<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>Hancitor Downloader has seen many campaigns this year. <a href="http://www.malware-traffic-analysis.net/">Malware-Traffic-Analysis</a>, a security research blog operated by <a href="https://researchcenter.paloaltonetworks.com/author/bduncan/" target="_blank">Brad Duncan</a>, has published over <a href="http://www.malware-traffic-analysis.net/2017/index.html" target="_blank">40</a> related articles since the beginning of 2017. Each article covers <a href="https://dochub.threatstop.com/display/TS/M#M-_malspam">malspam</a> delivering the downloader, with no sign of the campaigns abating.</p>
<p>In May 2017, <a href="https://trust.docusign.com/en-us/personal-safeguards/">DocuSign</a> reported <a href="https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/">another</a> campaign targeting its customers. These <a href="https://dochub.threatstop.com/display/TS/P#P-_phishing">phishing</a> e-mails spoofed DocuSign notifications and carried a hyperlink to a Microsoft Word document containing a malicious macro. The subject lines followed one of these patterns:</p>
<ul>
<li><em>“Please review your document Invoice &lt;1234567&gt; for &lt;recipientdomain.com&gt;”</em></li>
<li><em>“Completed &lt;company name&gt; – Accounting Invoice &lt;number&gt; Document Ready for Signature”</em></li>
</ul>
<p>Once the document is downloaded and its macro is enabled, the Hancitor downloader is delivered. Hancitor then downloads either <strong><a href="https://blog.threatstop.com/2016/11/30/dont-pony-up-your-data-to-fareit">Pony</a></strong> or <a href="/zloader/terdot-that-man-in-the-middle"><strong>Zloader</strong></a> malware. The malware operators falsify the e-mails’ source and imitate Google Docs and Dropbox themes, as shown:</p>
<div><img src="https://info.threatstop.com/hubfs/Hancitor%20phishing%20email.png" alt="Hancitor phishing email" style="display: block; margin-left: auto; margin-right: auto;"></div>
<p style="text-align: center;"><a href="http://www.malware-traffic-analysis.net/2017/05/25/index.html">http://www.malware-traffic-analysis.net/2017/05/25/index.html</a></p>
<p>To add protection against <strong>Hancitor</strong>, we recommend enabling the following targets:</p>
<ul>
<li>Standard Mode
<ul>
<li>TS Curated - Core Tier 1 - IPs</li>
<li>TS Curated - Botnets Tier 1 - Domains</li>
<li>TS Curated - Botnets Tier 1 - IPs</li>
</ul>
</li>
<li>Expert Mode (included in the curated targets for standard mode)
<ul>
<li>TS Originated - Core Threats - IPs</li>
<li>TS Originated - Core Threats - Domains</li>
</ul>
</li>
</ul>
<p>If you do not have a ThreatSTOP account,&nbsp;<span>&nbsp;</span>to try a demo.</p>
<p>If you do have a ThreatSTOP account, instructions to add targets to <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+DNS+Firewall#ThreatSTOPDNSFirewall-DNSFWPolicy" target="_blank">DNS</a> or <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+IP+Firewall" target="_blank">IP</a> Defense policies are available on the ThreatSTOP Documentation Hub. Or, contact our&nbsp;<span>&nbsp;</span>team.</p></span>
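As an added illustration, not part of the original post or of ThreatSTOP's product, the two DocuSign-themed subject-line patterns quoted above can be turned into a mail-gateway detection. The regexes, the normalization step and the sample subjects below are my own assumptions about what a matcher should tolerate; the sample subjects are constructed, not real campaign data.

```python
import re

# Regexes derived from the two subject patterns quoted in the post.
# <1234567> is treated as a numeric invoice id, <recipientdomain.com> as a
# domain and <company name> as short free text (assumptions, not campaign facts).
SUBJECT_PATTERNS = {
    "docusign_review_invoice": re.compile(
        r"^please review your document invoice \d{4,10} for "
        r"[a-z0-9.-]+\.[a-z]{2,}$"
    ),
    "docusign_completed_invoice": re.compile(
        r"^completed .{1,80}? [-\u2013\u2014] accounting invoice \d{3,12} "
        r"document ready for signature$"
    ),
}

def normalize_subject(subject: str) -> str:
    """Lower-case, strip reply/forward prefixes and collapse whitespace so that
    trivial variation (case, 'FW:', double spaces) does not evade the match."""
    s = subject.strip().lower()
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", s)
    return re.sub(r"\s+", " ", s)

def match_hancitor_subject(subject: str):
    """Return the name of the matching subject pattern, or None."""
    s = normalize_subject(subject)
    for name, rx in SUBJECT_PATTERNS.items():
        if rx.match(s):
            return name
    return None

# Constructed sample subjects for a self-contained run.
SAMPLE_SUBJECTS = [
    "Please review your document Invoice 8452119 for example.com",
    "FW: Completed Example Corp – Accounting Invoice 20441 Document Ready for Signature",
    "Your DocuSign account statement",
    "Please review your document Invoice for example.com",  # no invoice number: no hit
]

def scan(subjects):
    """Return [(subject, pattern_name)] for every subject that matches."""
    hits = []
    for subj in subjects:
        name = match_hancitor_subject(subj)
        if name:
            hits.append((subj, name))
    return hits

if __name__ == "__main__":
    for subj, name in scan(SAMPLE_SUBJECTS):
        print(f"[{name}] {subj}")
```

A subject match alone is a weak signal; in a gateway it would be combined with sender authentication results (SPF/DKIM/DMARC for the spoofed DocuSign domain) and the presence of a link to an Office document.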