jeudi 16 mars 2017

Hancitor panel overview


These weeks I've read a lot of tweets about hancitor. Hancitor is even in the CheckPoint "top 5 Most Wanted malware" (¯\_(ツ)_/¯).
You can read a lot of good stuff about the Hancitor/Fareit/Vawtrack/H1N1 gang, binaries reverse, proxy infra... but nothing about Hancitor web panels. So, I've write this (very) quick blogpost to show the attacker point of view :]

Since admin has activated White-listing, it seems that it's not possible to access to the web panel via the Nginx Proxy. When you try to access to a page admin.php or panel.php etc, proxy returns a 403 error. For accessing the panel, you have to find the real IP behind proxies.

Before the white-listing system, it was possible to access to Hancitor CNC due to a lot of vulns. Because these vuln are patched today, it's time to disclose some stuff. Let's have a look at this dropper C&C.

Bypassing authentication

When you want to access to a page, the panel developer checks if the user is authenticated with this kind of code:
This is an old school kind of vulnerability \o/. They don't use an "exit()" after the header function.
When you browse the page with a browser like Firefox, you are correctly redirected to, however if you grab the page with CURL or WGET the header function is ignored and... all the PHP code is executed :).

Here we go, the panel is composed of 4 parts:


This is the main page, with some data about infected hosts.


This page is used for sending commands to the bots. You can send commands to a specific group of bots or to a specific location.
The available commands are:
  • Download and Run
  • BOT Start
  • DLL Load
  • EXE Load
  • Uninstall
  • Load Config
  • Update
Two interesting facts: There is an "uninstall" command and if you send the correct POST request to the page commands.php, without authent', it works :)


This page is used for the password stealer module. I've never seen this feature used. It's maybe due to the fact that this gang use Fareit for stealing passwords...


And finally the statistics page, you can found online/Online in the last 12 hours/offline and create a new group of bots.
Thanks to a SQLi we can see that the database structure is:

As you can see, this super evil malware has a very basic CNC.
Some articles about this threat:
I hope that this quick post can be useful for somebody