Walmart is a big company. While most people know we have a global footprint with our stores, what they might not realize is we have a global technology footprint too. Because of this, we have to account for attacks against our cyber infrastructure, which range from scanning our network perimeter for weaknesses all the way to targeted phishing attacks. To give a sense of scale, in December of last year, we blocked about 319 million e-mails (or 91%) destined for Walmart domains.

One type of malware that we regularly block using our various detection sensors is Hancitor. Like other types of malware seen in spam, this malware travels in the form of email attachments, specifically, Microsoft Word documents. Hancitor’s initial infection vector lies in the power of Visual Basic for Applications (VBA) macros. This has been a very common method of delivering malware, and Microsoft has done a good job of blocking execution of potentially unsafe macros. However, Hancitor and other related malware families are clever in how they persuade users to do the job for them.

Let’s take a look at a sample. When opening the document, the security warning lets users know the document contains macros, and that Word has disabled them. The malware’s creator has been clever to include instructions in the document body that make it appear you must enable these macros before the document is available, as seen in Figure 1 below. What the user doesn’t know, though, is that this seemingly harmless move will trigger the malware.

Figure 1 - Viewers deceived into enabling macros
Figure 1 – Viewers deceived into enabling macros

In order to understand exactly what happens when the user enables macros, we’re going to have to take a brief technical look. Below is a picture that provides an overview of the Hancitor sample’s project files as viewed using Word’s developer features.

Figure 2 – The malware project seen in VBA

The Document_Open method is defined within ThisDocument (seen in Figure 2) and performs all of the malicious routines when a document is opened (or in this case, when the user clicks ‘Enable Content’). There is also a helper module, referred to as demotion, which contains Windows API function mappings that can be seen below. The author also seems to have a sense of humor by inserting lyrics to a Garbage song as comments in the code.

Figure 3 - Windows API mappings
Figure 3 – Windows API mappings

Hancitor uses the function VirtualAllocEx (referred to as an alias, “whitworth” in Figure 3) to allocate memory inside of Microsoft Word and writes shellcode using RtlMoveMemory (alias “intermission”). Finally, Hancitor executes the shellcode using the callback function parameter for EnumTimeFormatsW as can be seen in the highlighted line of Figure 4. Malware creators often leverage Windows API functions that accept callbacks as they are a good place to hide executable malicious code.

Figure 4 - Hancitor executing shellcode via EnumTimeFormatsW
Figure 4 – Hancitor executing shellcode via EnumTimeFormatsW

Inside of the shellcode executed by EnumTimeFormatsW, many additional Windows functions are resolved and a check-in URL is contacted to proceed with infecting the host. It places function names in pieces onto the stack and uses a special function to retrieve their addresses after loading the required libraries; this is likely done to avoid AV engine detection and heuristics. This entire process is often referred to as building an Import Table.

Figure 5 - Hancitor initial C2 beacon
Figure 5 – Hancitor initial C2 beacon

On our Windows 7 test machine, the URL was http://hoentoftfa[.]com/blt/path1.php?v=61, where 61 equals the OS version major number and minor number for Windows 7.

Once the check-in is complete, Hancitor de-obfuscates more data inside the word document and reveals a new malicious executable. Hanctior then creates either a suspended svchost.exe or explorer.exe, depending on if the user is running 32bit or 64bit Microsoft Word.


Word Version


64bit Microsoft Word


32bit Microsoft Word

Figure 6 – WINWORD.EXE creates a suspended svchost.exe (in gray)

Next Hancitor performs process hollowing (seen in Figure 7). This is a highly utilized technique in malware where the memory of a process is replaced with memory of a malicious process. Hancitor takes the new malicious executable and places it in either explorer.exe or svchost.exe and resumes the process using ResumeThread.

Figure 7 – Hancitor performing Process Hollowing
Figure 7 – Hancitor performing Process Hollowing

Inside the new process, Hancitor proceeds to fingerprint the device and collects:
1. Hard disk volume serial (via GetVolumeInformationA)
2. Computer name (via GetComputerName)
3. Username (via LookupAccountSidA after retrieving the process token)
4. Processor Information (via GetSystemInfo/GetNativeSystemInfo – these both return a SYSTEM_INFO data structure
5. The IP address (using a checker site)

The IP checking request uses, as seen below in Figure 8.

Figure 8 – Hancitor getting the infected client’s IP address
Figure 8 – Hancitor getting the infected client’s IP address

Hancitor takes this information and packs it into a special string used in network requests (an example of this code is below). Our test machine output looked like:

GUID=8104943073458339715&BUILD=1411&INFO=USERSPCNAME @ USERSPCNAME\user&IP=

Figure 9 – Hancitor constructs a C2 request
Figure 9 – Hancitor constructs a C2 request

After this occurs, Hancitor retrieves a command by making an HTTP POST request to one of three command and control (C2) servers; it’s important to note these servers will change with newer variants. Figure 10 shows an example request and response.
POST http://gonynamo[.]ru:80/ls5/gate.php
POST http://hoentoftfa[.]com/ls5/gate.php
POST http://forpartinsa[.]ru/ls5/gate.php

Figure 10 – Hancitor contacts C2
Figure 10 – Hancitor contacts C2

The response from the server can be one of several commands, which includes r, u, d, l, e, c, and n. It appears that new clients first receive the n command. This likely indicates a new infected host.

Figure 11 – Command list for Hancitor client
Figure 11 – Command list for Hancitor client

At this point, it’s easy to see how much can happen just by carelessly clicking that “Enable Content” button in an untrusted document. The good news is that Microsoft has done a lot of work here to protect against harmful VBA macros once a document has been opened, but keeping VBA enabled for Office applications means that users must be trained not to enable macros from unknown senders. Additionally, if someone you know sends a document with macros, verify first with the sender that they actually sent it (i.e. their email could be hacked). Finally, if your organization wants to disable VBA, they can do so via Group Policy using administrative templates provided by Microsoft. However, it’s important to note that some users might depend on VBA in their daily workflow.

You can also protect your organization at the network layer. Hancitor is sent via spam campaigns, so filtering these e-mails out before they make it to an inbox is obviously the best solution. There are many security companies today that offer solutions to intercept and block suspicious e-mails, as well as analyze e-mail attachments that might be harmful.

If you’ve already been infected, chances are you have additional malware on your system, as Hancitor will download and run additional payloads. In some cases, this is ransomware, so it’s rather obvious when infected. In others the case may not be obvious, so ensure your security software is up to date and infected systems are quarantined before they undergo any reimaging.


Interested in learning more about InfoSec at Walmart? Sp4rkCon, held Saturday, April 1, 2017, will feature free training and technical talks. Our goal is for budding hackers and seasoned technologists alike to come together as we share ideas and discuss the latest in InfoSec attack defense with some amazing thought leaders. Learn more about the event.

Register for the Latest News