Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Emerging Threat on HANCITOR

    • Updated:
    • 28 Sep 2016
    • Product/Version:
    • Deep Discovery Analyzer 5.5
    • Deep Discovery Email Inspector 2.5
    • Deep Security 10.0
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.0
    • OfficeScan 10.6
    • OfficeScan 11.0
    • ScanMail for Exchange 8.0 2000/2003/2007
    • ScanMail for Lotus Domino 5.0 AIX
    • ScanMail for Lotus Domino 5.0 Windows
    • ScanMail for Lotus Domino 5.0 zLinux
    • Worry-Free Business Security Standard/Advanced 8.0
    • Platform:
    • N/A N/A
Summary

HANCITOR  is a 2013 malware that re-emerged this year with new tricks up its sleeve. This Trojan malware targets windows platform and distributes PONY and VAWTRAK with significant updates and increased functionality. Some of the notable changes are the network communication protocol used and the ability to download and execute a DLL module. It affects the Americas, Europe and APAC regions and is mostly seen in the USA.

HANCITOR Infection Chain

Click image to enlarge

Antispam Pattern

LAYERDETAILPATTERN VERSIONRelease Date
EXPOSURESpam mailsAS 23605/30/2016

VSAPI Pattern (Malicious File Detection)

LAYERDETECTIONPATTERN VERSIONRelease Date
INFECTIONTROJ_HANCITOR.SMQOPR 12.5976/18/2016
INFECTIONW2KM_HANCITOR.SMJLOPR 12.6196/29/2016
INFECTIONW2KM_HANCITOR.SMCOPR 12.6237/1/2016
INFECTIONW2KM_HANCITOR.SMJOOPR 12.6397/9/2016
INFECTIONW2KM_HANCITOR.SMJMOPR 12.6397/9/2016

WRS Pattern (Malicious URL and Classification)

LAYERURLRATINGRelease Date
CLEAN-UPsulacunle{blocked}.com/sl/gate.phpC&C6/1/2016
CLEAN-UPwilbisithad{blocked}.ru/sl/gate.phpC&C6/1/2016
CLEAN-UPreblodidnci{blocked}.ru/sl/gate.phpC&C6/1/2016
CLEAN-UPmykidspb{blocked}.ru/system/logs/inst2.exeDisease Vector6/1/2016
CLEAN-UPbf-boilies{blocked}.by/system/logs/pm.dllVirus Accomplice6/1/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYERDETECTIONPATTERN VERSIONRelease Date
DYNAMIC1999QOPR 15879/22/2016
DYNAMIC4189TOPR 15879/22/2016

DCT Pattern (System Clean Pattern)

LAYERDETECTIONPATTERN VERSIONRelease Date
CLEAN-UPTSC_GENCLEANlatest DCT OPRBuilt-in

Network Pattern

LAYERDETECTIONPATTERN VERSIONRelease Date
CLEAN-UPHTTP_HANCITOR_REQUEST1.10169.006/21/2016
 
Make sure to always use the latest pattern available to detect the old and new variants of HANCITOR.
Details
Public

Solution Map

Major ProductsVersionsVirus PatternBehavior MonitoringWeb ReputationDCT PatternAntispam PatternNetwork Pattern
OfficeScan10.6 and above







Update Pattern via web console


Update Pattern via web console









Enable Web Reputation Service*


Update Pattern via web console

Not Applicable
Update Pattern via web console
Worry Free Business SuiteStandard

Not Applicable
Advanced/MSA
Update Pattern via web console
Hosted
Deep Security8.0 and above





Not Applicable
Update Pattern via web consoleNot ApplicableUpdate Pattern via web console
ScanMailSMEX 10 and later




Not Applicable


Update Pattern via web console



Not Applicable
SMD 5 and later
InterScan MessagingIMSVA 8.0 and above
InterScan WebIWSVA 6.0 and later
Deep DiscoveryDDI 3.0 and later

Not Applicable

Update Pattern via web console
DDAN
DDEI
 
Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

Recommendations

Threat Report

Premium
Internal
Rating:
Category:
Update; SPEC
Solution Id:
1115383
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.