A report by Unit 42 uncovered recent malicious activity by TA511. The threat actor has added Cobalt Strike, a tool used in Active Directory environments, to its repertoire. TA511 gains its initial foothold through a malicious Word document that drops a Hancitor sample as a DLL file and executes it with rundll32, a common Living Off the Land technique in malicious Office files.

The first-stage DLL sends information about the infected device to the C&C server, which then triggers the download of the next payload. The payloads observed by Palo Alto’s researchers are:

  • Ficker Stealer – a MaaS stealer previously covered in our blog.
  • Cobalt Strike – the notorious adversary simulation software commonly abused by threat actors.

The packer employed by the Hancitor sample we analyzed is quite similar to the one used by the Emotet sample described in this blog. Both pieces of malware query the registry key HKEY_CLASSES_ROOT\interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9} and enter an infinite loop if the 4th character of its default value is not the letter ‘t’. This effectively verifies that the value is the Windows default, “IActiveScriptParseProcedure32”.

The registry interface name check
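
The check described above, re-implemented as an added example (not code from the blog, and not Hancitor's own code) so an analyst can tell whether a sandbox image would let the sample proceed or leave it spinning in the loop. The snapshot dictionary, the `hancitor_would_run`/`classify_snapshot` names and the result labels are my own; the live read is a plain winreg call that only runs on Windows.

```python
"""Evaluate Hancitor's registry 'interface name' check against a registry snapshot."""
import sys

# Taken from the blog post: the interface key Hancitor queries and the
# default value Windows normally stores there.
INTERFACE_KEY = r"interface\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}"
WINDOWS_DEFAULT = "IActiveScriptParseProcedure32"
CHECK_INDEX = 3        # the "4th character" in the blog's description
EXPECTED_CHAR = "t"


def hancitor_would_run(default_value):
    """True if the packer would continue, False if it would loop forever.
    Mirrors the described check: only index 3 of the default value is compared."""
    if default_value is None or len(default_value) <= CHECK_INDEX:
        return False                     # missing or short value: check cannot pass
    return default_value[CHECK_INDEX] == EXPECTED_CHAR


def classify_snapshot(snapshot):
    """Run the check over a dict {key_path_lowercase: default_value}, a constructed
    stand-in for HKEY_CLASSES_ROOT. Returns 'proceed', 'loop:missing' or 'loop:mismatch'."""
    value = snapshot.get(INTERFACE_KEY.lower())
    if value is None:
        return "loop:missing"            # stripped sandbox: key absent, malware never detonates
    return "proceed" if hancitor_would_run(value) else "loop:mismatch"


def read_live_value():
    """On Windows, read the real default value via winreg; None elsewhere or if absent."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, INTERFACE_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "")   # "" selects the (Default) value
            return value
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed snapshots: a stock Windows box, a stripped sandbox, and a renamed value.
    for name, snap in [("stock", {INTERFACE_KEY.lower(): WINDOWS_DEFAULT}),
                       ("stripped", {}),
                       ("renamed", {INTERFACE_KEY.lower(): "IUnknown"})]:
        print(name, "->", classify_snapshot(snap))
    live = read_live_value()
    if live is not None:
        print("this host ->", "proceed" if hancitor_would_run(live) else "loop")
```

A sandbox that reports `loop:missing` or `loop:mismatch` will never show the second-stage download, so the key should be populated with the stock default before detonating samples.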

Another evasion technique employed by the packer is the use of uncommon Windows APIs with invalid parameters. The malware calls LoadIconA, LoadCursorW and GetEnhMetaFileBits in an inappropriate manner and self-terminates if the function does not fail in a specific way. Our guess is that this is an anti-emulation technique that relies on implementation differences between a real OS and an emulator.

Anti-emulation in Hancitor

Hancitor has evolved and become more evasive since our 2016 blog post, and considering the vacuum left by Emotet’s demise it is now a prime candidate to fill the gap in the malicious downloader market. Minerva prevents both the malicious document and Hancitor’s subsequent payloads:




To learn more about how Minerva Labs helps block malicious payloads from Hancitor and other ransomware, contact us for a full demo.