This URL pattern has also been noted pushing other families of malware. Google Drive links from emails pushing Hancitor start with and end with /pub. Cloud-based collaborative services such as Microsoft's OneDrive and Google Drive are frequently abused by threat actors to distribute malware. These DocuSign-themed messages have links to malicious Google Drive pages established through fraudulent or possibly compromised Google accounts. The company provides guidance on this issue and a channel to report malicious messages spoofing their brand. 12, 2021.

DocuSign-spoofed emails are not new, nor are they limited to Hancitor. Currently, most waves of emails pushing Hancitor have used a DocuSign theme, and the average wave of Hancitor malspam looks like this one reported on Jan. Emails spoofing DocuSign have been reported as early as October 2017, but the group behind Hancitor began more frequent use of DocuSign templates starting in October 2019. Hancitor has historically sent emails spoofing different types of organizations that send notices, faxes or invoices.

First Stage: Distributing Malicious Word Documents

5, 2020, this campaign settled into the infection chain of events shown above. In rare cases, we have also seen a Hancitor infection follow up with Send-Safe spambot malware that turned an infected host into a spambot pushing more Hancitor-based malspam.

After a three-month absence, Hancitor activity resumed on Oct.