Hancitor

Malware

⚠️ Overview

Hancitor, also known as Chanitor, is a modular downloader trojan that has been in circulation since at least 2014 and is operated by a threat group tracked variously as TA511 (Proofpoint), MAN1 and Moskalvzapoe (Palo Alto Networks Unit 42). It is classified as a malware loader: its purpose is to deliver secondary payloads, which in the 2020‑2021 campaigns included Ficker Stealer, the Send‑Safe spambot, Cobalt Strike beacons and, following the Cobalt Strike stage, Cuba ransomware. That chain makes it a precursor to ransomware intrusions rather than a destructive payload in its own right.

🔧 Technical Capabilities

Hancitor propagates via malspam. Early campaigns attached malicious Microsoft Office documents directly; from 2020 onward the emails typically carried a link (often abusing Google Docs pages or Feedproxy redirects) that led to a Word document. The document's obfuscated VBA macro, once enabled, drops or downloads the Hancitor DLL, which in turn fetches follow‑up payloads from compromised websites (frequently WordPress installs) or dedicated C2 servers. It establishes persistence by writing a value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and uses process injection (e.g., into explorer.exe) to evade detection. The loader communicates over plain HTTP using a hard‑coded User‑Agent string (Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36), and the C2 responses that tell it where to fetch the next stage are obfuscated with a simple XOR. It also employs dead‑drop resolvers (DDR) hosted on free blogging platforms to fetch next‑stage landing URLs.
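The XOR obfuscation described above is weak enough to strip without the key. The following is an added example (not code from the page or from any Hancitor analysis) that reconstructs the scheme as a single‑byte XOR followed by base64, generates a constructed response, and then recovers the key by scoring every candidate byte for printable output. The URLs, the key value and the XOR‑then‑base64 order are assumptions for the example; real samples may differ.

```python
import base64
import string

# Constructed sample: a next-stage response as the assumed scheme would produce it.
# The key, the URL list and the "|" separator are assumptions for this example.
ASSUMED_KEY = 0x7A
PLAINTEXT = b"http://example.invalid/stage2.bin|http://example.invalid/stage3.bin"

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def encode_response(plaintext: bytes, key: int) -> str:
    """Server side of the assumed scheme: XOR first, then base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def score(candidate: bytes) -> float:
    """Fraction of printable bytes, plus a bonus when the decode looks like URLs."""
    printable = sum(b in PRINTABLE for b in candidate) / max(len(candidate), 1)
    return printable + (1.0 if b"http" in candidate else 0.0)


def recover_key(encoded: str) -> tuple[int, bytes]:
    """Brute-force all 256 single-byte keys and return the best-scoring decode.

    Only the true key yields a fully printable buffer that also contains "http",
    so the maximum score (2.0) identifies it unambiguously.
    """
    raw = base64.b64decode(encoded)
    best_key, best_plain, best_score = 0, raw, -1.0
    for key in range(256):
        plain = xor_bytes(raw, key)
        s = score(plain)
        if s > best_score:
            best_key, best_plain, best_score = key, plain, s
    return best_key, best_plain


def extract_urls(plain: bytes) -> list[str]:
    """Split the recovered buffer into the next-stage URLs it carries."""
    return [u for u in plain.decode("latin-1").split("|") if u.startswith("http")]


if __name__ == "__main__":
    blob = encode_response(PLAINTEXT, ASSUMED_KEY)
    key, plain = recover_key(blob)
    print(f"recovered key 0x{key:02x}")
    for url in extract_urls(plain):
        print("next stage:", url)
```

Run it against a captured response body by replacing `blob` with the base64 text from the HTTP reply; if the scoring picks a key that does not yield URLs, the sample probably applies base64 and XOR in the other order or uses a longer key, and the same loop can be adapted accordingly.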

📜 History & Notable Incidents

Hancitor has been active since at least 2014, with major waves observed from 2020 to 2022 against healthcare, finance and government organisations. In 2021 its Cobalt Strike follow‑on stage was used to deploy Cuba ransomware, and the operators behind Cuba published data stolen from victims that did not pay. No law‑enforcement takedown specific to Hancitor has been reported, although it is widely flagged in threat intelligence as a precursor to ransomware attacks.

🔍 Detection Indicators

File hashes change with every build, so rely on current sample feeds (for example MalwareBazaar or the IOC lists published with Unit 42's Hancitor reports) rather than a static list. Behavioral indicators include a new Run‑key value under CurrentVersion\Run, an Office process spawning rundll32.exe or a similar host process, and injection into explorer.exe. Network IOCs involve an outbound IP lookup to api.ipify.org shortly before the first check‑in, HTTP POST check‑ins to URLs ending in /forum.php (commonly /4/forum.php or /8/forum.php) whose form body carries GUID, BUILD, INFO, EXT, IP, TYPE and WIN fields, and the User‑Agent string listed above.
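The network indicators above are most useful in combination: an old Chrome User‑Agent on its own is common, but that User‑Agent plus a POST to /N/forum.php with the check‑in fields is very specific. The following added example (not code from the page or from any vendor) scores constructed proxy log entries on those three features and flags anything reaching a threshold. The JSON‑lines log format, the host names and the body values are assumptions for the example.

```python
import json
import re
from dataclasses import dataclass

# User-Agent string as listed in the Technical Capabilities section above.
HANCITOR_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36")
# Form fields that appear in Hancitor check-in bodies (GUID=..&BUILD=..&INFO=..&...).
BEACON_FIELDS = frozenset({"GUID", "BUILD", "INFO", "EXT", "IP", "TYPE", "WIN"})
FORUM_PATH = re.compile(r"/\d+/forum\.php$")
FLAG_THRESHOLD = 2

# Constructed log entries (assumed JSON-lines proxy format); hosts and values are made up.
SAMPLE_LOG = [
    json.dumps({"method": "GET", "host": "www.example.com", "path": "/",
                "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "body": ""}),
    json.dumps({"method": "POST", "host": "forum.example.net", "path": "/8/forum.php",
                "user_agent": "Mozilla/5.0 (X11; Linux) Firefox/115.0",
                "body": "username=alice&password=hunter2"}),
    json.dumps({"method": "POST", "host": "c2.example.invalid", "path": "/4/forum.php",
                "user_agent": HANCITOR_UA,
                "body": "GUID=1234&BUILD=0112_abcd&INFO=HOST-1 @ HOST-1\\user&EXT=&IP=203.0.113.7&TYPE=1&WIN=6.1(x64)"}),
    json.dumps({"method": "GET", "host": "www.example.org", "path": "/news",
                "user_agent": HANCITOR_UA, "body": ""}),
]


@dataclass
class Verdict:
    line_no: int
    score: int
    reasons: list[str]


def body_fields(body: str) -> set[str]:
    """Return the parameter names of a URL-encoded form body."""
    return {kv.split("=", 1)[0] for kv in body.split("&") if "=" in kv}


def assess(entry: dict) -> tuple[int, list[str]]:
    """Score one log entry; the form-field match is weighted highest because it is
    the least likely to occur in benign traffic."""
    score, reasons = 0, []
    if entry.get("user_agent") == HANCITOR_UA:
        score += 1
        reasons.append("hard-coded User-Agent")
    if entry.get("method") == "POST" and FORUM_PATH.search(entry.get("path", "")):
        score += 1
        reasons.append("POST to /N/forum.php")
    if body_fields(entry.get("body", "")).issuperset(BEACON_FIELDS):
        score += 2
        reasons.append("check-in form fields present")
    return score, reasons


def scan(lines) -> list[Verdict]:
    """Parse JSON-lines entries and return those at or above the flag threshold.
    Unparseable lines are skipped rather than aborting the scan."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        score, reasons = assess(entry)
        if score >= FLAG_THRESHOLD:
            hits.append(Verdict(n, score, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: score {hit.score}: {', '.join(hit.reasons)}")
```

With the constructed input only the third entry is flagged: the legitimate forum login (line 2) and the lone User‑Agent match (line 4) each score 1 and stay below the threshold, which is the behaviour you want before turning such logic into a production rule.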

☠️ Risk & Impact

Hancitor serves as an initial‑access gateway. A successful infection typically hands the host to a Cobalt Strike operator, which can lead to full network compromise, data theft and deployment of ransomware such as Cuba, with the resulting operational downtime and ransom demands. Because the observed targeting has included healthcare, finance and government organisations, a Hancitor‑initiated breach can also expose the victim to data‑protection obligations (for example under HIPAA or GDPR) in addition to direct financial loss.

🛡️ Mitigation

Defenders should block Office macros via Group Policy (and keep Microsoft's default block on macros in files carrying the Mark of the Web), deploy email‑security gateways that scan attachments and follow links to hosted documents, and enable the Attack Surface Reduction rule that prevents Office applications from creating child processes, which breaks the macro‑to‑rundll32 step. Endpoint detection should cover Hancitor's C2 User‑Agent string, POSTs to /forum.php paths and new Run‑key persistence. Regular patching of Office (Hancitor has exploited CVE‑2017‑11882 in past campaigns) and network‑level blocking of known DDR domains are also recommended.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.