These weeks I've read a lot of tweets about hancitor. Hancitor is even in the CheckPoint "top 5 Most Wanted malware" (¯\_(ツ)_/¯).
You can read a lot of good stuff about the Hancitor/Fareit/Vawtrack/H1N1 gang, binaries reverse, proxy infra... but nothing about Hancitor web panels. So, I've write this (very) quick blogpost to show the attacker point of view :]
Since admin has activated White-listing, it seems that it's not possible to access to the web panel via the Nginx Proxy. When you try to access to a page admin.php or panel.php etc, proxy returns a 403 error. For accessing the panel, you have to find the real IP behind proxies.
Before the white-listing system, it was possible to access to Hancitor CNC due to a lot of vulns. Because these vuln are patched today, it's time to disclose some stuff. Let's have a look at this dropper C&C.
Bypassing authentication
When you want to access to a page, the panel developer checks if the user is authenticated with this kind of code:
This is an old school kind of vulnerability \o/. They don't use an "exit()" after the header function.
When you browse the page with a browser like Firefox, you are correctly redirected to google.com, however if you grab the page with CURL or WGET the header function is ignored and... all the PHP code is executed :).
Here we go, the panel is composed of 4 parts:
Panel.php
This is the main page, with some data about infected hosts.
commands.php
The available commands are:
- Download and Run
- BOT Start
- DLL Load
- EXE Load
- Uninstall
- Load Config
- Update
passwords.php
statistics.php
Thanks to a SQLi we can see that the database structure is:
As you can see, this super evil malware has a very basic CNC.
Some articles about this threat:
- Analysing the Hancitor Maldoc
- PonyUp: Tracing Pony’s Threat Cycle and Multi-Stage Infection Chain
- Hancitor/Pony/Vawtrak malspam
