Summary
HANCITOR is a 2013 malware that re-emerged this year with new tricks up its sleeve. This Trojan malware targets windows platform and distributes PONY and VAWTRAK with significant updates and increased functionality. Some of the notable changes are the network communication protocol used and the ability to download and execute a DLL module. It affects the Americas, Europe and APAC regions and is mostly seen in the USA.
Click image to enlarge
Antispam Pattern
| LAYER | DETAIL | PATTERN VERSION | Release Date |
|---|---|---|---|
| EXPOSURE | Spam mails | AS 2360 | 5/30/2016 |
VSAPI Pattern (Malicious File Detection)
| LAYER | DETECTION | PATTERN VERSION | Release Date |
|---|---|---|---|
| INFECTION | TROJ_HANCITOR.SMQ | OPR 12.597 | 6/18/2016 |
| INFECTION | W2KM_HANCITOR.SMJL | OPR 12.619 | 6/29/2016 |
| INFECTION | W2KM_HANCITOR.SMC | OPR 12.623 | 7/1/2016 |
| INFECTION | W2KM_HANCITOR.SMJO | OPR 12.639 | 7/9/2016 |
| INFECTION | W2KM_HANCITOR.SMJM | OPR 12.639 | 7/9/2016 |
WRS Pattern (Malicious URL and Classification)
| LAYER | URL | RATING | Release Date |
|---|---|---|---|
| CLEAN-UP | sulacunle{blocked}.com/sl/gate.php | C&C | 6/1/2016 |
| CLEAN-UP | wilbisithad{blocked}.ru/sl/gate.php | C&C | 6/1/2016 |
| CLEAN-UP | reblodidnci{blocked}.ru/sl/gate.php | C&C | 6/1/2016 |
| CLEAN-UP | mykidspb{blocked}.ru/system/logs/inst2.exe | Disease Vector | 6/1/2016 |
| CLEAN-UP | bf-boilies{blocked}.by/system/logs/pm.dll | Virus Accomplice | 6/1/2016 |
AEGIS Pattern (Behavior Monitoring Pattern)
| LAYER | DETECTION | PATTERN VERSION | Release Date |
|---|---|---|---|
| DYNAMIC | 1999Q | OPR 1587 | 9/22/2016 |
| DYNAMIC | 4189T | OPR 1587 | 9/22/2016 |
DCT Pattern (System Clean Pattern)
| LAYER | DETECTION | PATTERN VERSION | Release Date |
|---|---|---|---|
| CLEAN-UP | TSC_GENCLEAN | latest DCT OPR | Built-in |
Network Pattern
| LAYER | DETECTION | PATTERN VERSION | Release Date |
|---|---|---|---|
| CLEAN-UP | HTTP_HANCITOR_REQUEST | 1.10169.00 | 6/21/2016 |
Make sure to always use the latest pattern available to detect the old and new variants of HANCITOR.
Details
Solution Map
| Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern |
|---|---|---|---|---|---|---|---|
| OfficeScan | 10.6 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via web console | Not Applicable | Update Pattern via web console |
| Worry Free Business Suite | Standard | Not Applicable | |||||
| Advanced/MSA | Update Pattern via web console | ||||||
| Hosted | |||||||
| Deep Security | 8.0 and above | Not Applicable | Update Pattern via web console | Not Applicable | Update Pattern via web console | ||
| ScanMail | SMEX 10 and later | Not Applicable | Update Pattern via web console | Not Applicable | |||
| SMD 5 and later | |||||||
| InterScan Messaging | IMSVA 8.0 and above | ||||||
| InterScan Web | IWSVA 6.0 and later | ||||||
| Deep Discovery | DDI 3.0 and later | Not Applicable | Update Pattern via web console | ||||
| DDAN | |||||||
| DDEI |
Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.
Recommendations
- New-Born URLs handling function in the messaging products of InterScan Messaging Security Suite
- Recommendations on how to best protect your network using Trend Micro products
- Submitting suspicious or undetected virus for file analysis to Technical Support
