Products
Products
Detection
Intelligence
About Cofense
About Cofense
Leadership
Free Tools
Free Tools
Build Resilience
Create Transparency
Speed Response

Welcome to the Cofense Blog

Get the latest information on phishing threats and trends, BEC, ransomware and credential phishing, plus Cofense product updates.

Follow us on Social Media

Extracting Pesky Chanitor DLLs

By Zachary Bailey, Cofense Phishing Defense Center

Chanitor, also known as Hancitor, is a malware that is challenging to detect. The initial infection vector is often through a Google Doc link, which shows a professional-looking template to download a file. Clicking the download button will connect to a PHP endpoint that will run a location check on your computer’s location and redirect you to DocuSign’s website. If you pass the check, a DOC file will drop. Once the user enables Office Macros in the Microsoft Word Document, the embedded DLL will be extracted and run in memory before connecting to Chanitor’s command and control (C2) servers.

The difficulty in analyzing Chanitor is when it decides to not run. It will check to see if it has been run before on the machine or sometimes not even run at all on the first attempt. The DLL also presents fake export functions to hinder manually running the program. As a last resort, you will have to manually extract the configuration to run the DLL, as well as to carve out the DLL itself.

Figure 1: Fake DocuSign Email

In Figure 1 we see the current Chanitor/Hancitor campaign, luring users with phishing emails that spoof DocuSign. These emails typically reference an invoice that needs to be viewed or approved. These emails are crafted to look like legitimate requests, even renaming the sender as “DocuSign Signature Service.” The email footer also describes another way to sign in, directing the recipient to the DocuSign website to enter an access code.

Figure 2: Landing Page for Chanitor

However, if the user is enticed to click on this lure and clicks to see the document, they will be taken to a clean Google Docs template with a random title and a prompt to click on a download link, as seen in Figure 2. As stated before, several checks will be made to verify the user in the target geo-region before a DOC file is dropped. Performing analysis on this file can be difficult given its determination to not run properly; manually extracting and running the embedded DLL is the best way to get the C2s.