Overview
Proofpoint researchers have recently observed the re-emergence of two malware downloaders that had largely disappeared for several months. Hancitor (also known as Tordal and Chanitor) and Ruckguv have reappeared in campaigns distributing Pony and Vawtrak with significant updates and increased functionality. We have also been tracking an actor experimenting with various loaders, providing insights into these evolving components of malware ecosystems.
Hancitor Analysis
Starting on April 28, we observed one of the Vawtrak actors (using ID 80, 81, 82) utilizing an updated version of the Hancitor downloader. The last time that we saw this downloader used by one of the Vawtrak affiliates was April 2015, when it was downloading an older version of Vawtrak. We believe this is the same actor now using the updated downloader.
In this case, the Hancitor loader is dropped by a macro in the Microsoft Word email attachment. Hancitor, in turn, downloads a Pony module and Vawtrak.
Figure 1: Example email spreading Vawtrak on April 28th via new loader has subject “FW: debt fax from [company name]” and attachment 175415626.doc (random numbers)
In the year since we last observed the downloader in Proofpoint data, Hancitor has been overhauled and updated. Notable changes and functionality include:
- A rewrite of the network communication protocol
- The ability to download and execute a Pony DLL module (and perhaps any DLL) from within the Hancitor process
Before this update, the Hancitor command-and-control (C&C) check-in (such as with sample MD5: f472c00abef3324460989972362458e1) used a pipe-separated POST data format such as “<GUID>|<BUILD>|<PCINFO>|<IP>”. The updated Hancitor submits similar information to the C&C, but in a different format. Specifically, the new POST data format is “GUID=&BUILD=&INFO=&IP=&TYPE=1&WIN=”.
Figure 2: Example Hancitor C&C check-in
Parameter | Description |
GUID | A 19-digit identifier generated with the UuidCreate Windows API (in early versions of the updated Hancitor) or derived from the output of GetAdaptersAddresses Windows API (latest version seen on May 10). |
BUILD | A hardcoded 4-digit number that appears to represent the software version. These are not updated in sequential order. Observed build numbers include 2804, and 0905 |
INFO | The info shows the computer name, account name, and domain in the “[computer name] @ [domain]\[account]” format |
IP | External IP address of the infected machine, determined from api.ipify[.]org |
TYPE | Hardcoded value set to “1” |
WIN | Windows major and minor versions, followed by the system architecture in the “[major].[minor] ([architecture])” format where architecture is x32 or x64. |
Table 1: Explanation of the parameters submitted to the C&C server by the updated Hancitor
In response to the infected client check-in, the C&C server can respond with a series of JSON-formatted commands for the client to perform, formatted as shown in Figure 2. The meaning of each command is explained in Table 2.
Command | Description |
{r:[URL]} | Download and run an executable from URL |
{u:} | Unimplemented |
{d:} | Terminate malware process and delete backing file |
{l:[URL]} | Download module (DLL) from a URL, write it to current process memory, and execute it |
{n:} | Nothing to do |
Table 2: Commands sent by the C&C server
The ability to download and execute a DLL module from within the Hancitor process is a new function of the updated malware. The DLL is downloaded to heap memory, written directly into the Hancitor process (using VirtualAllocEx and WriteProcessMemory) and executed from there using the CreateThread Windows API. Thus, the module is not written to the disk, and no files or persistence mechanisms are created for it. So far, we have observed only Pony downloaded as a module, but other DLLs could be loaded similarly.
Figure 3: Module DLL written to current process and executed from there
Figure 4: Pseudocode shows Hancitor downloading a DLL module, writing it to current process memory, and executing it
Ruckguv Analysis
On May 4, shortly after the updated Hancitor was first seen downloading Vawtrak, the same actor was observed using a new version of Ruckguv downloader. Before this, the last time that we saw this downloader was in December 2015, loading a Cryptowall payload. Similar to the updated Hancitor, the updated Ruckguv was dropped by a macro in the Word document. Ruckguv, in turn, downloaded a Pony module and Vawtrak.
Figure 5: Example email spreading Vawtrak on May 4th via new loader has subject “FW: [company website] irs notification” and attachment irs_468718228.doc (random numbers)
Since we last saw the downloader in Proofpoint data, Ruckguv has also been overhauled and updated. Notable changes and new malware features include:
- Payload URLs are no longer encoded with ROT13
- Downloaded payload is written to the system with one possible file name instead of three
- More robust download code, instead of simply calling the URLDownloadToFileA API
- The ability to download and run a Pony DLL as a module
The old version of Ruckguv (for example, MD5: 1c319670a717305f7373c8529092f8c3) encoded its payload URLs stored in the malware binary with ROT13, and decoded them at run-time. This is no longer the case; but other strings, such as DLL names used by the malware are now ROT13-encoded instead.
The downloaded payload is now written to the %APPDATA%\csrss_[volume_serial].exe file, where volume_serial is an eight-character string is generated with GetVolumeInformationA. Previously, the payload was also written to the %APPDATA% folder, but with one of three possible filenames, including csrss_nn.exe, WindowsDriver_nn.exe, or Frifox_nn.exe, where nn was a random two-digit number.
Figure 6: Code snippet showing filename generation for the downloaded payload
The old version of the malware simply downloaded the payload with the URLDownloadToFileA Windows API, which “downloads bits from the Internet and saves them to a file.” The new version reworked that functionality to instead use the InternetOpen, InternetOpenUrl, CreateFile, and WriteFile functions. The use of these functions allows for further customization, such as setting the User-Agent to “Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)”. Additionally the downloaded file size is now checked; if it is less than 2,000 bytes, it is considered a failed download and the loader attempts an alternative download location. This check may incidentally or intentionally help against white hat hackers that may alter/neuter the malware payload sites, such as those described in the “STUPID LOCKY” incident [2].
Figure 7: Code snippet showing the attempt to download the payload from an initial location, followed by a download file size check
Finally, the updated Ruckguv added the ability to download and run a DLL (we have only observed Pony DLL being downloaded so far). The DLL is downloaded to the %APPDATA%\wsrv_[volume_serial].dll location. The DLL is encrypted with a 10-byte RC4 key (“NJB#6452^&” in our sample). The DLL file is then read with ReadFile and executed from within the parent Ruckguv process by allocating memory, writing it to the parent process and jumping to its entry point.
Figure 8: Code snippet showing the DLL file name generation and DLL download
Other Loaders and Actor Details
This Vawtrak actor has also been experimenting with H1N1 Loader as the initial payload dropped by macro documents. Like the other loaders discussed, it is used to download a Pony DLL and Vawtrak executable. However, H1N1 can also steal credentials. H1N1 also received updates recently, which are discussed on the KernelMode forums [1].
The Vawtrak botnets IDs described here (80, 81, and 82) target primarily U.S. financial organizations with their injects, although a few Canadian and UK organizations have also been targeted. Previously a typical campaign would consist of only a handful of unique documents and several hundred thousand email messages. Starting in April, the actor started using many unique documents for their campaigns—some days using as many as tens of thousands of documents, likely as an attempt to evade detections. We first observed this Vawtrak variant last September. It’s notable for its modularity (it included a Pony stealer, a debug module, an inject module, and a back connect module).
Vawtrak may also download TinyLoader, which we have previously observed installing AbaddonPOS malware. We have also recently observed Vawtrak downloading the spambot used to send these campaigns (Send-Safe Enterprise Mailer).
Conclusion
Malware loaders often don't receive the same attention as their payload malware. Yet loaders like Hancitor, Ruckguv, Pony, and others are critical parts of the malware ecosystem. Not only are they incorporating increasing functionality on their own, but they also help threat actors evade detection because of their small download size. They also increase actors' flexibility, allowing them to rapidly swap out payloads as campaigns evolve or differentiate payloads by geolocation, IP, or other instructions provided by C&C infrastructure.
And to that end, updates to loaders bear watching for anyone looking to stay ahead of savvy actors.
References
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3851
- https://blog.avira.com/im-with-stupid-locky/
Indicators of Compromise (IOC)
IOC | IOC Type | Description |
9b3fa5dc3b340e0df08d26dd53cd3aa83212950b2d41cf1b1e5a6dd1acd0e4df | SHA56 Hash | Document that dropped Hancitor on April 28 |
5ec4ba1a97500e664af6896f4c02846ca6777e671bb600103dc8d49224e38f48 | SHA56 Hash | Hancitor |
b19ec186f59b1f72c768ed2fcd8344d75821e527870b71e8123db96f683f1b68 | SHA56 Hash | Pony (Hancitor module) |
ec9a14f442bbb549388c7a36f8f221fab4f8d3578540ad528f9cb12d35e73fa5 | SHA56 Hash | Vawtrak (Hancitor payload) |
[hxxp://hadfanawass[.]com/sl/gate.php] | URL | Hancitor C2 |
[hxxp://rophenreswi[.]ru/sl/gate.php] | URL | Hancitor C2 |
[hxxp://mihesfitons[.]ru/sl/gate.php] | URL | Hancitor C2 |
[hxxps://krrewiaog3u4npcg[.]onion.to/sl/gate.php] | URL | Hancitor C2 |
[hxxp://quoapps[.]es/pm.dll] | URL | Hancitor downloading Pony |
[hxxp://posturepals[.]es/inst1.exe] | URL | Hancitor downloading Vawtrak |
b1ba251cf4f494a00ff0d64a50004d839928dac816afb81c33af51622baf2c12 | SHA256 Hash | Document that dropped Ruckguv on May 4 |
0b6e868c196c7ad80fac72a7d02159cfa4f72ad657604cd3e5eb03c796df01ba | SHA56 Hash | Ruckguv |
2ccebf5fee30073e849895c6e43f6519017f226281c80177d72febcfbaf1f0d3 | SHA56 Hash | Pony (Ruckguv module) |
9b11304e4362a8fbe2ee91d8e31d7ae5774019aaeef9240c6878da78bdf0bfa9 | SHA56 Hash | Vawtrak (Ruckguv payload) |
[hxxp://logimax[.]net[.]in/ii.exe] | URL | Ruckguv downloading Vawtrak |
[hxxp://tourjacket[.]me/ii.exe] | URL | Ruckguv downloading Vawtrak |
[hxxp://urbanrecreation[.]eu/ii.exe] | URL | Ruckguv downloading Vawtrak |
[hxxp://tantrix[.]com[.]tr/pm.dll] | URL | Ruckguv downloading Pony |
[hxxp://therapeutica[.]com[.]br/pm.dll] | URL | Ruckguv downloading Pony |
[hxxp://therapeutica[.]com[.]br/pm.dll] | URL | Ruckguv downloading Pony |
Select ET Signatures that would fire on such traffic:
2819959 || ETPRO TROJAN Hancitor Dropper Checkin
2819978 || ETPRO TROJAN Tordal/Hancitor/Chanitor
2021997 || ET POLICY External IP Lookup api.ipify.org
2014411 || ET TROJAN Fareit/Pony Downloader Checkin 2
2022225 || ET TROJAN Vawtrak HTTP CnC Beacon
2813060 || ETPRO TROJAN Vawtrak Retrieving Module