Hancitor Trojan (virus) - Free Guide

What is Hancitor Trojan?

Hancitor is a widespread Trojan that downloads other malware onto infected systems or networks

Hancitor Trojan is a malicious program that downloads other malware

Hancitor Trojan first emerged in 2014 and immediately spread relatively widely thanks to extensive malspam campaigns. This is not the only method used by cybercriminals to spread it, as later phishing and fake links were also used to infect Windows computers worldwide. Since its release, the virus authors developed multiple versions with various improvements and polished its functionality over time.

Hancitor operates as Malware-as-a-Service (MaaS) – a popular technique where the developers allow customers (who can be at any level of skill or experience within the field) to rent the rights to distribute malware, as long as a certain portion of the profit is shared. Typically, the distributors are allowed to keep the bigger part of the money.

The main purpose of the virus is to compromise the affected machine and the network it is connected to, which would allow the attackers to deliver any type of payloads. In other terms, the malware is used as a middle-man in order to infect targets with other malicious software. The secondary payload can be literally anything; most recently, in May 2021, it was spotted being delivering Cuba ransomware, mainly targeting governmental, healthcare, IT, manufacturing, and financial sectors.^[1]

As evident, the presence of the Hancitor virus can be devastating, as its activity can allow any type of malware to be delivered and installed. Victims might have their personal formation stolen, files encrypted, or credit card details exposed. If you are dealing with this infection, we recommend you follow the instructions below to eliminate it effectively and any other payloads it could carry.

Malware-as-a-service

As previously mentioned, Hancitor operates under the MaaS scheme, which is becoming even more popular over the years. This behavior is typical of large-scale malware strains such as WannaCry, which created a mass-havoc in 2017, infecting high-profile organizations and institutions worldwide with over 300,000 computer infections.

What makes MaaS so appealing is that the whole process is fully automated – it's not that different from a person buying an item on Amazon, except that the shopping list is something that is meant for malicious purposes. It allows even non-proficient people^[2] to buy access to even the most complex malware and distribute it as they please, all while getting a big chunk of the profits earned from the illegal activity.

The developers of malware are the ones who update and improve it, distributors spread it around, and administrators make sure that the business runs smoothly. Of course, all these operations happen underground and, since a lot of obfuscation is used, it becomes more difficult for law enforcement to tackle it. Nonetheless, there have been many successful operations where MaaS schemes were shut down and operators put in prison.

Distribution

Malware distribution is vital for its success, and many experienced malware creators are well aware of that. If anything, malware is a business and, while it is highly illegal, it operates in a similar manner, as we already explained in the previous section.

Due to the large number of people who can get access to Hancitor, numerous different distribution techniques could be applied. It is evident that new, advanced methods are developed over time (for example, fileless infection), although some old ones work just as well, and the Trojan is mostly delivered via malicious spam emails and phishing campaigns.

Spam emails are probably the most common malware distribution technique of all and have been used since the begging of the internet. There are all sorts of emails that could be used – some are very plain, including just a few words and an attachment; others might not even include any text in them.

Hancitor is mostly distributed via malicious spam emails

There are plenty of more sophisticated email spam campaigns, however. Quite often, cybercriminals use familiar brand names (UPS, Google, Microsoft, etc.) and the formatting of the email to make it look more legitimate. Email spoofing is another technique that is widely used – where the sender's email matches a legitimate one.

It is vital to be extremely wary when dealing with emails, especially those that include attachments or links. Employing additional protection tools that recognize spam can help, although awareness is the best remedy.

Hancitor removal

It is important to remove all the malicious components and secondary payloads that the malware brings as soon as possible. The longer malware runs in the background, the more damage it is capable of causing. For example, the secondary payload of ransomware could encrypt all file backups if they are not adequately protected.

Step 1. Disconnect your computer from the internet and network

To start the removal process, you should disconnect every infected computer from the network. If only one or a few machines are affected, this can be done by simply unplugging the network cable or disconnecting the WiFi. However, for larger networks, the following method should be used:

• Type in Control Panel in Windows search and press Enter
• Go to Network and Internet
• Click Network and Sharing Center
• On the left, pick Change adapter settings
• Right-click on your connection (for example, Ethernet), and select Disable

Step 2. Perform a full system scan

Complex malware is unlikely to be removed properly using manual steps. Instead, victims should employ powerful security software, such as SpyHunter 5Combo Cleaner or Malwarebytes, and perform a full system scan with it. Keep in mind that this step should only be done after the infected machine is segregated from any other computers (disconnected from the network and internet).

Since there could be multiple infections within a compromised system, Hancitor removal might be difficult. In this case, we recommend accessing Safe Mode and performing a full system scan from there.

Windows 7 / Vista / XP

1. Click Start > Shutdown > Restart > OK.
2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

1. Right-click on the Start button and select Settings.
   
2. Scroll down to pick Update & Security.
3. On the left side of the window, pick Recovery.
4. Now scroll down to find the Advanced Startup section.
5. Click Restart now.
6. Select Troubleshoot.
7. Go to Advanced options.
8. Select Startup Settings.
9. Click Restart.
10. Press 5 or click 5) Enable Safe Mode with Networking.

Step 3. Other security tips

Security experts^[3] always advise corporations and home users to be aware of cyberattacks and their dangers. Being neglectful is one of the main reasons why the illegal business of malware thrives, and MaaS operations are so successful. Here are a few security tips that should help you avoid having your device getting infected with Trojans or other malicious software in the future:

• Install SpyHunter 5Combo Cleaner, Malwarebytes, or another reputable anti-malware software to prevent the infiltration of malware;
• Always use strong passwords for all the accounts, especially those for remote connections (RDP);
• Make sure all software, including the operating system, is applied with the most recent security updates as soon as they are available;
• Enable two-factor authentication for any incoming connections or other important accounts;
• Beware of emails that include attachments (especially if they require to enable macro function upon being opened);
• Employ phishing protection tools and be wary of any third-party links – do not download software cracks and similar high-risk components from the internet.

Repair damaged system files

Once malware manages to breach the system, It compromises its integrity and sometimes can corrupt vital components of the OS. This might result in serious stability issues, such as program crashes, system reboots, BSODs, and similar, in the future. While reinstallation of Windows can be an adequate solution for these problems, you can opt for an automatic system repair tool that would replace damaged files with brand new ones, stopping the need to reinstall the OS.

• Download FortectIntego
• Click on the ReimageRepair.exe
  
  
• If User Account Control (UAC) shows up, select Yes
• Press Install and wait till the program finishes the installation process
• The analysis of your machine will begin immediately
• Once complete, check the results – they will be listed in the Summary
• You can now click on each of the issues and fix them manually
• If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.