# Let's Learn: In-Depth Reversing of Hancitor Dropper/Loader: 2016 vs 2018 Malware Progression

The group behind the Hancitor distribution campaigns remains one of the more resourceful and sophisticated cybercrime loader-as-a-service groups, delivering various payloads ranging from simple credential stealer malware to point-of-sale and banking malware variants (from Pony Stealer, EvilPony Stealer, and AZORult Stealer to Neverquest Banker, Panda Banker, Gozi ISFB Banker, and Danabot Banker). One of the most interesting kinds of malware analysis revolves around source code-level analysis of malware development progression over time. I highly recommend reading the article on Hancitor titled "A Closer Look At Hancitor" written by Nick Hoffman and Jeremy Humble. Additionally, I recommend reading the blog titled "Hancitor Panel Overview" to learn more about the Hancitor panel. I will utilize the malware sample from this article to compare against one of the latest Hancitor variants (h/t to for the latest sample).

By and large, while the group behind the malware is rather experienced and persistent, the Hancitor dropper remains a simple and unsophisticated dropper-and-loader type of malware that has seen little development since 2016. Some of the notable lack of development and adjustment includes its reliance on ANSI API calls, its unsophisticated WriteProcessMemory injection method, a modified %TEMP% run method with the function joined onto CreateProcessA rather than kept as a separate function, the absence of the Winhost32.exe check logic and its derivative functions, an additional error check on CreateProcessA and exception handling, an improved parser function before the WriteProcessMemory injection, a joined injection function, no deletion logic, and different initial and entry functions.

Original Packed Hancitor Loader 32-Bit (x86)

Unpacked Hancitor Dropper & Loader 32-Bit (x86)

# Let's Learn: Introducing Latest TrickBot Point-of-Sale Finder Module

The group behind TrickBot malware development remains one of the most resourceful in the e-crime ecosystem, continuously releasing various modules (for example, the password grabber "pwgrab32Dll" on October 19, 2018). This is not the first time the TrickBot development group has leveraged LDAP: they also developed a DomainGrabber module specifically to harvest sensitive domain controller information, as detailed earlier. The module itself does not steal any point-of-sale data but rather is used to profile corporate machines of interest with possible point-of-sale devices. This module arrives just in time for the holiday shopping season, highlighting the group's interest in exploring possible point-of-sale breaches. The question is: what point-of-sale malware would the group behind TrickBot deploy on identified machines of interest, and/or would they auction this access to another group? This question is yet to be answered.

Decoded TrickBot Point-of-Sale Finder "psfin32" Module 32-Bit (x86)

## TrickBot Point-of-Sale Finder Module vs DomainGrabber Module: Code Analysis

The latest module shows a lot of visual similarity to their previous DomainGrabber module. During pseudo source-code level analysis, it is revealed that the code contains 6 partial function matches (including perfect match and strongly connected components) and 17 unreliable function matches (including same MD index and constants, strongly connected components, similar small pseudo-code, strongly connected components small-primes-product, and loop count). By and large, the pseudo source-code analysis reveals that the new module heavily borrows from the earlier DomainGrabber code and was likely coded by the same developer(s).

## TrickBot Point-of-Sale Finder Module LDAP Analysis

This TrickBot module was programmed leveraging Active Directory Service Interfaces (ADSI) APIs to search LDAP for objects possibly linked to point-of-sale related services, software, and machines. To learn more about the specific ADsOpenObject access and the IADsContainer interface, please refer to the DomainGrabber post. The LDAP provider is used to access Active Directory Domain Services. The LDAP binding string takes the form "GC://", binding to the root of the namespace; the "GC:" prefix uses the LDAP provider to bind to the Global Catalog service to execute queries. The module queries the domain Global Catalog for the following accesses:

Fragments of the accompanying YARA rule, as preserved on the page:

```
Author = "Detects TrickBot Point-of-Sale Finder Module"
$s1 = "Dpost servers unavailable" fullword ascii
$s7 = "(&(objectCategory=person)(sAMAccountName=%s))" fullword wide
... ) or ( $ldap_gc_pos_queryportion and 5 of ($s*) )
```

## TrickBot Point-of-Sale Finder Module POST Command

Author: vkremez. Posted in November. Tags: cybercriminal, cyber security, reverse engineering.
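As an added example that is not code from the original post or its YARA rule, the following matcher applies the two psfin32 indicator strings quoted in the rule fragments above to a byte buffer, implementing what YARA's `fullword` and `ascii`/`wide` modifiers mean at the byte level; the sample buffer is constructed, and the "N of ($s*)" condition is a stand-in because only two of the rule's strings appear on the page.

```python
import re

# Indicator strings as quoted from the psfin32 rule fragments on the page.
INDICATORS = {
    "s1": (b"Dpost servers unavailable", "ascii"),
    "s7": (b"(&(objectCategory=person)(sAMAccountName=%s))", "wide"),
}

def encode_indicator(s: bytes, kind: str) -> bytes:
    """YARA 'wide' means UTF-16LE: each ASCII byte is followed by a NUL."""
    return s if kind == "ascii" else s.decode("ascii").encode("utf-16-le")

def fullword_pattern(encoded: bytes, kind: str):
    """Regex enforcing YARA 'fullword': no alphanumeric neighbour on either side.
    For wide strings a neighbour is a UTF-16LE code unit (letter/digit + NUL)."""
    alnum = rb"[A-Za-z0-9]" if kind == "ascii" else rb"[A-Za-z0-9]\x00"
    return re.compile(rb"(?<!" + alnum + rb")" + re.escape(encoded) + rb"(?!" + alnum + rb")")

def scan(buf: bytes) -> dict:
    """Return {indicator_name: [match offsets]} for every indicator found in buf."""
    hits = {}
    for name, (s, kind) in INDICATORS.items():
        pattern = fullword_pattern(encode_indicator(s, kind), kind)
        offsets = [m.start() for m in pattern.finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits

def matches_rule(buf: bytes, required: int = 2) -> bool:
    """Stand-in for the rule's 'N of ($s*)' condition, over the two strings we have."""
    return len(scan(buf)) >= required

# Constructed sample buffer (not a real binary): the ASCII string, the LDAP
# filter as UTF-16LE, and a decoy copy of the ASCII string glued to letters,
# which the fullword check must reject.
SAMPLE = (
    b"\x00" * 4
    + b"Dpost servers unavailable" + b"\x00\x00"
    + "(&(objectCategory=person)(sAMAccountName=%s))".encode("utf-16-le")
    + b"\x00\x00" + b"xDpost servers unavailablex"
)

if __name__ == "__main__":
    print(scan(SAMPLE), matches_rule(SAMPLE))  # {'s1': [4], 's7': [31]} True
```

Note that a wide string immediately preceded by an ASCII letter and a NUL (as happens when it follows an unterminated ASCII string) also fails the fullword check, which is why the constructed sample pads with two NUL bytes.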