By Zachary Bailey, Cofense Phishing Defense Center
Chanitor, also known as Hancitor, is a malware family that is challenging to detect. The initial infection vector is often a Google Docs link, which displays a professional-looking template with a button to download a file. Clicking the download button contacts a PHP endpoint that runs a geolocation check on the visitor: those who fail the check are redirected to DocuSign's legitimate website, while those who pass receive a DOC file. Once the user enables Office macros in the Microsoft Word document, the embedded DLL is extracted and run in memory before connecting to Chanitor's command and control (C2) servers.
The difficulty in analyzing Chanitor is that it often decides not to run. It checks whether it has already run on the machine, and sometimes does not run at all on the first attempt. The DLL also presents fake export functions to hinder running it manually. As a last resort, you will have to carve out the DLL itself and manually extract the configuration needed to run it.
Figure 1: Fake DocuSign Email
In Figure 1 we see the current Chanitor/Hancitor campaign, luring users with phishing emails that spoof DocuSign. These emails typically reference an invoice that needs to be viewed or approved. These emails are crafted to look like legitimate requests, even renaming the sender as “DocuSign Signature Service.” The email footer also describes another way to sign in, directing the recipient to the DocuSign website to enter an access code.
Figure 2: Landing Page for Chanitor
However, if the user takes the lure and clicks to see the document, they are taken to a clean Google Docs template with a random title and a prompt to click a download link, as seen in Figure 2. As stated before, several checks verify that the user is in the targeted geo-region before a DOC file is dropped. Analyzing this file can be difficult given its determination not to run properly; manually extracting and running the embedded DLL is the most reliable way to get the C2s.
Figure 3: Oledump output
The first step in our process is to identify where the DLL sits inside the DOC file. We can use oledump.py, a Python utility shown in Figure 3, to list all the streams in an Office file. We notice that stream 16 is flagged with an "O", meaning that an embedded object has been identified. We can then extract this specific stream using the following command:
oledump.py 0519_4467026886302.doc -s 16 --decompress -x > output.hex
All that is left to do is decode the hex output, after which the built-in Linux file command should identify the result as a DLL (Figure 4).
Figure 4: Checking file type
In a strange twist, file does not recognize this as a DLL. Running the head command, we can see why right away.
Figure 5: Top of the DLL file
Several characters and strings that should not be here sit in front of the correct DLL header. In a hex editor, we can manually cut everything up to "4D 5A 90 00", which is the MZ header.
Figure 6: Corrected header output
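As an added example (not part of the original post and not Cofense's tooling), the following Python script automates the two manual steps above: turning the oledump hex dump back into bytes, and carving the DLL from the first MZ header whose e_lfanew field actually points at a PE signature, rather than at the first "4D 5A" that happens to occur in the junk prefix. The sample blob and hex dump are constructed inline; the only assumption about oledump.py is that its -x output is whitespace-separated hex byte pairs.

```python
import re
import struct
import sys

# Constructed sample data (not the real Chanitor stream): a junk prefix like the one seen at
# the top of the extracted stream, followed by a minimal fake PE image. The "MZ" inside the
# junk is deliberate, so that carving at the first 4D 5A would start at the wrong offset.
JUNK_PREFIX = b"\x01\x00\x02MZ\x00\x00garbage-before-header\n"
FAKE_PE = bytearray(b"MZ\x90\x00" + b"\x00" * 56)           # DOS header up to e_lfanew
FAKE_PE += struct.pack("<I", 0x80)                            # e_lfanew (offset 0x3C): PE header at 0x80
FAKE_PE += b"\x00" * (0x80 - len(FAKE_PE))                    # DOS stub padding
FAKE_PE += b"PE\x00\x00" + b"\x00" * 20 + b"payload-bytes"   # PE signature, fake COFF header, body
SAMPLE_BLOB = JUNK_PREFIX + bytes(FAKE_PE)

# The same blob rendered as a hex dump, 16 space-separated byte pairs per line (assumed to be
# the shape of `oledump.py -x` output).
SAMPLE_HEX = "\n".join(
    " ".join(f"{b:02X}" for b in SAMPLE_BLOB[i:i + 16])
    for i in range(0, len(SAMPLE_BLOB), 16)
)

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def decode_hex_dump(text):
    """Convert a hex dump of whitespace-separated byte pairs back into raw bytes.

    Tokens that are not exactly two hex digits (offsets, ASCII columns) are ignored.
    """
    out = bytearray()
    for line in text.splitlines():
        out.extend(int(tok, 16) for tok in line.split() if HEX_PAIR.match(tok))
    return bytes(out)


def find_pe_start(blob):
    """Offset of the first 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature, or -1.

    Validating e_lfanew avoids carving at a stray 'MZ' in the junk before the real header.
    """
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):                           # full DOS header present?
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if e_lfanew >= 0x40 and blob[pe_off:pe_off + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def carve_dll(blob):
    """Drop everything before the validated MZ header; raise if no PE image is found."""
    start = find_pe_start(blob)
    if start < 0:
        raise ValueError("no MZ/PE header found in blob")
    return blob[start:]


if __name__ == "__main__":
    # Usage: python carve_dll.py output.hex fixed.dll   (falls back to the constructed sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            raw = decode_hex_dump(fh.read())
        out_path = sys.argv[2]
    else:
        raw = decode_hex_dump(SAMPLE_HEX)
        out_path = "carved_sample.dll"
    start = find_pe_start(raw)
    print(f"PE header found at offset {start}; {start} junk bytes removed")
    dll = carve_dll(raw)
    with open(out_path, "wb") as fh:
        fh.write(dll)
    print(f"wrote {len(dll)} bytes to {out_path}")
```

Run it against the hex file produced by the oledump command above and the carved output should pass the file check from Figure 6 without any manual hex editing.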
In Figure 6, running the file command again shows that the DLL is fixed. One last thing we need to do is extract the rundll32 command from the original DOC file. The Chanitor DLL presents several fake exports, so an analyst using a utility like CFF Explorer will not find the correct function. Piping the output of the olevba.py utility through grep, we can search for anything referencing rundll32.
Figure 7: Function to call Rundll32.exe
The first line of the output uses the Shell command to launch rundll32 with the export name "XBDOAOUFMRH" as its parameter. Therefore, to recreate this we can type:
rundll32.exe fixed.dll XBDOAOUFMRH
Figure 8: Chanitor C2 traffic caught in memory strings
In Figure 8 we see that the DLL launches and persists, unlike when it ran from the DOC file earlier. We can search the process's memory strings with Process Hacker for the PHP endpoints that the C2 uses. This gives analysts a foothold from which they can build additional strategies for dealing with Chanitor, such as bash scripts that automatically extract the DLL.
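The grep-over-olevba step and the memory-strings search in Figure 8 can be scripted as well. Below is an added Python example (not code from the original post) that scans macro source in the shape of olevba.py output for a Shell call to rundll32 and pulls out the export name it passes, then extracts PHP C2 endpoints from a strings dump and defangs them in the hXXp/[.] style used in the IOC table. Both inputs are constructed: the VBA snippet only mimics the structure the post describes (a Shell call passing the export XBDOAOUFMRH), and the strings dump reuses the endpoints from the IOC list plus filler lines.

```python
import re

# Constructed macro excerpt in the shape of olevba.py output (not the real Chanitor macro):
# a Shell call that launches rundll32 against a dropped DLL with one named export.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim p As String
    p = Environ("TEMP") & "\q.dll"
    Call Shell("rundll32.exe " & p & ", XBDOAOUFMRH", vbHide)
End Sub
'''

# Constructed strings dump: the C2 endpoints from the IOC table, one duplicate, and filler
# lines of the kind a real Process Hacker strings view is full of.
SAMPLE_STRINGS = """\
KERNEL32.dll
GetProcAddress
http://hrowedinizoin.ru/8/forum.php
Content-Type: application/x-www-form-urlencoded
http://lowermuccon.ru/8/forum.php
http://thotainizent.com/8/forum.php
http://hrowedinizoin.ru/8/forum.php
"""

# rundll32 takes "<dll>,<export>"; the token after the comma is the export name.
RUNDLL32_EXPORT = re.compile(r"rundll32(?:\.exe)?[^\n]*?,\s*([A-Za-z0-9_]+)", re.I)
# http(s) URL whose path ends in .php, the C2 shape this family uses.
PHP_URL = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s\"'<>]*)?\.php", re.I)


def extract_rundll32_export(vba_text):
    """Return the export name a Shell call in the macro passes to rundll32, or None.

    olevba prints the macro source verbatim, so filtering lines for Shell and rundll32
    (the grep from the post) and applying one regex is enough.
    """
    for line in vba_text.splitlines():
        low = line.lower()
        if "shell" in low and "rundll32" in low:
            m = RUNDLL32_EXPORT.search(line)
            if m:
                return m.group(1)
    return None


def rundll32_command(dll_path, export):
    """Build the analyst's command line for the carved DLL, in the form the post uses."""
    return f"rundll32.exe {dll_path} {export}"


def defang(url):
    """Render a URL non-clickable: http -> hXXp, and '.' -> '[.]' in the host part only."""
    scheme, host, rest = re.match(r"(https?://)([^/]+)(.*)", url, re.I).groups()
    return scheme.replace("http", "hXXp") + host.replace(".", "[.]") + rest


def extract_c2_endpoints(strings_dump):
    """Unique PHP endpoints from a strings dump, in first-seen order, defanged for reporting."""
    seen = []
    for url in PHP_URL.findall(strings_dump):
        if url not in seen:
            seen.append(url)
    return [defang(u) for u in seen]


if __name__ == "__main__":
    export = extract_rundll32_export(SAMPLE_VBA)
    print("export from macro:", export)
    print("analyst command  :", rundll32_command("fixed.dll", export))
    for ioc in extract_c2_endpoints(SAMPLE_STRINGS):
        print("C2 endpoint      :", ioc)
```

Feed extract_rundll32_export the output of olevba.py and extract_c2_endpoints a strings dump saved from Process Hacker, and the two results are the rundll32 command and the defanged IOC rows.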
Your security team can also use Cofense Vision to search for the recurring subject line to identify new campaigns. As this Chanitor chase demonstrates, our analysts work tirelessly to keep your organization safe from malware-laden phishing email. We can help your business, too, with solutions that save you time, costly service interruptions and reputational harm while improving your resilience against cyber threats. Contact us to learn more.
Network IOC | IP
hXXps://docs[.]google[.]com/document/d/e/2PACX-1vSHajW-ET5doMY8qEduk43dTuVRhETL7FSjkQpqfJg2zvU8PimHsRPhrLkbG5ueg8BXz5W2zhQ4BG52/pub | 172.217.2.110
hXXp://folstop[.]com/penicilin.php | 77.79.239.202
hXXp://hrowedinizoin[.]ru/8/forum.php | 2.56.10.123
hXXp://lowermuccon[.]ru/8/forum.php | 95.47.161.162
hXXp://thotainizent[.]com/8/forum.php | 45.90.46.59