DocuSign theme-based phishing by Hacintor malware

Recently, Hancitor malware phishing campaigns using DocuSign-related social engineering have been active. The initial infection vector is phishing emails embedded with malicious links to Microsoft Office documents containing malicious macros. The most recent campaigns uses DocuSign as a trusted brand to engage users and trick them into downloading malicious Word documents.

The email takes advantage of DocuSign,a well-reputed document signing service, to blend well with benign network and email traffic. This trick helps to evade spam and phishing protection. End-user trust is also gained with the subjects like, " You got invoice from DocuSign Electronic Service," " You received invoice from DocuSign Signature Service," " You received notification from DocuSign Electronic Signature Service"

Hancitor is a well-known persistent malware family which was first observed in 2013. The latest version also tries to ensure the success of the compromise by guiding the user to enable "macro" execution. Step-by-step instructions provided in the email trick the user to believe the email is safe.

Once the content is enabled, the macro executes and drops multiple malware on the system. This malware family is known for information stealing. The malware also downloads Cobaltstrike, a tool for network penetration and post-compromise exploitation.

SecurityAdvisor Employee Tips :
Be vigilant with emails that request file downloads.
Carefully check the sender’s email address and if the sender is unknown, refrain from clicking any links in the email.
Do not blindly follow instructions in the email or documents that ask you to enable specific applications or operating system settings.
Always seek help from IT security teams when you receive a suspicious email.

Learn how SecurityAdvisor can help your team

Schedule some time to talk with one of our experts and they will show you how we can help your organization.

Request A Demo