchandise on the internet. They vary mainly in the part of the chain they target and the severity of their goals. Some scams, sent by spammers, simply trick you into visiting a client’s website in the hope that you’ll buy their product. Others, sent by more malicious actors, will financially wipe you off the map. The goal of the current round of delivery-focused malware is to do the latter.
This particular malware (or malspam as some call it) is called, Hancitor. It’s been around for a while but continually updates its tactics. Its current tactics must be working because there has been a spike in infected computers this year, especially in the last few weeks. Hancitor is bad. If released on your computer, it will steal all of your passwords and banking information. If released on a corporate network, it will take whatever it wants.
But all malware has to start somewhere and most malware follows the same, well-trodden path. It all begins with a phishing trip. At this stage, it doesn’t appear the malware is targeting specific individuals, but that could change depending on who controls it. The attack appears to start with randomly sent spam messages that are made to look legitimate. The current version pretends to be a message from UPS but FedEx has been targeted in the recent past. It begins with an email message from “UPS Quantum View” <firstname.lastname@example.org> or from “FedEx” <email@example.com>. Both addresses link to fringe, poorly protected sites which have been compromised, but they are only two examples among hundreds that are controlled by the spam. UPS does have a service for tracking called Quantum View. The subject line for the UPS phishing email is “Delivery stopped for shipment #142384”. The delivery numbers are randomized. For the FedEx scam, the subject will be “FedEx Tracking 715715163815 Notification”, again, with the numbers randomized. The template for both scams is copied from actual templates.
Here are the templates as analyzed by the Malware-Traffic-Analysis.net website.
Clicking ‘here’ as directed, will take the victim to the site shown in the graphic. Attached to that site is a document, the name of which is coded in a base64 string. Notice the odd phrasing and ungrammatical construction of the message which indicates a foreign origin.
But why put the document name in base64 code? This serves two purposes. Base64 encoding sometimes goes undetected by spam filters. Remember that the key goal of all attackers and spammers is to bypass the spam filters and get the malicious email into the victim’s inbox. Getting into the inbox is not as necessary as many think, however, because many people will check their spam folder from time to time and may be attracted by a good subject line. In any event, legitimate marketers try to do much the same thing and there are websites dedicated to getting the marketer’s message into a potential client’s inbox.
If the victim clicks on the link, they will be taken to a compromised website and then offered the ‘opportunity’ to download a document. The base64 code will be decoded once the victim clicks on the link and will produce a document name which includes the email username of the victim.
You can encode information in base64 on a number of online sites. For example, I encoded the fake email address firstname.lastname@example.org into am9lc21pdGhAeWFob28uY29t. With a little manipulation, I could have the malicious website produce a document that said, “UPS Delivery joesmith”. That code would be
If you don’t believe me, copy the code and check it out here. The point is that I can hide the document name until I need it to produce the browser-based message that says something like, “Do you want to open or save UPS Delivery joesmith.doc from (website name)?” Of course, in the original scam, the “UPS Delivery” segment would be hard coded.
FYI, the FedEx message will look like this.
In both cases, accepting the download will present you with an option screen which will look something like this. Hoping you will be frightened into enabling macros.
FireEye found a more creative API that looks like the one below, but in all cases, you will have to enable macros before the malware continues on its mission.
Enabling macros in Word will install Zloader which will connect via the internet to a command and control center and retrieve Zbot malware. Zbot is related to the notorious ZeuS banking trojan. The malware will install itself into the browser as a man-in-the-middle and ‘watch’ for visitations to any banking sites. It will also create fake certificates to make fake sites look legitimate. The malware is not limited to stealing banking information but can be used for all manner of spying and information theft.
How to Avoid Becoming a Victim
There is probably a good reason why your spam filter put an email into the spam folder. Be careful about clicking on any link in such emails and hover the cursor over the link to see the site that it is connected to.
When presented with a document to download, check the website that it is being downloaded from. Notice that it is given in the download option message seen previously.
If a UPS document is linked to a site that seems to have no connection with UPS, such as the impacthealthnow.org example shown above, do not waste your time downloading it. If, however, you have gone so far as to download a Word document, do not use the suggestion to enable macros or editing.
If you end up with Hancitor malware on your computer, it is very difficult to remove. Some suggestions are given here and here but be aware that this malware has the ability to regenerate itself even after an apparent removal.
Zbot/ZeuS malware is considered by many experts to be the most dangerous malware on the internet. Attackers are refining it all the time and using it more and more to spearphish victims with emails that appear to come from valid sources. Take all precautions or some day you may find that you have been financially destroyed or have lost important corporate information. I will update any new attack vectors when I discover them.
Update 9-21-17 New Hancitor Tactic
According to Malware-Traffic Analysis, Hancitor has recently been found phishing with an email disguised as a request for an invoice. It’s not clear if the sender mentioned in the ‘From’ field is known to the victim.
Four security firms have identified the connected site as malicious.