In the spring of 2021, Group-IB's Threat Intelligence analysts discovered traces of a malware campaign distributing Hancitor. The researchers took an interest in an atypical pattern in the downloader's distribution, which was subsequently described by Unit 42 [1] and McAfee [2] researchers as a new technique designed to keep documents containing malicious links off the radar of web scanners. However, the data extracted by Group-IB's analysts indicates that the same pattern is also used to distribute other malware, including Campo Loader, IcedID, QBot, SocGholish, and Buer Loader.
Group-IB discovered at least 3,000 targets of separate malware campaigns that make use of the same scheme. By analyzing the list of targets, the experts identified the two most active campaigns: the first targeted individuals in Belgium, and the second targeted companies, corporations, universities, and government organizations in the United States.
By analyzing the malware distribution campaigns, Group-IB's experts concluded that they could all be carried out using the same malware-as-a-service (MaaS) solution. This assumption was later confirmed when Group-IB's analysts found, on one of the underground platforms, a sales listing for a service designed to distribute malicious files and redirect users to phishing and malicious sites: Prometheus TDS (Traffic Direction System).