Malicious Microsoft VSCode extensions steal passwords, open remote shells

*Content borrowed from bleepingcomputer.com.

Cybercriminals are starting to target Microsoft’s VSCode Marketplace, uploading three malicious Visual Studio extensions that Windows developers downloaded 46,600 times.

According to Check Point, whose analysts discovered the malicious extensions and reported them to Microsoft, the malware enabled the threat actors to steal credentials, system information, and establish a remote shell on the victim’s machine.

The extensions were discovered and reported on May 4, 2023, and they were subsequently removed from the VSCode marketplace on May 14, 2023.

However, any software developers still using the malicious extensions must manually remove them from their systems and run a complete scan to detect any remnants of the infection.

Malicious cases on the VSCode Marketplace

Visual Studio Code (VSC) is a source-code editor published by Microsoft and used by a significant percentage of professional software developers worldwide.

Microsoft also operates an extensions market for the IDE called the VSCode Marketplace, which offers over 50,000 add-ons that extend the application’s functionality and provide more customization options.

The malicious extensions discovered by Check Point researchers are the following:

‘Theme Darcula dark’ – Described as “an attempt to improve Dracula colors consistency on VS Code,” this extension was used to steal basic information about the developer’s system, including hostname, operating system, CPU platform, total memory, and information about the CPU.

While the extension did not contain other malicious activity, it is not typical behavior associated with a theme pack.

This extension had the most circulation by far, downloaded over 45,000 times.

Darcula extension on the VSCode Marketplace
Darcula extension on the VSCode Marketplace (Check Point)

‘python-vscode’ – This extension was downloaded 1,384 times despite its empty description and uploader name of ‘testUseracc1111,’ showcasing that having a good name is enough to garner some interest. 

Analysis of its code showed that it is a C# shell injector that can execute code or commands on the victim’s machine.

Obfuscated C# code injector
Obfuscated C# code injector (Check Point)

‘prettiest java’ – Based on the extension’s name and description, it was likely created to mimic the popular ‘prettier-java‘ code formatting tool.

In reality, it stole saved credentials or authentication tokens from Discord and Discord Canary, Google Chrome, Opera, Brave Browser, and Yandex Browser, which were then sent to the attackers over a Discord webhook.

The extension has had 278 installations.

Searching for local secrets
Searching for local secrets (Check Point)

Check Point also found multiple suspicious extensions, which could not be characterized as malicious with certainty, but demonstrated unsafe behavior, such as fetching code from private repositories or downloading files.

Software repositories come with risk

Software repositories allowing user contributions, such as NPM and PyPi, have proven time and time again to be risky to use as they have become a popular target for threat actors.

While VSCode Marketplace is just starting to be targeted, AquaSec demonstrated in January that it was fairly easy to upload malicious extensions to the VSCode Marketplace and presented some highly suspicious cases. However, they were not able to find any malware.

The cases discovered by Check Point demonstrate that threat actors are now actively attempting to infect Windows developers with malicious submissions, precisely like they do in other software repositories such as the NPM and PyPI.

Users of the VSCode Marketplace, and all user-supported repositories, are advised to only install extensions from trusted publishers with many downloads and community ratings, read user reviews, and always inspect the extension’s source code before installing it.

Related Articles:

The new info-stealing malware operations to watch out for

Facebook disrupts new NodeStealer information-stealing malware

New Atomic macOS info-stealing malware targets 50 crypto wallets

EvilExtractor malware activity spikes in Europe and the U.S.

Typhon info-stealing malware devs upgrade evasion capabilities

Kpot, The info stealer

Kpot, an older information stealer just got a major update and is seen in the wild again. This time Kpot brings zero persistence (meaning its never written to your computer) and instead does all of its attacks in memory before leaving your computer completely. Removing the ability to detect it without Real-time protection.

How it works

Kpot is delivered mainly through malicious email attachments, when opened they request permission to “Enable Editing” and appear to be unreadable without clicking on it. This attack vector, however, provides the attacker with full access to the computer. After the attack vector is used Kpot gets to work extracting as much as it can. First, it sends a message to its C&C server and asks what it should do. The reply can include many possible commands that can be updated in time, at the time of this writing it includes the following.

Browsers (Chrome, Mozilla, Internet Explorer): cookies, passwords, Autofill data, and history are taken and sent back to the C&C server.

Crypto: various cryptocurrency files. This can reveal numerous information regarding credentials, emails, and wallets depending on what the software used stores on the computer.

Discord: A chat interface advertised mainly to gamers: chat history, and user information can be stolen from files on the computer.

Battlenet: A game portal for World of Warcraft, StarCraft, and Diablo among others. Information regarding accounts can be stolen this way leading to compromised accounts without further fail safes such as 2-factor authentication.

Screenshots: Kpot can take pictures of what you are currently doing. This could be done when it recognizes open bank windows or other compromising information that may not be stored on your computer but are visible on the screen.

Windows credentials: Kpot can steal your windows account information such as username and password.

Grabber: A more advanced version than Qulab uses, Kpot uses its grabber to find any files that may have information but are not connected to an application. An example would be “passwords.txt” on the computer. Note that it does not focus on the naming and instead goes for taking any files ending in certain letters, such as txt, pdf, and doc to name a few.

Delete: Kpot uses this command to delete itself from the computer and any other evidence it might have been there.

Who is affected?

One of the scary things about Kpot is that is very affordable on the dark web. Coming in at only $100 with support optional it no longer takes a master hacker to obtain an information stealer that they can then use in a variety of ways. These could be slipped into downloads from illegitimate sources or used in malspam campaigns.

Indicators of Compromise

What you can do


If you or someone you know is infected with Kpot malware download SUPERAntiSpyware Professional right now and get a 14 day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Kpot from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal

New cross platform rootkit: Scranos

Scranos is a new player to the global malware scene that leverages many well-known and some new methods to obtain login credentials and bank information. It can also steal or manipulate information from several online accounts to access your Amazon, Airbnb, Facebook, Steam, and YouTube accounts.

How it works

Scranos is installed through various methods, including:

  • cracked software
  • pirated videos and movies
  • legal alternative software such as e-book readers, video players, driver updaters, and fake antimalware products

When installed, Scranos installs a rootkit driver that ensures it remains on the computer unless removed by a legitimate antivirus program.

Once Scranos has gained persistence, it injects another running process with a downloader so that it can download other functionally. When it’s done, Scranos removes All downloaded contentfrom the computer to make it easier to keep itself hidden.

Among the functionality that Scranos downloads is a YouTube module.  This module launches Chrome (and installs it if it’s not already installed), goes to YouTube, mutes it, and subscribes to channels that the attackers use to earn money. Other methods Scranos uses to gain information include:

  • stealing information from various online platforms
  • modules that inject various false advertisement
  • bitcoin miners

In addition, Scranos has capabilities to infect other operating system such as Linux, IOS, and Android. These targets can be installed through phishing attempts from infected users’ Facebook messages.

Who is affected?

Scranos, due to its infection methods, can affect anyone, even those who do not download illegal software. While Scranos has been active in a testing form in several regions, it has been noticed on a global scale in recent months, indicating that testing may be done, or that they are testing on a larger scale. Either way, Scranos seems to just be getting started, and everyone is at risk.

Indicators of compromise

  1. YouTube or Facebook accounts showing activity during times it was not used
  2. %WINDIR%\System32\<random looking names>
  3. wcrx.exe
  4. Chrome extensions that the user didn’t install
  5. Y2B.EXE
  6. HKCU\Software\@demo
  7. HKLM\Software\Microsoft\@msver1
  8. HKLM\Software\Microsoft\@msver2
  9. HKLM\Software\Microsoft\@o2
  10. HKLM\Software\Microsoft\@o3

What you can do


If you or someone you know is infected with Scranos malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Scranos from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

WinRAR Vulnerability

File compression has been an indispensable tool for computer users ever since it was first developed in the late 1980’s. Back then space on relatively small hard drives was at a premium, and compacting files that weren’t currently being used was a great way to free up a few valuable megabytes. These archived files also transferred faster over the slow, newborn internet.

Today there are many varieties of file compression: Zip, Gzip, RAR, 7z to name a few. WinRAR is a utility that allows you to compress/decompress most of the more common compressed file types, and many less-used types.

One of these lesser-used file types is called ACE. Recently a vulnerability has been found in WinRAR that can allow a malicious ACE archive to drop malware onto your system. This flaw has been present in WinRAR for 19 years but was just noticed earlier this year.

They have since patched their software with the release of version 5.70, but unfortunately WinRAR does not automatically check for updates. This means that there are millions of users out there with older versions of the software on their machine just waiting to be attacked.

Social engineering tactics have been used with these malicious archives, with adult photos or mp3s displayed inside them to entice the user to open the compressed file thereby infecting their system. Backdoors seem to be a common payload distributed by this process.

SUPERAntiSpyware can help protect you from many of the malware variants that have been distributed through this method. Along with keeping SUPERAntiSpyware’s definition database up-to-date, we recommend updating WinRAR to version 5.70 just to be safe.

TrickBot

TrickBot is once again making itself known during tax season and attempting to steal your hard-earned money. TrickBot was originally discovered in October of 2016 but has since changed and evolved dramatically into one of the most prolific hacking attacks today.

How it works

Just like Emotet, TrickBot primary spreads by specially designed emails or malspam that attempts to trick the user into clicking or downloading the attachment. The current campaign, as of this writing, is TrickBot’s normal tax season attack:  pretending to be the IRS. In the example below, the link will send you a to a domain that looks official but is slightly misspelled.

Once TrickBot is installed on a computer, it sets up a scheduled task to make sure it has a persistent presence on the computer before starting to steal information. In addition, it disables Windows Defender early on so that it won’t be removed. SUPERAntiSpyware is not stopped in this way.

TrickBot does not show any signs of running on a user’s computer and the only “noise” it makes is the network traffic it creates. Recording network traffic is generally only done by businesses, which helps TrickBot evade detection on personal computers.

TrickBot uses a module design, much like Emotet and other bankers.  Not only does this allow TrickBot to quickly change its attack capabilities, but it also makes it harder to detect. These modules often do one thing well rather than trying to do many things. Some are designed to go after hosted ftp servers, cached remote desktop credentials, and bitcoin mining accounts.

The most common module, however, allows TrickBot to redirect the user to fake bank sites that, instead of logging the user in, will steal account credentials. The scammers make this possible by domain squatting, or registering an internet address that is only slightly different than the one you intend to visit. For instance, if you receive an email about your GoDaddy account, you might not notice if a link in that email goes to godabdy.com/payyourbill  (godaddy is misspelled with a b instead of the second d).

This is compounded upon by hiding the URL so only the studious will look for it and by making the site look like you expect through careful recreation by the attackers. Many big companies will attempt to combat this by buying these fake sites and then redirecting them to the appropriate domain, but this is not always easily done.

Who is affected?

TrickBot is aimed more at business than casual users; however, it is still the number-one banker, and anyone who lives inside the USA, Africa, Europe, and Middle East should be wary. (This does not exclude other areas from being hit, just shows that they are not the current target.)

Indicators of Compromise

  1. C:\Documents and Settings\<USER>\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1275210071-920026266-1060284298-1003\8c8436195f6e0875edb85e34665c32ec_fabbc6a1-c573-4ea0-9ca1-50004b35a440
  2. C:\d2cc298a90c6ef939488b53ead12fd3549c3c0414733f6fdaf1762da31ea1e90
  3. sha256:  d2cc298a90c6ef939488b53ead12fd3549c3c0414733f6fdaf1762da31ea1e90       
  4. sha1: df404c6b1efc2cfbfdd0b7699554989dab03791f       
  5. md5: e580ca34929cf9b62e816adcebe715f2
  6. C:\Users\admin\AppData\Roaming\msscsc\e690ca34929cf9b72e917adcebe816f2.exe
  7. d2cc298a90c6ef939488b53ead12fd3549c3c0414733f6fdaf1762da31ea1e90         
  8. http://ip.anysrc.net/plain/clientip           
  9. Scheduled Task that points to a file in AppData such as C:\Users\<User>\AppData\Roaming\

What you can do


If you or someone you know is infected with TrickBot malware, download SUPERAntiSpyware Professional right now and get a 14 day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove TrickBot from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

Anatova

Anatova is the nickname given to a new brand of sophisticated ransomware that looks to encrypt your personal or business files and then demands payment to decipher them.

How it works

Anatova is distributed through peer-to-peer (P2P) file sharing networks. It masquerades as genuine software, often using real icons to fool users into believing it is authentic. Once you run the malicious software, it begins to encrypt your personal documents, after which it will demand you send payment to regain access to your files.

This can be extremely hazardous for larger organizations, since Anatova can affect files across local networks. This ransomware is designed to encrypt your files quickly to avoid detection. It fully encrypts files that are less than 1 Megabyte, and encrypts only a single Megabyte of files larger than that. Even though the larger files are not completely encrypted, enough damage has been done that they are, most likely, no longer usable.

Another fascinating thing about Anatova is its resistance to analysis. It encrypts most of its internal strings, cleans its own data out of memory, causes bugs in common analysis programs, and stops execution if it detects that it is in a virtual or test environment.

One of the most dangerous aspects of Anatova is the fact that it is built to be modular. This means that it was designed to have new features added to it at any time. Instead of just encrypting your files, future versions of Anatova could steal your personal info and passwords, add your computer to a malicious botnet, or a multitude of other things.

Who is affected

Due to its current distribution method, most people who do not use peer-to-peer file sharing should be safe from this threat. If you do you happen to use P2P file sharing, we strongly suggest you scan every file you download before opening it, both with SUPERAntiSpyware and VirusTotal.

The majority of Anatova detections have been in the United States, although infections have been seen across Europe as well. This malware checks your system language and refuses to run in several countries such as Iraq, India, and the Commonwealth of Independent States.

Indicators of compromise

Generally one of the biggest indicators of a ransomware attack is the changed extensions on the encrypted files. This ransomware, however, does not alter the file extensions, which makes casual detection of an Anatova infection more difficult.

A better indicator is the ransom note that this malware leaves behind. Anatova will drop a text file into each folder where it has encrypted a file. This text file gives instructions on how to pay the ransom to get your files unlocked:

All your files are crypted. Only us can decrypt your files, you need to pay 10 DASH in the address:

XnzvWQKv22uPDCYcuGebyoaVinekkJicbK

After the payment send us the address used to make the payment to one of these mail addresses:

anatova2@tutanota.com

anatoday@tutanota.com

Later wait for our reply with your decryptor. If you want to send us ONE JPG FILE ONLY max 200kb to decrypt per free before of payment

Don’t try fuck us, in this case you NEVER will recover your files. Nothing personal, only business.

Send this file untouched with your payment or/and free file!

—KEY—

<random key>

—KEY—

What you can do

SUPERAntiSpyware detects many variants of Anatova; however, new versions are being created all the time so make sure to always update to the latest database version. Also, upgrading to Real-Time protection will dramatically increase your level of protection from this threat.

Refraining from using Anatova’s primary infection vector — peer-to-peer file sharing services — should effectively keep your system safe from this infection. As stated before, if you do use P2P file sharing services, you must be extremely careful with what you download. Make sure to scan every file with SUPERAntiSpyware and VirusTotal to ensure it is safe before opening it.

How To Remove Anatova

  1. Using an uninfected system, search the internet for a decryptor for your particular version of Anatova and copy it to a USB drive — I would suggest starting your search with No More Ransom.
  2. Restart the infected computer in Safe Mode with Networking.
  3. Insert the USB drive with the decryptor, copy it to the desktop, then eject and remove the drive.
  4. Run the decryptor.
  5. Assuming the decryptor is successful, update your SUPERAntiSpyware to the latest database version and run a complete scan to remove any traces of Anatova from your system.
  6. If the decryptor does not work, you can take your computer to a data recovery expert.

How To Remove Vidar/GandCrab

Vidar is a relatively new keylogging, data-stealing malware campaign. It is generally distributed through malicious advertisements, a common hacking technique, on less-than-reputable sites such as bit torrent or free video streaming sites. These malvertisements redirect their victims to various exploit kits such as Fallout and GrandSoft, which in turn will infect your machine with various malevolent payloads such as Vidar.

How it works

Vidar is sold or rented as a service to the blackhats. For the low price of $700 they are able to utilize Vidar’s distribution system to spread their own malware. They can even customize it to steal a variety of your sensitive data such as browser history, website logins, credit card numbers, and cryptocurrency wallets.

One of the more common payloads is the ransomware called GandCrab. Ransomware is exactly what it sounds like – it encrypts your files and demands payment in order to decrypt them. SUPERAntiSpyware detects many variants of the GandCrab ransomware. Our researchers are hard at work daily to detect more variants and help combat this threat.

Unfortunately once your system becomes infected with ransomware like GandCrab, there are few options for you. You can either pay the ransom and hope they unlock your files, or you may get lucky and find that a decryptor has been created. Currently there are decryptors for some versions of GandCrab (V1, V4, and V5). It is worth noting that these decryptors, while definitely helpful, do not always work perfectly for all encrypted files. The final option is less appealing – wipe your system and reinstall Windows. The upside is that you should be able to use your computer again without paying. The downside is that you will have lost all your documents.

Our suggestion to protect yourself from ransomware is relatively simple: Back up your files. Being able to restore your important documents from a cloud or local backup is the best way to thwart a ransomware attack. Keeping your system up to date with software patches is also something we recommend to help protect yourself.

Who is affected

Due to the way it is distributed, Vidar does not target individuals or businesses directly. It relies on people clicking on their malicious advertisements. In general, you should avoid clicking ads online, no matter how enticing. Something interesting about GandCrab is that it has been known to check if you have a Russian keyboard layout, and if so it terminates its execution immediately.

Indicators of compromise

Vidar itself is very stealthy, doing its data thievery quickly and silently in the background. It’s very likely that you won’t even know that Vidar has hit you until it drops its payload. Vidar drops some text files onto your system into ProgramData\(random string)\ and ProgramData\(random string)\files\. These files contain passwords and other information that Vidar has stolen. There may also be a zipped file containing copies of these text files.

The most common malware delivered by Vidar has been GandCrab ransomware. Within a minute or so, GandCrab will change your Windows background to something similar to this:

There will be an HTML or text file called (random)-DECRYPT dropped into every folder where files have been encrypted by GandCrab, containing instructions on how to pay the ransom to get your documents back. You will also notice that the encrypted files will have their extension changed to something random instead of the correct extension:

Here is a list of file types that may be targeted for encryption by GandCrab:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

What you can do

SUPERAntiSpyware detects many variants of Vidar, however new versions are being created all the time so make sure to always update to the latest database version. Also, upgrading to Real-Time protection will dramatically increase your level of protection from this threat.

Installing an Ad Blocker on your computer can help stop Vidar at its source, however one of the best practices is to refrain from clicking on any advertisements online.

If your files have been encrypted by GandCrab, you may still be able to decrypt them. Various companies and individuals create ransomware decryptors and release them on the internet. These decryptors are specifically designed to unlock files that were encrypted with a particular version of ransomware, so make sure to note the version of GandCrab when looking for a decryptor – the version we were infected with was 5.0.4. No More Ransom is a repository of most of the decryptors available and is always being updated.

If you are not able to find a decryptor that works, SUPERAntiSpyware suggests that you do not pay the ransom. There is no guarantee that the blackhats will unlock your files once they receive your payment. In 2018 it was reported that paying the ransom actually gets your files decrypted less than 50% of the time. If your data is extremely crucial, we suggest you contact a company who specializes in data recovery services.

HOW TO REMOVE Vidar/GandCrab

  1. Using an uninfected system, search the internet for a decryptor for your particular version of GandCrab and copy it to a USB drive – I would suggest starting with No More Ransom
  2. Restart the infected computer in Safe Mode with Networking
  3. Insert the USB drive with the decryptor, copy it to the desktop, then eject and remove the drive
  4. Run the decryptor
  5. Assuming the decryptor is successful, update your SUPERAntiSpyware to the latest database version and run a complete scan to remove any traces of Vidar from your system
  6. If the decryptor does not work, you can take your computer to a data recovery expert

How to remove Hancitor

Hancitor, also known as Chanitor, is known for dropping its payloads rather than downloading them post-infection, as well as for a unique phishing approach to trick users into downloading and activating Microsoft Word documents with malicious macros.

How it works

Hancitor uses a new template that attempts to fool the user into believing that it is a FedEx tracking number. There is no attachment, however; instead, the tracking number link directs the user to the sjkfishfinders[.]com domain and then downloads the Word document. Once downloaded, the Word file attempts to trick the user into allowing macros, which would trigger code residing inside the file. An example can be seen below:

The lack of an attachment, often seen as a red flag by many users, may lure the user into a false sense of security. It is important to be careful about which links you click: on most modern web browsers, hovering your mouse pointer over the link will tell you where the link will lead to. If you do not know the address, then it is safer to avoid following the link.

When a user enables the macro, rather than download the application from the internet, the application it is instead extracted from inside the document and dropped in the hidden folder \AppData\Local. Before finishing, the script launches the command cmd.exe /c ping localhost -n 100 && C:\Users\admin\AppData\Local\Temp\6.pif. Ping is used to delay the attack to avoid automatic detection by waiting for approximately 100 seconds before running the dropped application 6.pif. 6.pif then reaches out to a C&C server before downloading new malware or running commands.

In addition to 6.pif, another file is dropped at C:\Users\admin\AppData\Local\Temp\6fsdFfa.com. This executable is a banker. Immediately after being run, it reaches out to api.ipify.org, which returns the victim’s public IP address. It then attempts to submit several unique values and the IP address in plain text to a list of infected servers. If the infected servers reply back indicating that they are available to receive the data, the program will  begin compiling all the usernames and passwords it can obtain and submit them to the server.

Other templates have been used by Hancitor in the past, including but not limited to: divorce papers, parking tickets, and FTC claims. As always, its important to have Microsoft Office macros disabled unless required by your job.

Who is affected?

Anyone with an email address can become a target of this spam campaign. While it does not use victims’ email addresses like Emotet does, Hancitor’s unique templates are meant to catch even savvy users off guard, regardless of whether the email is used for work or is a personal email.

Indicators of Compromise

  1. cmd.exe /c ping localhost -n 100 && C:\Users\admin\AppData\Local\Temp\6.pif
  2. sha256: 76b96c8d796cfcebff34d42e65e5a4ab2770fda42ea3c259097ee068660dfcc2                        
  3. md5: 4d4e366b0813148f12fa1a2638c43f72         
  4. C:\Users\admin\AppData\Local\Temp\6fsdFfa.com        
  5. Felighevengna[.]com    
  6. api.ipify.org       
  7. verrestofred[.]ru             
  8. 81.171.7.39        
  9. 54.204.36.156    
  10. 95.169.184.23                    
  11. felighevengna.com/4/forum[.]php          
  12. verrestofred.ru/4/forum[.]php 

What you can do


If you or someone you know is infected with Hancitor malware download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required.  SUPERAntiSpyware is easy to install and will detect and remove Hancitor from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

How To Remove Hancitor

  1. Restart the infected computer in safe mode without networking.
  2. Search through the items in the Indicators of infection section above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

Definitions

Attack Vector: Is the way the attacker gains access to a target. The most common of these are malicious emails but many more exist and are discovered all the time.

BackDoor: Is a bypass allowing a Malicious user to connect to the target machine without permission from the target. These can be in the form of default username and passwords baked into the machine or a malicious download that opened a connection for the malicious user.

BlackHat: Is a term referring to a hacker who hacks for personal gain. The term refers to the old western movies where the good guy would wear a white hat and the bad guys would wear a Blackhat.

Banker: Refers to a malicious file that attempts to steal bank information from the user.

Command and Control: refers to code under a attackers control that listens for messages and replies with commands for the malware to execute. For example, a piece of malware infects a windows computer and detects that the user uses chrome but not firefox. It messages its C&C asking what it should do and the C&C decides that it should only run the Chrome information stealer command rather than execute all of its commands. After the malware sends the information it gathered back to the C&C server.

Domain squatting/cybersquatting: refers to holding or squatting on a misspelled or visually similar web address to trick victims into visiting and trusting the site.

Downloader: Refers to a software that Maliciously downloads another file from the internet and then executes it.

Dropper: Refers to a software that has a malicious file residing inside of it which is extracted and then ran.

Keylogger: A piece of software designed to record every key pressed on your keyboard, mostly used to steal your usernames and passwords.

Mal-Spam: (malicious-Spam) is a technique used by attackers where they send out emails pretending to be something you would expect to receive. This is a very common attack.

Phishing: fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity. Normally done over email or instant messaging.

Ransomware: A type of malware which encrypts your files, effectively holding your documents hostage until you pay to get them unlocked.

RootKit: A type of malware that abuses Operating systems trust of certain key often low level aspects so as to gain persistence and become harder to remove.

Supply Chain Attack: A attack Vector involving malicious attackers gaining access to trusted software and injecting there own code inside of it. Allowing them to bypass many security checks.