Hancitor Malware Spam Spreads Through Word Documents

What Is It?

A recent SANS Internet Storm Center diary entry highlighted a new malicious spam campaign for the Hancitor botnet.

This malware has previously targeted corporates in the tech and bio-tech industry verticals and infrastructure entities.

In this case, a malicious spam email claiming to be an invoice from Advanced Maintenance contains links which if clicked, result in the download of a Word document containing malicious macros. If the end-user allows these macros to run, a malicious executable is extracted and executed.

This malicious executable is capable of downloading other malware, including ransomware and data stealing malware.

How Does It Propagate?

The malware is spread using a spam campaign which needs to convince the user to click on a link in order to download the malicious Word document, open the document and potentially allow macros to execute. As always, end user education is a critical component of securing a corporate environment.

When/How Did BluVector Detect It?

Both the malicious Word document and the extracted executable are identified as malicious by BluVector’s machine learning malware detection engine. Regression testing has shown the Word document would have been detected by BluVector 43 months ago and the executable 35 months ago.

All Threat Reports