Attackers Co-Opted Malware for Data Exfiltration and Ransom, Group-IB Finds
Attackers co-opted the Hancitor malware downloader and recently used it to deliver Cuba ransomware as part of an email spam campaign for data exfiltration and ransom extortion, a new report by security firm Group-IB finds.
Group-IB notes a ransomware gang used Hancitor to help gain access to targeted networks, spreading the malware in malicious email attachments disguised to look like DocuSign notifications. Once a victim’s device was compromised, the campaign operators then used Cuba ransomware’s dedicated data leak site to publish the exfiltrated data if its ransom demands were not met.
It’s unclear when the campaign began or who the victims are. But as of late April, Group-IB researchers noted the site had listed data of nine companies, primarily from aviation, financial, education and manufacturing industries in the U.S. and Europe.
Although Hancitor has been active since 2013, the strain remained largely inactive in recent years. With the latest campaign, the malware has resurfaced and appears to have been used in the practice of “big game hunting,” in which hackers hunt down larger targets in an attempt to obtain larger payouts.
The campaign began with the attackers sending a malicious email with the fake DocuSign notification. The victims were then tricked to click ‘enable’ to view the document. When the content was enabled, Hancitor downloaded the payload from the attacker’s server.
The malware downloader then deployed Ficker Stealer to extract data from various web browsers, mail clients and cryptocurrency wallets. The malware also downloaded Cobalt Strike components for credential dumping, lateral movement and network scanning capabilities.
The researchers further note that Cuba ransomware samples used by the attackers appear less sophisticated than earlier versions, with the hackers leveraging common techniques in their operations. “Despite this, their attacks are still quite effective and affective,” the researchers say.
Organizations targeted by the campaign should review MITRE ATT&CK mapping and a corresponding mitigations list, Group-IB recommends.
Attackers have used Hancitor downloader and Cuba ransomware to target several victims in previous campaigns.
For instance, in February, Cuba ransomware hit a Seattle-based billing and payment processing provider used by organizations and government agencies across California and Washington (see: ‘Cuba’ Ransomware Gang Hits Payment Processor, Steals Data).
In 2019, a report by security firm MalwareBytes found hackers were deploying Emotet, Hancitor and Trickbot as part of a malspam campaign (see: Emotet Malware Returns to Work After Holiday Break).
In 2017, two security researchers found that the 2016 energy blackout in Ukraine was initially caused by a spear-phishing attack that deployed Hancitor. The researchers found the hackers used Hancitor to install additional attack code on infected systems and that it had undergone 500 iterations two weeks before it was deployed (see: Ukraine Blackout Redux: Hacking Confirmed).