Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Protect assets from ransomware, trojans, rootkits and more.
Intelligence and visibility across AWS, O365, DevOps and more.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
The eSentire Threat Intelligence team is tracking a recently identified campaign delivering Hancitor malware through malicious “HelloFax” emails. This campaign leverages trusted cloud services for delivering malicious Microsoft Word documents to victims. If executed successfully, Hancitor results in the installation of additional malware such as banking trojans.
HelloFax is an online fax service that allows users to send PDF documents as faxes or receive faxes as PDF documents via email.
Hancitor is a downloader that has been known to download and install a variety of other malware including banking trojans and ransomware. Although originally identified in 2014, Hancitor has remained popular amongst threat actors, and is actively maintained and modified.
Beginning on April 19, 2018, eSentire’s Security Operation Centre responded to multiple incidents associated with this threat. Observed emails include a link to one of several compromised domains hosting malicious Word documents on Google Drive. End users that download the file and enable macros will unwittingly be infected by the Hancitor downloader (see figure 1 for example). This is an active campaign; the attacker may institute additional compromised domains to carry out attacks.
When the document macro is executed, it will inject malicious code into a svchost.exe process. The svchost.exe process will then reach out to the Hancitor Command and Control infrastructure to download a secondary payload. Recently observed secondary payloads for Hancitor have included the Pony Trojan and the Zeus Panda Banking Trojan.
[image src="/assets/9edbde9e29/HelloFax-Hancitor-Campaign-figure-1.jpg" id="1226" width="589" height="419" class="center ss-htmleditorfield-file image" title="HelloFax Hancitor Campaign figure 1"]
*eSentire is actively blocking observed Hancitor Command and Control infrastructure.
As the malicious Word documents are hosted using a trusted cloud service (IP 18.104.22.168 and Google Drive), it is not feasible to block these addresses at this time.