Hancitor (AKA CHanitor, Tordal) is a popular macro-based malware distributed via malicious Office documents delivered through malspam. In the latest campaigns, particularly active between October and December 2020, the malware has been distributed via DocuSign-themed emails asking the victims to review and sign a document. The fake DocuSign link downloads a Microsoft Word document whose malicious macro, once enabled, installs the Hancitor malware.
Interestingly the fake DocuSign link points to a file hosted on Google Docs that performs a further redirection (via a Google Open Redirect). The destination is a malicious page that generates the malicious Word document used to deliver Hancitor.
For example, the page below (part of a campaign detected today) redirects to:
Once again, a cloud service is used to make a malicious campaign more evasive. In this case, the link into the initial email points to a legitimate cloud service (Google Docs) that contains the link to the malicious page. This latter link also uses another evasion technique in the Google Open Redirect (the ”https://www.google.com/url?“ in the above link.)
Also, the technique of exploiting a legitimate cloud service for redirection is not new and has been used in recent campaigns with Box, Sharepoint, Google Drive, and Dropbox to deliver malware or serve phishing pages.
How Netskope mitigates this threat
There are multiple stages of the attack chain where the Netskope Next Gen SWG can mitigate this threat.
- It is possible to block the access (and in general enforce granular controls) to dozens of non-corporate cloud storage services (including personal instances of corporate services or non-corporate instances abused by the attackers).
- The second redirection can be prevented by the content filtering engine that offers 16 granular security risk categories including phishing and malware distribution.
- The download of a malicious document can be prevented by the Threat Protection Engine that provides an ML-based Office Scanner for malicious documents.