Malicious Hancitor Downloader Receives an Update

Security researchers at FireEye have reported that the malicious Hancitor downloader has been updated again. The latest version of the malware now uses a three-pronged approach to infect users and gain access to – and steal –data.

The Hancitor downloader was first discovered about two years ago, although infections had all but stopped for a number of months until the malware re-emerged in May this year. Now it would appear that the malware has been updated again and has new capabilities. According to FireEye researchers, “These [new] capabilities include leveraging uncommon APIs and obscuring malicious PowerShell commands, tactics that made detection more challenging.”

The malware is primarily being spread by spam email via infected documents that appear to be invoices. Infection occurs via an embedded Office macro. If the user has macros set to run automatically, or if the macros are allowed to run, the Hancitor executable will be downloaded. In addition to infecting the user’s device, the malware also downloads the Pony information stealer and Vawtrak; a banking malware. Pony is capable of stealing information from autocomplete forms as well as passwords stored by web browsers and Microsoft Outlook data.

The three different approaches are used by the Hancitor downloader to infect end users, which distinguish it from other malware spread via malicious macros.

One approach used by the developers of Hancitor is to call an uncommon native Windows API “callWindowProc” which is used to interpret and execute shellcode. Another approach is to use a new API Callback function – EnumResourceTypesA – to interpret and run shellcode.

The third approach uses malicious PowerShell commands. When the end user enables macros after opening the infected document, they also inadvertently permit PowerShell commands to be run. The malware combines different code fragments from the section_header of the image imbedded in the document, which are used to assemble PowerShell commands. According to the researchers, “This technique will evade some basic static methods of detection applied to macros macro forms.”

While embedding code in a document makes it relatively easy for anti-virus solutions to detect, “with Hancitor the code is embedded in the VB that encrypts it in a way that the AV isn’t going to find it.”

In order to prevent infection, administrators should ensure that macros are blocked by Group Policy if they originate from the Internet. If it is not possible to block the use of macros, end users should be warned of the risks of opening macros and told never to enable macros on documents received from unknown senders.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of