In our most recent research, one of the things that jumped out for our researchers is the clear pattern around the timing of the attacks. As you can see in Figure 1 below, throughout 2017, the Hancitor attacks show clear spikes in their occurrence and these spikes happen during the middle of the week.<\/p>\n
![\"Hancitor_1\"](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2018\/02\/Hancitor_1.png\")
<\/span><\/div><\/p>\nFigure 1: Timeline of Hancitor campaign activity since January 2017.<\/em><\/p>\n The attackers behind Hancitor aren\u2019t the first to time their spam attacks like this, but it is an effective tactic to try and increase their chances of success, especially when combined with the other innovation that we\u2019ve seen.<\/p>\n <\/p>\n Adapting the Attacks<\/span><\/p>\n In the past, Hancitor was sent as a malicious attachment in a spam email which would then download and install the attackers\u2019 final malware like a banking Trojan. When they would do this, the Hancitor attachment would download and install the final malware from a malicious or compromised site.<\/p>\n But as organizations have gotten more effective at blocking malicious attachments like Hancitor, we\u2019ve seen the attackers behind Hancitor adapt to evade detection and prevention.<\/p>\n They\u2019ve done this by moving the Hancitor malware from being a malicious attachment in spam to itself being a malicious download. The spam the attackers use no long has a malicious attachment but instead a malicious link that downloads the malicious Hancitor attachment.<\/p>\n To do this, they make the spam look like something that requires you to click and download something like and invoice, a message, or a delivery notification. Figure 2 shows one of these that was made to look like an Amazon shipping notice.<\/p>\n Figure 2: Hancitor malspam example from February 2017.<\/em><\/p>\n This means that a Hancitor attack now has two downloads rather than one and what these attackers did around the malicious downloads shows another modern business tactic: globalization.<\/p>\n <\/p>\n Globalizing the Attacks<\/span><\/p>\n Figure 3 below is a map showing where our Unit 42 researchers have found webistes involved in Hancitor attacks.<\/p>\n Figure 3: Hancitor distribution servers globally thus far in 2017<\/em><\/p>\n Table 1 \u2013 Number of Distribution Servers by Country<\/em><\/p>\n <\/p>\n The hot spots in the United States represents distribution servers which are created using fraud based accounts at various hosting providers that are hosting the Hancitor documents while the hotspots in Asia represent legitimate sites for small and medium businesses that have been compromised by the actors behind Hancitor campaign to host the malicious Hancitor documents.<\/p>\n <\/p>\n Conclusion<\/span><\/p>\n Attackers are always making business decisions to optimize their attacks in ways that are most successful and profitable. What is most interesting about Hancitor is the way these decisions so clearly reflect an awareness of business realities (by targeting peak working times) and dividing up the \u201cwork\u201d of their attacks in a way that so clearly mirrors mainstream business decisions around globalizing operations.<\/p>\n In the end, while Hancitor may not be sophisticated, these steps to adapt and stay effective seem to be succeeding. And we expect to continue to see Hancitor be a global threat for the foreseeable future.<\/p>\n <\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" Read this Threat Brief to learn how Hancitor threat actors use fundamental business tactics to deliver attacks <\/p>\n","protected":false},"author":287,"featured_media":25785,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[10737],"tags":[1302,5410,2506],"coauthors":[3069],"class_list":["post-61816","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threat-intelligence","tag-cybercrime","tag-cybercrime-business","tag-hancitor"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2017\/03\/Linkedin.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/61816","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/287"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=61816"}],"version-history":[{"count":3,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/61816\/revisions"}],"predecessor-version":[{"id":61828,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/61816\/revisions\/61828"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/25785"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=61816"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=61816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=61816"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=61816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"Hancitor_4\"](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2018\/02\/Hancitor_4.png\")
<\/span><\/div><\/p>\n![\"Hancitor_7\"](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2018\/02\/Hancitor_7.png\")
<\/span><\/div><\/p>\n\n\n
\n Country<\/td>\n Number of Distribution servers<\/td>\n<\/tr>\n \n United States<\/td>\n 197<\/td>\n<\/tr>\n \n Japan<\/td>\n 23<\/td>\n<\/tr>\n \n Vietnam<\/td>\n 13<\/td>\n<\/tr>\n \n Singapore<\/td>\n 12<\/td>\n<\/tr>\n \n Russia<\/td>\n 7<\/td>\n<\/tr>\n \n Brazil<\/td>\n 6<\/td>\n<\/tr>\n \n Malaysia<\/td>\n 6<\/td>\n<\/tr>\n \n Hong Kong<\/td>\n 5<\/td>\n<\/tr>\n \n South Africa<\/td>\n 4<\/td>\n<\/tr>\n \n Thailand<\/td>\n 4<\/td>\n<\/tr>\n \n India<\/td>\n 2<\/td>\n<\/tr>\n \n Ireland<\/td>\n 2<\/td>\n<\/tr>\n \n Kazakhstan<\/td>\n 2<\/td>\n<\/tr>\n \n Taiwan<\/td>\n 2<\/td>\n<\/tr>\n \n Turkey<\/td>\n 2<\/td>\n<\/tr>\n \n Ukraine<\/td>\n 2<\/td>\n<\/tr>\n \n Argentina<\/td>\n 1<\/td>\n<\/tr>\n \n Canada<\/td>\n 1<\/td>\n<\/tr>\n \n Germany<\/td>\n 1<\/td>\n<\/tr>\n \n Israel<\/td>\n 1<\/td>\n<\/tr>\n \n Italy<\/td>\n 1<\/td>\n<\/tr>\n \n Netherlands<\/td>\n 1<\/td>\n<\/tr>\n \n Republic of Korea<\/td>\n 1<\/td>\n<\/tr>\n \n Republic of Lithuania<\/td>\n 1<\/td>\n<\/tr>\n \n United Kingdom<\/td>\n 1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n