{"id":132931,"date":"2021-12-13T06:32:49","date_gmt":"2021-12-13T14:32:49","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=132931"},"modified":"2024-07-08T01:27:07","modified_gmt":"2024-07-08T08:27:07","slug":"hancitor-doc-drops-via-clipboard","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/","title":{"rendered":"HANCITOR DOC drops via CLIPBOARD"},"content":{"rendered":"<p>By Sriram P &amp; Lakshya Mathur<\/p>\n<p>Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and many more. Recently at McAfee Labs, we observed Hancitor Doc VBA (Visual Basic for Applications) samples dropping the payload using the Windows clipboard through the Selection.Copy method.<\/p>\n<p>This blog focuses on the effectiveness of this newly observed technique and how it adds an extra layer of obfuscation to evade detection.<\/p>\n<p>Below (Figure 1) are the geolocation-based stats of Hancitor malicious Docs observed by McAfee since September 2021.<\/p>\n<h2><strong>INFECTION CHAIN<\/strong><\/h2>\n<ol>\n<li>The victim will receive a Docusign-based phishing email.<\/li>\n<li>On clicking on the link 
(hxxp:\/\/mettlybothe.com\/8\/forum[.]php), a Word document file is downloaded.<\/li>\n<li>On enabling the macro content in Microsoft Word, the macro drops an embedded OLE object, a password-protected macro-infected document file, and launches it.<\/li>\n<li>This second document file drops the main Hancitor DLL (Dynamic Link Library) payload.<\/li>\n<li>The DLL payload is then executed via rundll32.exe.<\/li>\n<\/ol>\n<h2><strong>TECHNICAL ANALYSIS<\/strong><\/h2>\n<p>Malware authors send the victims a phishing email containing a link, as shown in the screenshot below (Figure 3). The usual Docusign theme is used in this recent Hancitor wave. This phishing email contains a link to the original malicious Word document. On clicking the link, the malicious Doc file is downloaded.<\/p>\n<p>Since macros are disabled in the default configuration, malware authors try to lure victims into believing that the file is from a legitimate organization or individual and ask them to enable editing and content to start the execution of macros. The screenshot below (Figure 4) shows the lure technique observed in this current wave.<\/p>\n<p>As soon as the victim enables editing, malicious macros are executed via the Document_Open function.<\/p>\n<p>There is an OLE object embedded in the Doc file. The screenshot below (Figure 5) highlights the object as an icon.<\/p>\n<p>The loader VBA function, invoked by Document_Open, calls this random function (Figure 6), which moves the selection cursor to the exact location of the OLE object using the selection methods (.MoveDown, .MoveRight, .MoveTypeBackspace). Using the <a href=\"https:\/\/docs.microsoft.com\/en-us\/office\/vba\/api\/word.selection.copy\" target=\"_blank\" rel=\"noopener\">Selection.Copy<\/a> method, it copies the selected OLE object to the clipboard. 
Once it is copied to the clipboard, it is dropped under the %temp% folder.<\/p>\n<p>When an embedded object is copied to the clipboard, it gets written to the temp directory as a file. The malware author uses this behavior to drop a malicious Word document instead of explicitly writing the file to disk using macro functions like the classic FileSystemObject.<\/p>\n<p>In this case, the file was saved to the %temp% location with the filename <em>\u201czoro.kl\u201d<\/em>, as shown in the screenshot below (Fig 8). Fig 7 shows the corresponding procmon log involving the file write event.<\/p>\n<p>Using the CreateObject(\"Scripting.FileSystemObject\") method, the malware moves the file to a new location, <em>\\Appdata\\Roaming\\Microsoft\\Templates<\/em>, and renames it to <em>\u201czoro.doc\u201d<\/em>.<\/p>\n<p>This file is then opened with the built-in document method, Documents.Open. This moved file, zoro.doc, is password-protected. In this case, the password used was <em>\u201cdoyouknowthatthegodsofdeathonlyeatapples?\u201d<\/em>. We have also seen the usage of passwords like <em>\u201cdonttouchme\u201d<\/em>, etc.<\/p>\n<p>This newly dropped doc is executed using the Documents.Open function (Figure 11).<\/p>\n<p>Zoro.doc uses the same techniques to copy and drop the next payload as we saw earlier. The only difference is that it has a DLL as the embedded OLE object.<\/p>\n<p>It drops the file in the %temp% folder using the clipboard with the name <em>\u201cgelforr.dap\u201d. 
<\/em>Again, it moves the gelforr.dap DLL file to <em>\\Appdata\\Roaming\\Microsoft\\Templates<\/em> (Figure 12).<\/p>\n<p>Finally, after moving the DLL to the templates folder, it is executed using Rundll32.exe by another VBA call.<\/p>\n<p><strong>MITRE ATT&amp;CK<\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"128\"><strong>Technique ID<\/strong><\/td>\n<td width=\"155\"><strong>Tactic<\/strong><\/td>\n<td width=\"348\"><strong>Technique details<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"128\">T1566.002<\/td>\n<td width=\"155\">Initial Access<\/td>\n<td width=\"348\">Spam mail with links<\/td>\n<\/tr>\n<tr>\n<td width=\"128\">T1204.001<\/td>\n<td width=\"155\">Execution<\/td>\n<td width=\"348\">User Execution by opening the link.<\/td>\n<\/tr>\n<tr>\n<td width=\"128\">T1204.002<\/td>\n<td width=\"155\">Execution<\/td>\n<td width=\"348\">Executing downloaded doc<\/td>\n<\/tr>\n<tr>\n<td width=\"128\">T1218<\/td>\n<td width=\"155\">Defense Evasion<\/td>\n<td width=\"348\">Signed Binary Execution Rundll32<\/td>\n<\/tr>\n<tr>\n<td width=\"128\">T1071<\/td>\n<td width=\"155\">C&amp;C (Command &amp; Control)<\/td>\n<td width=\"348\">HTTP (Hypertext Transfer Protocol) protocol for communication<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>IOC (Indicators Of Compromise)<\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"130\"><strong>Type<\/strong><\/td>\n<td width=\"189\"><strong>SHA-256<\/strong><\/td>\n<td width=\"91\"><strong>Scanner<\/strong><\/td>\n<td width=\"214\"><strong>Detection Name<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"130\">Main Doc<\/td>\n<td width=\"189\">915ea807cdf10ea4a4912377d7c688a527d0e91c7777d811b171d2960b75c65c<\/td>\n<td width=\"91\">WSS<\/td>\n<td width=\"214\">W97M\/Dropper.im<\/td>\n<\/tr>\n<tr>\n<td width=\"130\">Dropped Doc<\/td>\n<td width=\"189\">c1c89e5eef403532b5330710c9fe1348ebd055d0fe4e3ebbe9821555e36d408e<\/td>\n<td width=\"91\">WSS<\/td>\n<td width=\"214\">W97M\/Dropper.im<\/td>\n<\/tr>\n<tr>\n<td width=\"130\">Dropped DLL<\/td>\n<td width=\"189\">d83fbc9534957dd464cbc7cd2797d3041bd0d1a72b213b1ab7bccaec34359dbb<\/td>\n<td width=\"91\">WSS<\/td>\n<td width=\"214\">RDN\/Hancitor<\/td>\n<\/tr>\n<tr>\n<td width=\"130\">URLs (Uniform Resource Locator)<\/td>\n<td width=\"189\">hxxp:\/\/mettlybothe.com\/8\/forum[.]php<\/td>\n<td width=\"91\">WebAdvisor<\/td>\n<td width=\"214\">Blocked<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>By\u00a0Sriram P &amp;\u00a0Lakshya Mathur\u00a0 Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as&#8230;<\/p>\n","protected":false},"author":695,"featured_media":132979,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-132931","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>HANCITOR DOC drops via CLIPBOARD | McAfee Blog<\/title>\n<meta name=\"description\" content=\"By\u00a0Sriram P &amp;\u00a0Lakshya Mathur\u00a0 Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer,\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HANCITOR DOC drops via CLIPBOARD | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"By\u00a0Sriram P &amp;\u00a0Lakshya Mathur\u00a0 Hancitor, a loader that provides Malware as a Service, has been observed 
distributing malware such as FickerStealer,\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-13T14:32:49+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-08T08:27:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/12\/300x200_HANCITOR.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"HANCITOR DOC drops via CLIPBOARD\",\"datePublished\":\"2021-12-13T14:32:49+00:00\",\"dateModified\":\"2024-07-08T08:27:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/\"},\"wordCount\":746,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/12\/300x200_HANCITOR.jpg\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/\",\"name\":\"HANCITOR DOC drops via CLIPBOARD | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/12\/300x200_HANCITOR.jpg\",\"datePublished\":\"2021-12-13T14:32:49+00:00\",\"dateModified\":\"2024-07-08T08:27:07+00:00\",\"description\":\"By\u00a0Sriram P &amp;\u00a0Lakshya Mathur\u00a0 Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer,\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/12\/300x200_HANCITOR.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/12\/300x200_HANCITOR.jpg\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee 
Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"HANCITOR DOC drops via CLIPBOARD\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee 
Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"HANCITOR DOC drops via CLIPBOARD | McAfee Blog","description":"By\u00a0Sriram P &amp;\u00a0Lakshya Mathur\u00a0 Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer,","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"HANCITOR DOC drops via CLIPBOARD | McAfee Blog","og_description":"By\u00a0Sriram P &amp;\u00a0Lakshya Mathur\u00a0 Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer,","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/","og_site_name":"McAfee 
Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2021-12-13T14:32:49+00:00","article_modified_time":"2024-07-08T08:27:07+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/12\/300x200_HANCITOR.jpg","type":"image\/jpeg"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"HANCITOR DOC drops via CLIPBOARD","datePublished":"2021-12-13T14:32:49+00:00","dateModified":"2024-07-08T08:27:07+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/"},"wordCount":746,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/12\/300x200_HANCITOR.jpg","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/","name":"HANCITOR DOC drops via CLIPBOARD | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/12\/300x200_HANCITOR.jpg","datePublished":"2021-12-13T14:32:49+00:00","dateModified":"2024-07-08T08:27:07+00:00","description":"By\u00a0Sriram P &amp;\u00a0Lakshya Mathur\u00a0 Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer,","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/12\/300x200_HANCITOR.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/12\/300x200_HANCITOR.jpg","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/hancitor-doc-drops-via-clipboard\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"HANCITOR DOC drops via 
CLIPBOARD"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. 
See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/132931","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=132931"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/132931\/revisions"}],"predecessor-version":[{"id":196160,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/132931\/revisions\/196160"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/132979"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=132931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=132931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=132931"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=132931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}