Be Confident Stopping Hancitor, Wannacry Internal, & more

May 19, 2020 by Kyle Flaherty

Being current is critical in cybersecurity. When attacks spring up you worry if you're protected. First you make sure your tools have been updated, the team creates new detection rules, you double check everything, and wait to see if the attack hits and hope that everything is configured correctly. At least that's the way we used to do it, before breach and attack simulation (BAS) let us attack ourselves before they do.

Staying current with attack simulations means automatically integrating some killer threat intel. Anyone who has heard one of my 237 webinars in the past two weeks knows I talk a LOT about the Keysight Application and Threat Intelligence (ATI) team. These global smarties are constantly collecting info from private and public feeds, pulling it out of our honeypots, analyzing, reverse engineering, and spitting it all back out into our family of security products, including Threat Simulator.

This past week the ATI team released some cool updates including new Threat Simulator attack campaigns for Hancitor Malware, currently seeing a resurgence targeting our global health crisis, and a new kill chain assessment for Wannacry Internal Source. Threat Simulator users (remember, free trial) now have 10 new audits to use when attacking themselves. Let's talk and look a bit more at the Wannacry and Hancitor kill chains.

Wannacry Internal Source Kill Chain

As we all know, Wannacry is an Internet worm and ransomware malware that spreads throughout a network leveraging a vulnerability in Microsoft Window's ability to parse Server Message Block (SMB) messages. The vulnerability was first discovered from a leaked Shadowbrokers exploit kit. The exploit used is commonly referred to by the code names ETERNALBLUE and FUZZBUNCH. The malware used a killswitch which would check for the presence of a domain name, and if present, would cease execution. This version of this assessment assumes a rogue computer has entered the network through unknown means and is spreading within your network.

simulate wannacry malware

Hancitor Malware Infection

As described in this SANS blog post COVID-19/Coronavirus-themed phishing emails were observed in-the-wild, leading to Hancitor-malware download/infection. This assessment creates the receipt of such a phishing email (originating from a Russian SMTP server). The phishing email then attempts to entice a user to click on an embedded link, which leads to an attempt to download/install a variant of Hancitor malware. The full assessment contains 2 stages, first a phishing email containing link to malware server is received, then as if a user had clicked the link, an HTTP GET request initiates the download the initial Hancitor-related VB Script malware.

detect hancitor phishing

These are simply two of the hundreds of audits you can quickly use to assess your security posture, and deliver confidence to your team. Try it yourself right now and know with confidence that you're protected.