The Man1 Group is a threat actor collection that has used various techniques, tactics, and procedures to cause havoc and infiltrate targets. Their name originates from the crypter used in their attacks, which employ an intricate Visual Basic for Applications macro. The Cylance Threat Guidance Team analyzed it and recorded their findings. Click here for a detailed report.
UPDATE 8/29/2017: Click here to access our latest reports on this threat.
VIDEO: Cylance vs. Man1 Group/ Hancitor
The group has been sending malicious emails long enough for analysts to develop a timeline of their campaigns, which contain different malware families. Analysts have been able to track the subtle routines in the packers and crypters.
The group uses macros, which are a set of commands or codes intended to automate specific functions, but are not dangerous in and of themselves. Many organizations rely on macros to save hours on repetitive tasks that can be efficiently executed using automation, but unfortunately, cyberattackers are once again leveraging macros for evil.
Despite their time-saving potential, macros also come with a security setback. Anyone can write a macro to automate tasks, including one that runs malicious software.
The macro used by the Man1 Group is no ordinary macro. The macro can determine a user’s system architecture and execute correctly on either 32-bit or 64-bit systems. Then, it will hollow out memory and execute malicious code in the Explorer.exe process to avoid writing to disk. Most AV venders simply cannot detect this process.
The macro then runs a malicious binary called Hancitor. Once executed, it drops an intermediate payload that downloads additional malware to perform data theft and connect to a command and control (C2) server.
While users can avoid victimization by not opening attachments from unknown senders, that is not always realistic in enterprise environments. Security controls should not be so restrictive that they compromise business operations. CylancePROTECT uses multiple protection elements to stop this threat before it causes damage. CylancePROTECT’s Script Control feature prevents the execution of any VBA macros and active or PowerShell scripts. It also prevents execution of threat techniques and malware.
If Script Control is disabled or in Alert mode, CylancePROTECT will prevent the malware executable that may get dropped as part of additional threat components. This level of prevention enables CylancePROTECT customers to be fully protected from this threat. CylancePROTECT Script Control prevents malware that uses scripts and macros to infect users by blocking malicious, VBA, Active Script, and PowerShell scripts from running.
If you don't have CylancePROTECT, contact us to learn how our artificial intelligence based solution can predict and prevent unknown and emerging threats before they ever execute.