{
	"id": "4154530f-a74b-4f1a-ad69-a79f334ac703",
	"created_at": "2026-04-06T00:09:55.226323Z",
	"updated_at": "2026-04-10T03:20:36.789558Z",
	"deleted_at": null,
	"sha1_hash": "75d168dbeae3230c25e7d15a6f8641b3549359ad",
	"title": "Compromised Servers \u0026 Fraud Accounts: Recent Hancitor Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1193018,
	"plain_text": "Compromised Servers \u0026 Fraud Accounts: Recent Hancitor Attacks\r\nBy Vicky Ray, Brad Duncan\r\nPublished: 2018-02-07 · Archived: 2026-04-05 13:03:32 UTC\r\nUnit 42 has been tracking malicious spam (malspam) pushing Hancitor malware during the past 2 years. Hancitor,\r\nalso known as Chanitor or Tordal, is a macro-based malware spread through Microsoft Office documents\r\ndistributed in malspam campaigns. Hancitor is designed to infect a victim's Microsoft Windows computer with\r\nadditional malware, and the end result is most often a banking Trojan. But the impact of Hancitor malspam is\r\nfairly limited. On a default-configured Windows 10 host, the malware is easily detected by Microsoft's built-in\r\nWindows Defender anti-virus tool. Furthermore, many spam filters catch these emails before they get to their\r\nintended recipients.\r\nWho is Hancitor effective against? An ideal target victim would be someone running an outdated version of Windows\r\nlike Windows 7 with anti-virus disabled. Such victims would also click through any warnings they encounter.\r\nApparently, this target demographic is substantial enough that criminals behind Hancitor malspam continue to\r\npush their emails on a frequent basis.\r\nWhile researchers have published many technical reports on Hancitor campaigns, their primary focus has been on\r\nthe malware and its capabilities. But how does this type of attack with a limited base of victims remain profitable?\r\nLittle has been published about how this campaign uses fraud accounts and the compromised infrastructure of\r\nlegitimate businesses. Understanding the playbook used by these criminals is essential to understand why they\r\ncontinue to operate.\r\nWe continue to see several hundred examples of Hancitor malspam every month sent to a wide variety of\r\nrecipients. The image below shows data extracted from our Autofocus threat intelligence platform. 
It provides\r\nhigh-level visibility on how frequently we've seen Hancitor malspam so far in 2017.\r\nFigure 1: Timeline of Hancitor campaign activity since January 2017.\r\nAccording to our Autofocus data, we can infer criminals behind this campaign follow a 5-day work week from\r\nMonday through Friday. Spikes in the email activity often occur in the middle of the week. This reflects a general\r\npattern of productivity seen with most people who follow the same type of schedule.\r\nhttps://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/\r\nPage 1 of 9\n\nCampaign History\r\nIn previous years, Hancitor malware was delivered as email attachments in malspam campaigns. Microsoft Word\r\ndocuments from this malspam downloaded other malware like Pony, Vawtrak, and DELoader as depicted in\r\nFigure 2.\r\nFigure 2: Hancitor downloaded as email attachments to targeted victims.\r\nHancitor Campaign Updates its Playbook\r\nIn the past, criminals have successfully infected victims using email attachments, but email filtering has improved\r\nin recent years. Most current enterprise-level security solutions now include a sharp focus on email attachments\r\nand can easily detect malicious documents and ultimately impact the success rate of the attackers' campaigns.\r\nTo further evade detection, since the end of 2016, actors behind Hancitor have added another step in the infection\r\nprocess. Instead of email attachments, a link in the email points to distribution servers hosting these Hancitor-based\r\ndocuments. Figure 3 outlines current campaign methods used to deliver Hancitor. 
This campaign continues to use\r\ndistribution servers, indicating this technique has proven successful.\r\nFigure 3: Current depiction of Hancitor delivery using distribution servers.\r\nAs shown in Figure 3, malicious Hancitor documents are hosted on compromised webservers located at multiple\r\nregions globally, or they are hosted on fraud-based accounts at various hosting providers. After they establish\r\ndistribution servers for a particular malspam run, the threat actors use botnet hosts to push malspam with a link to\r\nthe Hancitor Word document. This malspam uses several different templates to impersonate legitimate businesses.\r\nThese emails are often disguised as invoices, eFax messages, and UPS or FedEx delivery notifications, to name a\r\nfew examples. If a victim clicks the embedded link, a Hancitor document is sent to the victim's computer. Figure 4\r\nshows an example of the malspam with an embedded URL to download Hancitor in February 2017. This\r\nparticular sample was a faked Amazon shipping notification. Obviously, this did not originate from Amazon: the\r\nattackers are using Amazon shipping as the plausible decoy.\r\nFigure 4: Hancitor malspam example from February 2017.\r\nTraditionally, the link from these emails includes the victim's email address as part of the URL, sometimes\r\nobfuscated using base64 or other encoding. This is likely an attempt by the Hancitor actors to track the victims\r\nwho would have successfully downloaded the malicious Hancitor sample. 
Two examples seen earlier this year are:\r\nhxxp://[distribution server domain name]/api/getn.php?id=[base64-encoded string representing recipient's\r\nemail address]\r\nhxxp://[distribution server domain name]/f.php?sik=[recipient's email address in plain text]\r\nWhile investigating the distribution server domains, we found an open directory hosting two text files: visitor.txt\r\nand block.txt (Figure 6). The visitor.txt file appears to track all downloads of Hancitor Word documents hosted on\r\nthat server. The block.txt file appears to track IP addresses that should be blocked. Many IP addresses in the\r\nblock.txt file resolved to Amazon AWS servers. We suspect this list may be used to block analysis on automated\r\nsystems run by security vendors and researchers, by not serving content to IP addresses known to be analyzing\r\nmalware.\r\nFigure 5: Text files on a distribution server hosting Hancitor documents.\r\nSince early October 2017, these distribution servers have usually been servers set up through fraudulent accounts\r\nat hosting providers. In September through November 2017, links from Hancitor malspam occasionally resolved\r\nto these domain names without any additional text in the URL. Figure 6 shows one example.\r\nFigure 6: Hancitor malspam example from October 2017.\r\nIn recent weeks, links from this malspam have been using a custom encoding to disguise the recipient's email\r\naddress in the URL.\r\nDistribution Server Characteristics\r\nGiven how actors behind Hancitor malspam leverage compromised servers, we investigated the numbers and\r\nregions where these servers were compromised. The heat map below provides a high-level overview of the\r\naffected countries. 
The distribution servers seen throughout the year are located globally. While the United States\r\naccounts for a large number of distribution servers, the majority of the servers in the United States are from fraudulent\r\naccounts which are hosted at hosting providers. By contrast, the majority of the distribution servers in the rest of\r\nthe countries are from compromised servers belonging to legitimate businesses.\r\nAccording to data from January to September 2017, the majority of compromised domains used for Hancitor-based infections are located in the Asian region. Most compromised servers belong to local businesses in each\r\ncountry. While no specific region appears more vulnerable than others, the domains we've seen so far in 2017\r\nimply that organizations in Asia, especially small and medium-sized businesses, may be running vulnerable\r\nservices likely to be exploited by the Hancitor campaign to host associated malware.\r\nFigure 7: Hancitor distribution servers globally thus far in 2017\r\nCountry Number of Distribution servers\r\nUnited States 197\r\nJapan 23\r\nVietnam 13\r\nSingapore 12\r\nRussia 7\r\nBrazil 6\r\nMalaysia 6\r\nHong Kong 5\r\nSouth Africa 4\r\nThailand 4\r\nIndia 2\r\nIreland 2\r\nKazakhstan 2\r\nTaiwan 2\r\nTurkey 2\r\nUkraine 2\r\nArgentina 1\r\nCanada 1\r\nGermany 1\r\nIsrael 1\r\nItaly 1\r\nNetherlands 1\r\nRepublic of Korea 1\r\nRepublic of Lithuania 1\r\nUnited Kingdom 1\r\nTable 1 – Number of Distribution Servers by Country\r\nAs of December 2017, Hancitor Word documents have most commonly been distributed through fraudulent\r\naccounts at hosting providers. 
However, during post-infection activity, Hancitor downloads additional malware\r\nfrom additional distribution servers. These post-infection distribution servers are also legitimate websites that have\r\nbeen compromised by this campaign, and this characteristic of Hancitor-based infection traffic has been consistent\r\nsince we started tracking Hancitor.\r\nCommon Services from Compromised Servers\r\nApart from web servers and other related services, almost all compromised domains were running PureFTPd or\r\nProFTPd services. This suggests criminals behind Hancitor malspam may have been targeting servers running\r\nvulnerable versions of FTP applications. However, without any further data, we cannot make any conclusive\r\nstatements.\r\nRecent Developments\r\nThe Hancitor campaign is still evolving. Unit 42 researcher Brad Duncan recently discussed a wave of Hancitor\r\nmalspam on October 16th 2017, where Word documents from the distribution servers used the DDE attack\r\nmethod. In this case, Hancitor was completely separated from the Word document and downloaded as a separate\r\nmalware binary. This added another distribution server in the infection chain of events. The DDE attack method\r\nspread to other actors for mass-distribution of malware through email. However, by November 2017, Hancitor\r\nresumed using macros in Word documents.\r\nConclusion\r\nA key factor in this campaign's longevity is the abuse of hosting providers, a situation we have previously reported.\r\nAnother key factor is the availability of vulnerable servers world-wide that criminals can compromise to host their\r\nmalware. These are primary components in the Hancitor malspam playbook. 
As discussed in this blog post, we've\r\nseen an evolution in their playbook as criminals behind this campaign have fine-tuned their malware distribution\r\ntechniques. Despite a somewhat limited target base of victims who disregard best security practices and run older\r\nversions of Microsoft Windows, the Hancitor campaign has remained active so far in 2017 with no extended\r\nabsences. This indicates the campaign's current playbook remains cost-effective. We continue to keep a close track\r\nof this activity for further developments. Palo Alto Networks customers are protected from this threat through our\r\nnext-generation security platform.\r\nCurrent samples of Hancitor are marked as Malicious by WildFire and Traps\r\nAutoFocus users can identify samples of this malware using the Hancitor\r\nSource: https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/"
	],
	"report_names": [
		"unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434195,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75d168dbeae3230c25e7d15a6f8641b3549359ad.pdf",
		"text": "https://archive.orkl.eu/75d168dbeae3230c25e7d15a6f8641b3549359ad.txt",
		"img": "https://archive.orkl.eu/75d168dbeae3230c25e7d15a6f8641b3549359ad.jpg"
	}
}