Hancitor

Malware updated 4 months ago (2024-05-04T21:02:34.079Z)
Hancitor is a malware family known for its ability to compromise and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user noticing. Once it gains access, Hancitor can steal personal information, disrupt operations, or even hold data hostage for ransom. Its defining feature is its role as a loader: it drops or executes other malicious payloads, such as Remote Access Trojans (RATs) and various ransomware families, on victims' networks.

Cuba ransomware actors have been reported to use Hancitor to spread malicious files throughout a victim's network: after gaining initial access, they distribute Cuba ransomware on compromised systems through Hancitor. These actors deploy the ransomware using a Hancitor distribution tool that writes a kernel driver named ApcHelper.sys to the file system. Hancitor has also been linked with other harmful tools such as Qbot, and it is typically distributed via spam campaigns, often disguised as DocuSign notifications.

Threat actors such as "MAN1" (aka "Moskalvzapoe", aka "TA511") are known to use Hancitor, particularly as major e-crime groups shift from traditional banking-trojan operations towards ransom and data theft.

Hancitor's payload-delivery method has evolved over time. In September, FireEye reported a change in how Hancitor's payload was delivered compared with previous iterations. More recently, spam distribution linking to Hancitor has increased again after a period of reduced activity. The malware's authors have built several capabilities into their malicious macros that support installation and data theft; for example, Hancitor samples may call functions such as EnumResourceTypesA to interpret and execute shellcode. The malicious document that delivers the Hancitor executable is usually distributed as an email spam attachment.
Description last updated: 2024-05-04T16:33:35.263Z
Aliases: none currently tracked.
Miscellaneous associations (other elements of context that could aid in identifying relevance): Ransomware, Spam, Exploit, Malware, Trojan
Source Document References
Information about the Hancitor malware was read from the document corpus below (display limited to 20 results).

Source    Created       Title
CERT-EU   a year ago    VerSprite CyberWatch
MITRE     2 years ago   Hancitor (AKA Chanitor) observed using multiple attack approaches | Mandiant
MITRE     2 years ago   Spammers Revive Hancitor Downloader Campaigns
CISA      2 years ago   #StopRansomware: Cuba Ransomware | CISA