By Zachary Bailey, Cofense Phishing Defense Center

Chanitor, also known as Hancitor, is malware that is challenging to detect. The initial infection vector is often a Google Docs link that presents a professional-looking template with a button to download a file. Clicking the download button connects to a PHP endpoint that checks the visitor’s geographic location and redirects them to DocuSign’s website. If the check passes, a DOC file is dropped. Once the user enables Office macros in the Microsoft Word document, the embedded DLL is extracted and run in memory before connecting to Chanitor’s command and control (C2) servers.

The difficulty in analyzing Chanitor is that it often decides not to run: it checks whether it has already been run on the machine, and sometimes it does not run at all on the first attempt. The DLL also presents fake export functions to hinder running it manually. As a last resort, you have to carve out the DLL yourself and manually extract the configuration needed to run it.

Figure 1: Fake DocuSign Email

In Figure 1 we see the current Chanitor/Hancitor campaign, luring users with phishing emails that spoof DocuSign. These emails typically reference an invoice that needs to be viewed or approved. These emails are crafted to look like legitimate requests, even renaming the sender as “DocuSign Signature Service.” The email footer also describes another way to sign in, directing the recipient to the DocuSign website to enter an access code.

Figure 2: Landing Page for Chanitor

However, if the user takes the lure and clicks to see the document, they are taken to a clean Google Docs template with a random title and a prompt to click a download link, as seen in Figure 2. As stated before, several checks are made to verify that the user is in the targeted geographic region before a DOC file is dropped. Analyzing this file can be difficult given its determination not to run properly; manually extracting and running the embedded DLL is the most reliable way to get the C2s.

Figure 3: Oledump output

The first step in our process is to identify where the DLL is inside the DOC file. We can use oledump.py, a Python utility seen in Figure 3, to list all the streams in an Office file. At stream 16 there is an “O”, meaning that an embedded object has been identified. We can then extract this specific object using the following command:

oledump.py 0519_4467026886302.doc -s 16 --decompress -x > output.hex

All that is left to do is decode the hex output back into a binary, and the built-in Linux file command should then identify it as a DLL (Figure 4).

Figure 4: Checking file type

In a strange twist, the file command does not recognize this as a DLL. Running the head command shows why right away.

Figure 5: Top of the DLL file

Several characters and strings that should not be there sit in front of the correct DLL header, and a valid PE file must begin with that header at offset 0. In a hex editor, we can manually cut everything up to “4D 5A 90 00”, which is the MZ header.
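The same carve can be scripted so that it does not depend on eyeballing a hex editor. The Python below is an added example, not code from the post or from Cofense: it decodes a dump of hex byte pairs (assumed to be the shape of oledump’s -x output; tokens that are not exactly two hex digits, such as an offset column, are skipped), then locates the MZ header. It does not stop at the first “MZ” it sees, because the junk in front of the DLL can contain those two bytes by chance; each candidate is validated by following e_lfanew (the DWORD at MZ+0x3C) to the “PE\0\0” signature. The input it carves by default is a constructed stub with a decoy “MZ”, not a real Chanitor DLL.

```python
import re
import struct
import sys


def hexdump_to_bytes(text: str) -> bytes:
    """Convert a dump of whitespace-separated hex byte pairs back into bytes.

    Assumption: the dump is bare byte pairs, as oledump's -x option writes.
    Tokens that are not exactly two hex digits (an offset column, a stray
    label) are ignored, so a dump with offsets still decodes cleanly.
    """
    pairs = re.findall(r"\b[0-9A-Fa-f]{2}\b", text)
    return bytes(int(p, 16) for p in pairs)


def find_pe_offset(blob: bytes) -> int:
    """Return the offset of the first 'MZ' that starts a real PE image, or -1.

    A bare 'MZ' search is not enough: the junk in front of the DLL can contain
    those two bytes by accident, so each candidate is validated by reading
    e_lfanew (the DWORD at MZ+0x3C) and checking that it points at 'PE\\0\\0'.
    """
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if pe + 4 <= len(blob) and blob[pe:pe + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1


def carve_dll(blob: bytes) -> bytes:
    """Drop everything in front of the validated MZ header."""
    off = find_pe_offset(blob)
    if off < 0:
        raise ValueError("no MZ/PE header found in the extracted object")
    return blob[off:]


def build_sample() -> bytes:
    """Constructed test input, not a real Chanitor DLL: text junk containing a
    decoy 'MZ', followed by a minimal DOS header whose e_lfanew points at a
    bare PE signature."""
    junk = b'Attribute VB_Name = "x"\r\nMZ-not-a-header\r\n'
    e_lfanew = 0x80
    dos_header = b"MZ\x90\x00" + b"\x00" * (0x3C - 4) + struct.pack("<I", e_lfanew)
    dos_stub = b"\x00" * (e_lfanew - len(dos_header))
    pe_header = b"PE\x00\x00" + struct.pack("<H", 0x14C)  # IMAGE_FILE_MACHINE_I386
    return junk + dos_header + dos_stub + pe_header + b"\x00" * 16


if __name__ == "__main__":
    # Usage: python carve_dll.py output.hex fixed.dll
    # With no arguments the constructed sample is carved instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            data = hexdump_to_bytes(fh.read())
        with open(sys.argv[2], "wb") as out:
            out.write(carve_dll(data))
    else:
        data = build_sample()
    print(f"MZ header found at offset {find_pe_offset(data):#x}")
```

Run it with the hex dump produced by the oledump command above and an output path; the carved file is what the file command should then report as a PE32 DLL. The e_lfanew check is the part worth keeping even if you carve by hand: it is the quickest way to tell a real header from a stray “MZ” inside the junk.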


Figure 6: Corrected header output

In Figure 6, running the file command again shows that the DLL is fixed. One last thing we need to do is extract the rundll32 command from the original DOC file. The Chanitor DLL presents several fake exports, so an analyst who inspects the export table with a utility like CFF Explorer will not find the correct function. Using the output of the olevba.py utility, we can grep for anything referencing rundll32.

Figure 7: Function to call Rundll32.exe

The first line in the output uses the Shell command to launch rundll32 with the export name “XBDOAOUFMRH”. Therefore, to recreate this we can type:

rundll32.exe fixed.dll,XBDOAOUFMRH
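Because the export table cannot be trusted, the macro source is the authoritative place to read the entry point from. The Python below is an added example, not code from the post or from Cofense, and the VBA it parses is constructed to resemble a dropper macro (the real macro from this sample is only shown in Figure 7). For each line that mentions rundll32 it glues the string literals back together, so a path assembled from variables at run time drops out, and takes the identifier after the comma as the export name; it then builds the rundll32 command line in the documented dll,entrypoint form.

```python
import re

# Constructed VBA, shaped like what olevba prints for a dropper macro; it is
# not the macro from the sample in the post, and the path is made up.
VBA_SAMPLE = r'''
Sub AutoOpen()
    Dim p As String
    p = Environ("TEMP") & "\fixed.dll"
    Call Shell("rundll32.exe " & p & ",XBDOAOUFMRH", vbHide)
End Sub

Sub Decoy()
    ' unrelated launch that must not be reported
    Shell "calc.exe", vbNormalFocus
End Sub
'''

STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')
ENTRY_POINT = re.compile(r",\s*([A-Za-z_][A-Za-z0-9_]*)")


def find_rundll32_entries(vba_source: str) -> list:
    """Return the export names handed to rundll32 in the macro source.

    For each line that mentions rundll32, the string literals are glued back
    together (a path assembled from variables at run time drops out) and the
    identifier after the comma is taken as the entry point. Reading it from
    the macro matters because the DLL's own export table carries decoy names.
    """
    entries = []
    for line in vba_source.splitlines():
        if "rundll32" not in line.lower():
            continue
        joined = "".join(STRING_LITERAL.findall(line))
        match = ENTRY_POINT.search(joined)
        if match:
            entries.append(match.group(1))
    return entries


def rundll32_command(dll_path: str, entry: str) -> str:
    """Build the command used to launch the carved DLL by hand."""
    return f"rundll32.exe {dll_path},{entry}"


if __name__ == "__main__":
    for entry in find_rundll32_entries(VBA_SAMPLE):
        print(rundll32_command("fixed.dll", entry))
```

Feed it the text that olevba.py prints for the document instead of VBA_SAMPLE and it yields the same export name the grep in Figure 7 turned up, ready to paste into the command above. If a macro builds the export name itself from concatenated variables the literal-gluing step will not see it; in that case fall back to reading the decoded macro by hand.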

Figure 8: Chanitor C2 traffic caught in memory strings

In Figure 8 we see that the DLL launches and persists, unlike when it ran from the DOC file earlier. We can search the process’s memory strings with Process Hacker for the PHP endpoints that the C2 uses. This gives analysts a foothold from which to build additional strategies for dealing with Chanitor, such as bash scripts that automatically extract the DLL.

Your security team can also use Cofense Vision to search for the recurring subject line to identify new campaigns. As this Chanitor chase demonstrates, our analysts work tirelessly to keep your organization safe from malware-laden phishing email. We can help your business, too, with solutions that save you time, costly service interruptions and reputational harm while improving your resilience against cyber threats. Contact us to learn more.

Network IOC | IP
hXXps://docs[.]google[.]com/document/d/e/2PACX-1vSHajW-ET5doMY8qEduk43dTuVRhETL7FSjkQpqfJg2zvU8PimHsRPhrLkbG5ueg8BXz5W2zhQ4BG52/pub | 172.217.2.110
hXXp://folstop[.]com/penicilin.php | 77.79.239.202
hXXp://hrowedinizoin[.]ru/8/forum.php | 2.56.10.123
hXXp://lowermuccon[.]ru/8/forum.php | 95.47.161.162
hXXp://thotainizent[.]com/8/forum.php | 45.90.46.59
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.