TA511
Description
(Palo Alto) Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. In a threat brief from 2018, we noted Hancitor was relatively unsophisticated, but it would remain a threat for years to come. Approximately three years later, Hancitor remains a threat and has evolved to use tools like Cobalt Strike. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. This blog illustrates how the threat actor behind Hancitor uses the network ping tool, so security professionals can better identify and block its use.
Names
| Name | Name-Giver |
|---|---|
| TA511 | Proofpoint |
| MAN1 | ? |
| Moskalvzapoe | ? |
Country
Motivation
- Financial crime
First Seen
2018
Observed Countries
- Argentina
- Brazil
- Canada
- Germany
- Hong Kong
- India
- Ireland
- Israel
- Italy
- Japan
- Kazakhstan
- Lithuania
- Malaysia
- Netherlands
- Russia
- Singapore
- South Africa
- South Korea
- Taiwan
- Thailand
- Turkey
- Ukraine
- UK
- USA
- Vietnam
Tools
Operations
- 2020-10: Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/
Information
Other Information
Uuid
232acfd0-5488-4391-ae93-6e1dc4df99d4
Last Card Change
2021-04-21