Home Cyber Attack New Hancitor Malware Loader Delivers Malware Via Clipboard

New Hancitor Malware Loader Delivers Malware Via Clipboard

by Abeerah Hashim
Konni RAT malware targets Windows via malicious Word files

A new malware dropper has surfaced online targeting users in recent phishing campaigns. Identified as Hancitor, this loader typically drops malware by exploiting the clipboard, possibly, to escape detection.

Hancitor Malware Dropper Exploits Clipboard

According to a recent blog post, researchers from the McAfee Labs have found a new malware-as-a-service “Hancitor” executing phishing campaigns.

As elaborated, Hancitor uses the Windows clipboard Selection.Copy method to drop malware in target systems.

Briefly, the attack begins when a victim receives a DocuSign-themed phishing email with a link to the malicious document. Clicking on the link downloads the malicious Word file on the system. Opening this attachment won’t do anything right away due to the default app configuration that disables Macros. However, enabling Macros then allows the embedded malware to execute while exploiting Windows clipboard.

To ensure successful attack, the attackers even lure the victims into enabling Macros by pasting instructional images in the document.

Describing what happens next, the researchers stated,

As soon as the victim enables editing, malicious macros are executed via the Document_Open function.
There is an OLE object embedded in the Doc file…
The loader VBA function, invoked by document_open, calls this random function (Figure 6), which moves the selection cursor to the exact location of the OLE object using the selection methods (.MoveDown, .MoveRight, .MoveTypeBackspace). Using the Selection.Copy method, it will copy the selected OLE object to the clipboard.

Now, the dropped malware resides in the %temp% folder as a document file, a rather unconventional technique. This document then further drops the subsequent Hancitor payload as a DLL for final execution.

The researchers have noticed Hancitor typically serving like a “Malware-as-a-Service” as it distributes different malware in various campaigns. Some of these include FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and more.

Presently, they have found this malware targeting different regions globally, including the USA, China, and India as the primary targets.

Watch Out for Phishing

Since the year-end holidays are approaching, such phishing attacks may increase further. Therefore, all users must remain very careful while checking emails. Ideally, users must avoid opening any emails from unrecognized senders, particularly, those with malicious attachments and links.

Let us know your thoughts in the comments.

You may also like