By Zachary Bailey, Cofense Phishing Defense Center
Chanitor, also known as Hancitor, is a malware that is challenging to detect. The initial infection vector is often through a Google Doc link, which shows a professional-looking template to download a file. Clicking the download button will connect to a PHP endpoint that will run a location check on your computer’s location and redirect you to DocuSign’s website. If you pass the check, a DOC file will drop. Once the user enables Office Macros in the Microsoft Word Document, the embedded DLL will be extracted and run in memory before connecting to Chanitor’s command and control (C2) servers.
The difficulty in analyzing Chanitor is when it decides to not run. It will check to see if it has been run before on the machine or sometimes not even run at all on the first attempt. The DLL also presents fake export functions to hinder manually running the program. As a last resort, you will have to manually extract the configuration to run the DLL, as well as to carve out the DLL itself.
Figure 1: Fake DocuSign Email
In Figure 1 we see the current Chanitor/Hancitor campaign, luring users with phishing emails that spoof DocuSign. These emails typically reference an invoice that needs to be viewed or approved. These emails are crafted to look like legitimate requests, even renaming the sender as “DocuSign Signature Service.” The email footer also describes another way to sign in, directing the recipient to the DocuSign website to enter an access code.
Figure 2: Landing Page for Chanitor
However, if the user is enticed to click on this lure and clicks to see the document, they will be taken to a clean Google Docs template with a random title and a prompt to click on a download link, as seen in Figure 2. As stated before, several checks will be made to verify the user in the target geo-region before a DOC file is dropped. Performing analysis on this file can be difficult given its determination to not run properly; manually extracting and running the embedded DLL is the best way to get the C2s.
Figure 3: Oledump output
The first step in our process is to identify where the DLL is inside the DOCX file. We can use “Oledump.py”, a Python utility seen in Figure 3, to search for all the objects in an Office file. We notice that at stream 16 there is an “O”, meaning that an object has been identified. We can then extract this specific object using the following command:
‘oledump.py 0519_4467026886302.doc -s 16 –decompress -x > output.hex’
All that is left to do is decode the output, and the built-in Linux file command should identify this as a DLL (Figure 4).
Figure 4: Checking file type
In a strange twist, Linux does not recognize this as a DLL. Running the “head” command, we can see why right away.