Hancitor: fileless attack with a DLL copy trick (Mar 13, 2018)
The "Hancitor" downloader is being delivered using a new fileless attack technique, according to Malwarebytes Labs researchers. The technique works by copying the "kernel32.dll" library and using the copy to create a new malicious process, which bypasses Ring 3 (user-mode) hook protections that monitor the original library. Delivery is accomplished via malspam that prompts the recipient to download a Word document masquerading as an invoice. The document contains a macro that, if enabled, copies malicious code into memory and creates a timer to execute the payload. The payload copies kernel32.dll into the user's temp folder as "krnl32.dll," then uses the original kernel32 "LoadLibraryW" call to load the copy into memory. krnl32.dll is then used to create a new suspended "svchost.exe" process. "Process hollowing" is used to replace the contents of svchost.exe with the malware, and the infection completes with the malware running inside that process.
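Two steps of the chain described above leave telemetry a defender can match on: a DLL whose name imitates kernel32.dll being loaded from a user-writable path rather than the system directory, and svchost.exe being created by an Office process instead of services.exe. The following is an added example, not code from the Malwarebytes write-up; it runs those two checks over constructed Sysmon-style events (the field names `type`, `image`, `parent` and the sample paths are assumptions for the example, not a real log format).

```python
"""Added example: flag two observable steps of the Hancitor loader chain
(kernel32.dll copied under a look-alike name and loaded from a user-writable
path; svchost.exe spawned by an Office process) in Sysmon-style telemetry.
Event fields and sample paths are constructed for this example."""
import json
import ntpath
from difflib import SequenceMatcher

# Directories from which the core Windows DLLs are legitimately loaded.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
CORE_DLLS = ("kernel32.dll", "kernelbase.dll", "ntdll.dll")
# Office binaries that have no business creating svchost.exe
# (its normal parent is services.exe).
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Name similarity above which a DLL is treated as an imitation of a core DLL.
LOOKALIKE_RATIO = 0.85

WINWORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
# Constructed telemetry mirroring the described chain (not real logs).
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "process": WINWORD,
     "image": r"C:\Windows\System32\kernel32.dll"},            # benign
    {"type": "ImageLoad", "process": WINWORD,
     "image": r"C:\Program Files\Microsoft Office\Office16\mso.dll"},  # benign
    {"type": "ImageLoad", "process": WINWORD,
     "image": r"C:\Users\alice\AppData\Local\Temp\krnl32.dll"},  # look-alike copy
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "parent": WINWORD},                                        # Office -> svchost
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},           # benign
]


def _name(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def check_image_load(image):
    """Return a reason string if a loaded DLL imitates a core system DLL."""
    if _dir(image) in SYSTEM_DIRS:
        return None  # genuine copy loaded from the system directory
    name = _name(image)
    for dll in CORE_DLLS:
        if name == dll:
            return f"{dll} loaded from non-system path {image}"
        if SequenceMatcher(None, name, dll).ratio() >= LOOKALIKE_RATIO:
            return f"{name} resembles {dll} and was loaded from {image}"
    return None


def check_process_create(image, parent):
    """Return a reason string if svchost.exe was spawned by an Office process."""
    if _name(image) == "svchost.exe" and _name(parent) in OFFICE_IMAGES:
        return f"svchost.exe spawned by {_name(parent)} (expected parent: services.exe)"
    return None


def analyze(events):
    """Run both checks over a list of event dicts; return (index, reason) pairs."""
    findings = []
    for i, ev in enumerate(events):
        reason = None
        if ev.get("type") == "ImageLoad":
            reason = check_image_load(ev["image"])
        elif ev.get("type") == "ProcessCreate":
            reason = check_process_create(ev["image"], ev["parent"])
        if reason:
            findings.append((i, reason))
    return findings


def analyze_jsonl(text):
    """Same as analyze() for newline-delimited JSON, one event per line."""
    return analyze([json.loads(line) for line in text.splitlines() if line.strip()])


if __name__ == "__main__":
    for idx, reason in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The name-similarity check deliberately keys on the directory rather than the file name alone: a byte-identical copy of kernel32.dll is only suspicious when it is loaded from somewhere other than System32 or SysWOW64, which is exactly what the Temp-folder copy in this campaign does. The parent/child rule is coarse on purpose; in production it would be combined with the image-load finding for the same process to cut down false positives from legitimate Office add-ins.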
Recommendation: Avoid documents that request that macros be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protection should be implemented and kept up to date with the latest version to better ensure security.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.