Chanitor
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Threat Level:        90 % (High)
Infected Computers:  586
First Seen:          February 27, 2015
Last Seen:           May 4, 2021
OS(es) Affected:     Windows
PC security researchers have received reports of a volume-licensing phishing email that has been used to deliver attacks. The threat it carries, known as Chanitor, detects sandboxes quite effectively and terminates its attack within seconds when it finds itself running in a virtual environment. Chanitor has been strongly linked to social engineering tactics aimed specifically at corporate computer users, who may offer the highest potential payoff because of their access to corporate networks and activities. The lure is a fake email message claiming to come from the Microsoft Volume Licensing Service Center, telling recipients that they have been granted special administration permissions. The Chanitor email closely resembles a legitimate Microsoft message, down to a personalized greeting containing the victim's information, and the URL in the email also embeds the victim's email address. Both details may trick inexperienced computer users into believing that the message is legitimate. Hovering over the URL reveals that it leads to a compromised WordPress Web page, and four similar domains have been used to host the threatening Chanitor file.
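As an added example (not code from the original page), a small Python triage routine for the kind of link described above: it checks whether a VLSC-themed link actually resolves under microsoft.com, whether the recipient's address is embedded in the URL, and whether the path looks like WordPress content on a non-Microsoft host. The sample lure domain, the microsoft.com allow-list and the WordPress-path heuristic are this example's assumptions.

```python
from urllib.parse import unquote, urlparse

# A genuine Volume Licensing Service Center link should resolve under microsoft.com;
# that allow-list is this example's assumption, not a claim from the page.
MICROSOFT_DOMAINS = ("microsoft.com",)

def host_is_microsoft(host):
    """Exact match or true subdomain only, so microsoft.com.evil.test does not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)

def triage_link(url, recipient, claims_microsoft=True):
    """Return findings for one link taken from a VLSC-themed email."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    findings = []
    if claims_microsoft and not host_is_microsoft(host):
        findings.append(f"brand mismatch: VLSC-themed mail links to {host!r}")
    # Percent-decode first: the address is often encoded inside the query string.
    if recipient.lower() in unquote(url).lower():
        findings.append("recipient address embedded in the link (personalised lure)")
    # Heuristic: lure pages on compromised WordPress sites often sit under these paths.
    if not host_is_microsoft(host) and ("/wp-content/" in parsed.path or "/wp-includes/" in parsed.path):
        findings.append("WordPress content path on a non-Microsoft host")
    return findings

# Constructed sample: one genuine-looking link and one lure link (domain is a placeholder).
SAMPLE_LINKS = [
    "https://www.microsoft.com/Licensing/servicecenter/default.aspx",
    "http://blog.compromised-example.test/wp-content/uploads/vlsc/?e=bob%40example.com",
]

def triage_all(links, recipient):
    """Map each link to its findings; an empty list means nothing suspicious was found."""
    return {u: triage_link(u, recipient) for u in links}
```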
How the Chanitor Attack Works
Chanitor is linked to a highly effective social engineering attack. Apart from the carefully crafted phishing email, the compromised Web pages also serve real Microsoft Volume Licensing Service Center pages, which are shown to the victim alongside the threatening file download. The download itself comes from the compromised page, but many computer users do not notice because the visible Microsoft pages add to the air of legitimacy. Chanitor may go undetected by security programs: only nine of 57 anti-malware products tested were able to detect and remove the Chanitor threat.
Chanitor has been linked to the Vawtrak banking Trojan. This is a known threat that is designed to collect banking information such as credit card information and online banking credentials. However, this is not necessarily the only type of attack that has been linked to Chanitor. Chanitor could potentially be used to deliver other types of threats to affected computers.
Analyzing Chanitor in Controlled Environments
Apart from its strong social engineering component and the strength of its attack, Chanitor has one more ace up its sleeve: it is surprisingly difficult to study in isolated environments such as sandboxes or virtual machines. PC security researchers report that Chanitor shuts down shortly after launching in such an environment. In four different sandboxes, Chanitor stopped as soon as it detected that it was being analyzed. Because Chanitor can apparently recognize analysis and immediately shuts down, studying it requires investigations on live computers. Doing so has allowed PC security researchers to identify a wide variety of other 'features' in Chanitor that help it circumvent detection, removal and analysis.
Chanitor remains inactive for half an hour before unpacking and decoding itself. It then runs a process named winlogin.exe, which repeatedly enters and leaves sleep in order to circumvent sandboxes. Only after all this does Chanitor establish a connection with its Command and Control server. Chanitor also copies itself under a different file name and then returns to its original name, another tactic meant to circumvent several sandbox systems. Chanitor's Command and Control servers are located in the Tor network and are reached through the Tor2Web proxy service, so that the connection can be made from the victim's Web browser.
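The behaviours above translate directly into endpoint detection rules. The following Python is an added example, not code from the page or from any vendor: it runs three rules over constructed telemetry (a process whose file name is one character off a Windows system binary such as winlogon.exe, a file renamed away and back by the same process, and an outbound connection to a Tor2Web gateway). The event format, the sample paths and the Tor2Web host pattern are assumptions made for this example.

```python
import re
# Constructed sample telemetry (invented for this example): process starts,
# file renames and outbound connections, each attributed to a pid.
EVENTS = [
    {"ts": 100, "type": "process", "pid": 4100, "image": r"C:\Temp\winlogin.exe"},
    {"ts": 101, "type": "rename", "pid": 4100, "old": r"C:\Temp\winlogin.exe", "new": r"C:\Temp\tmp4a.dat"},
    {"ts": 102, "type": "rename", "pid": 4100, "old": r"C:\Temp\tmp4a.dat", "new": r"C:\Temp\winlogin.exe"},
    {"ts": 105, "type": "process", "pid": 612, "image": r"C:\Windows\System32\winlogon.exe"},
    {"ts": 106, "type": "network", "pid": 612, "host": "login.microsoftonline.com", "port": 443},
    {"ts": 1900, "type": "network", "pid": 4100, "host": "abcdefghijklmnop.onion.to", "port": 80},
]
SYSTEM_IMAGES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
# Tor2Web gateways expose hidden services as <onion-name>.onion.<gateway-suffix>;
# the gateway naming pattern is this example's assumption, not something the page lists.
TOR2WEB_RE = re.compile(r"(^|\.)[a-z2-7]{16,56}\.onion\.[a-z]+$|tor2web", re.I)

def one_char_off(a, b):
    """True when two equal-length names differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def lookalike_system_process(image):
    """Flag an image whose file name is a one-character look-alike of a system binary."""
    name = image.rsplit("\\", 1)[-1].lower()
    for legit in sorted(SYSTEM_IMAGES):
        if one_char_off(name, legit):
            return f"image {name!r} is one character off {legit!r}: {image}"
    return None

def rename_round_trips(events):
    """Flag a rename A->B followed by B->A from the same pid (copied away and back)."""
    last, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "rename":
            continue
        if last.get(e["pid"]) == (e["new"], e["old"]):
            hits.append(f"pid {e['pid']} renamed {e['new']} away and back")
        last[e["pid"]] = (e["old"], e["new"])
    return hits

def detect(events):
    """Run all three rules; process/network alerts in timestamp order, rename alerts last."""
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "process":
            msg = lookalike_system_process(e["image"])
            if msg:
                alerts.append(msg)
        elif e["type"] == "network" and TOR2WEB_RE.search(e["host"]):
            alerts.append(f"pid {e['pid']} connected to Tor2Web gateway {e['host']}:{e['port']}")
    return alerts + rename_round_trips(events)
```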
Chanitor's tactics all combined make this attack a formidable foe. Its targets seem to be enterprise systems, and it is clear that third parties are now attempting to exploit computers with access to more valuable information. Chanitor takes important measures to deter PC security researchers significantly.