Threat Spotlight: MAN1 Malware – The Last Crusade?


In our previous blogs, we took an in-depth journey into the malicious world of the MAN1 malware group. We investigated a malicious macro embedded in a Word document sent via email. Part 1 is available here and Part 2 is available here. The macro was obfuscated and contained not only an encoded binary, but also encoded PowerShell commands.

We were able to catch Hancitor as it attempted to use process hollowing to evade detection. We did this by attaching OllyDbg to Microsoft Word and snatching the binary right as it was pushed into a running process.

This time we’re going to look at the binary Hancitor that we captured. We will be using IDA Pro to reverse engineer the malicious binary and take a deeper look. At the end, we will discuss some changes to this malicious attack used by MAN1.


As with any suspicious emails, you should avoid opening attachments from senders you do not know. Many users automatically open malicious attachments sent via email without a second thought, and the MAN1 group knows this and victimizes those users. You can avoid possible infections by not opening potentially malicious documents and attachments sent by unknown senders.

Remember, the Hancitor sample we examined in Part 1 and Part 2 is associated with the MAN1 Group. As we wrap up analyzing this attack vector by the MAN1 Group, we have been able to learn some of the attackers’ tactics and techniques. We used this knowledge to track their campaign. We continue to watch for and anticipate changes. With that information, we can do a better job of blocking attacks similar to the ones seen with MAN1.

Last Time

In our previous post, you learned about the MAN1 group’s primary method of attack. Attackers were sending malicious emails containing (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Threat Guidance Team. Read the original post at: