jeudi 16 mars 2017

Hancitor panel overview

Hey!

These weeks I've read a lot of tweets about hancitor. Hancitor is even in the CheckPoint "top 5 Most Wanted malware" (¯\_(ツ)_/¯).
You can read a lot of good stuff about the Hancitor/Fareit/Vawtrack/H1N1 gang, binaries reverse, proxy infra... but nothing about Hancitor web panels. So, I've write this (very) quick blogpost to show the attacker point of view :]


Since admin has activated White-listing, it seems that it's not possible to access to the web panel via the Nginx Proxy. When you try to access to a page admin.php or panel.php etc, proxy returns a 403 error. For accessing the panel, you have to find the real IP behind proxies.

Before the white-listing system, it was possible to access to Hancitor CNC due to a lot of vulns. Because these vuln are patched today, it's time to disclose some stuff. Let's have a look at this dropper C&C.

Bypassing authentication


When you want to access to a page, the panel developer checks if the user is authenticated with this kind of code:
This is an old school kind of vulnerability \o/. They don't use an "exit()" after the header function.
When you browse the page with a browser like Firefox, you are correctly redirected to google.com, however if you grab the page with CURL or WGET the header function is ignored and... all the PHP code is executed :).


Here we go, the panel is composed of 4 parts:

Panel.php


This is the main page, with some data about infected hosts.

commands.php

This page is used for sending commands to the bots. You can send commands to a specific group of bots or to a specific location.
The available commands are:
  • Download and Run
  • BOT Start
  • DLL Load
  • EXE Load
  • Uninstall
  • Load Config
  • Update
Two interesting facts: There is an "uninstall" command and if you send the correct POST request to the page commands.php, without authent', it works :)

passwords.php

This page is used for the password stealer module. I've never seen this feature used. It's maybe due to the fact that this gang use Fareit for stealing passwords...

statistics.php

And finally the statistics page, you can found online/Online in the last 12 hours/offline and create a new group of bots.
Thanks to a SQLi we can see that the database structure is:


As you can see, this super evil malware has a very basic CNC.
Some articles about this threat:
I hope that this quick post can be useful for somebody






13 commentaires:

  1. Пишиесчо!(#writemoreplz)

    RépondreSupprimer
  2. HP OfficeJet 8702 All-in-One HP OfficeJet 8702 Wireless Printer Setup All-in-One Series Full Feature Software and Drivers Details The full setup+ programming.

    RépondreSupprimer
  3. I'm unexpirienced in this topic, but I hope to become more prudent regarding your blog.
    Logo Esport Maker

    RépondreSupprimer
  4. Great Content. Read Here Why nobody care about health. and more intersting topics.Read Here

    RépondreSupprimer
  5. Allegiant Airlines Reservations A good Blog gives a lot more knowledge about this. I will continue to support your work Thank you.

    RépondreSupprimer
  6. Lufthansa Reservations Much obliged for the pleasant blog. It was exceptionally valuable for me. I'm cheerful I discovered this blog. Much obliged to you for imparting to us, I also consistently discover some new information from your post.

    RépondreSupprimer