Trojan:Win32/Hancitor
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
Hancitor, also known as Chanitor, is malware designed to install other malware on targeted devices. Hancitor has been active since 2013 and was typically delivered as an attachment to spear-phishing emails with varying lure themes. From 2020 onwards, however, threat actors have used DocuSign-themed lures to entice targeted users into opening links in emails; these links lead to a second link that downloads a document whose malicious macro contains the main Hancitor payload.
Once on the target device, Hancitor performs initial reconnaissance, connects to the attackers' command-and-control (C2) server, and downloads additional malware, including banking trojans such as Zloader and Vawtrak and information stealers such as Pony and Ficker. In some campaigns, attackers have also used Hancitor to install Cobalt Strike or to exploit CVE-2020-1472. Across these infections, the attackers use the tools Hancitor delivers to perform various malicious activities, including lateral movement, credential theft, and data exfiltration.
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
To help reduce the impact of this threat, you can:
- Immediately isolate the affected device. If Hancitor has been launched, it is likely that the device is under complete attacker control.
- Contact the device owner to confirm whether they have downloaded any document and enabled macros. Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- Investigate how the affected device might have been compromised. Check web traffic to determine how this malware arrived. Check the user mailbox for unsolicited emails containing unexpected attachments.
- Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools, such as Cobalt Strike, that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
- Initiate an incident response process, focusing on data exfiltration that attackers might already have performed. Contact your incident response team, or contact Microsoft support for investigation and remediation services.
- Prevent subsequent attacks by adjusting spam and phishing filtering policies based on the characteristics of the campaign email.
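The delivery chain and the account-scoping steps above, as an added example that is not part of the original page: a small Python triage helper that, over constructed mail, proxy and logon records, ties a DocuSign-themed lure email to the Office document download that followed it and lists every account that used the affected device. The record field names, the one-hour window and the mailbox-to-username mapping are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the original page); timestamps are ISO 8601.
MAIL_LOG = [
    {"ts": "2021-04-06T09:02:00", "rcpt": "alice@example.test",
     "sender": "noreply@docusign-notice.example.test",
     "subject": "DocuSign: Please review and sign", "has_link": True},
    {"ts": "2021-04-06T09:10:00", "rcpt": "alice@example.test",
     "sender": "bob@example.test", "subject": "Lunch?", "has_link": False},
]
PROXY_LOG = [  # the lure link redirects to a second link that serves the document
    {"ts": "2021-04-06T09:05:30", "user": "alice", "device": "WS-17",
     "url": "http://redirect.example.test/go", "content_type": "text/html"},
    {"ts": "2021-04-06T09:05:41", "user": "alice", "device": "WS-17",
     "url": "http://files.example.test/invoice.doc", "content_type": "application/msword"},
    {"ts": "2021-04-06T14:00:00", "user": "alice", "device": "WS-17",  # outside window
     "url": "http://intranet.example.test/policy.doc", "content_type": "application/msword"},
]
LOGON_LOG = [
    {"ts": "2021-04-06T08:30:00", "device": "WS-17", "account": "alice"},
    {"ts": "2021-04-06T11:15:00", "device": "WS-17", "account": "svc-backup"},
    {"ts": "2021-04-06T11:20:00", "device": "WS-22", "account": "carol"},
]
DOC_TYPES = ("application/msword", "application/vnd.ms-word.document.macroenabled.12",
             "application/vnd.openxmlformats-officedocument.wordprocessingml.document")

def lure_emails(mail_log):
    """Emails matching the lure described on the page: DocuSign theme plus a link."""
    return [m for m in mail_log if m["has_link"]
            and "docusign" in (m["subject"] + m["sender"]).lower()]

def downloads_after(lure, proxy_log, window=timedelta(hours=1)):
    """Office document downloads by the recipient within `window` of the lure.
    Assumption: the proxy user name equals the mailbox local-part."""
    user, start = lure["rcpt"].split("@")[0], datetime.fromisoformat(lure["ts"])
    return [p for p in proxy_log if p["user"] == user and p["content_type"] in DOC_TYPES
            and start <= datetime.fromisoformat(p["ts"]) <= start + window]

def accounts_on_device(device, logon_log):
    """Every account seen on the device; treat each as compromised (reset or decommission)."""
    return sorted({entry["account"] for entry in logon_log if entry["device"] == device})

def triage(mail_log, proxy_log, logon_log):
    """Link each lure email to its likely document download and the exposed accounts."""
    findings = []
    for lure in lure_emails(mail_log):
        for dl in downloads_after(lure, proxy_log):
            findings.append({"lure_subject": lure["subject"], "download": dl["url"],
                             "device": dl["device"],
                             "accounts": accounts_on_device(dl["device"], logon_log)})
    return findings
```

Each finding names the device to isolate and the accounts to reset; the redirect hop and the later intranet download are excluded by content type and time window respectively.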