PC security researchers have received reports of a phishing email themed around Microsoft volume licensing that is being used to deliver malware. The threat, known as Chanitor, detects sandboxes quite effectively and terminates its attack within seconds when it finds itself running in a virtual environment. Chanitor is strongly tied to social engineering aimed specifically at corporate computer users, who offer the highest potential payoff because of their access to corporate networks and activities. The lure is a fake email claiming to come from the Microsoft Volume Licensing Service Center, telling the recipient that they have been granted special administration permissions. The Chanitor email closely mimics a legitimate Microsoft message, down to a personalized greeting that uses the victim's details, and the URL in the email embeds the victim's email address. Both details may convince inexperienced computer users that the message is genuine. A user who hovers over the URL, however, will find that it points to a compromised WordPress Web page. Four similar domains have been used to host the malicious Chanitor file.
How the Chanitor Attack Works
Chanitor is linked to a highly effective social engineering attack. Beyond the carefully crafted phishing email, the compromised Web pages also serve real Microsoft Volume Licensing Service Center pages, which are shown to the victim alongside the malicious file download. The download itself comes from the compromised page, but many computer users do not notice because the visible Microsoft pages add to the air of legitimacy. Chanitor may also slip past security software: only nine of 57 anti-malware engines were able to detect and remove the Chanitor threat.
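The three tells described above (a message that claims to be from Microsoft yet links elsewhere, a URL that carries the recipient's own address, and a landing page on a WordPress install) can be checked mechanically before a user ever hovers over the link. The following is an added example, not code from the original article or from any vendor: a small Python checker that extracts the links from an HTML email body and reports those signals. The trusted-domain allow-list, the WordPress path markers, the threshold choices and the sample message are all assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Assumption: an illustrative allow-list for where a genuine Volume Licensing
# Service Center mail would link; not an authoritative Microsoft list.
TRUSTED_SUFFIXES = ("microsoft.com",)

# Path fragments that betray a WordPress install (the article reports the lure
# pages were hosted on compromised WordPress sites).
WORDPRESS_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def check_vlsc_lure(html_body, recipient):
    """Return a list of (signal, href) findings for a Microsoft-themed mail."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    rcpt = recipient.lower()
    for href, _text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        # Decode %-escapes so an embedded "jane.doe%40example.com" is caught too.
        decoded = unquote(href).lower()
        if not host_is_trusted(host):
            findings.append(("untrusted-host", href))
        if rcpt in decoded:
            findings.append(("recipient-in-url", href))
        if any(m in url.path.lower() for m in WORDPRESS_MARKERS):
            findings.append(("wordpress-path", href))
    return findings


# Constructed sample message modelled on the lure the article describes.
SAMPLE_RECIPIENT = "jane.doe@example.com"
SAMPLE_HTML = """
<p>Dear Jane Doe,</p>
<p>You have been granted administrator permissions in the
<a href="http://example-blog.invalid/wp-content/uploads/vlsc.php?u=jane.doe%40example.com">
Microsoft Volume Licensing Service Center</a>.</p>
<p><a href="https://www.microsoft.com/licensing/servicecenter">Learn more</a></p>
"""

if __name__ == "__main__":
    for signal, href in check_vlsc_lure(SAMPLE_HTML, SAMPLE_RECIPIENT):
        print(f"{signal:18} {href}")
```

Only the first link trips the checker, and it trips all three signals at once; the genuine microsoft.com link produces nothing. In a mail gateway the same logic would run over the decoded HTML part of each message, with the allow-list maintained per brand being impersonated.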
Chanitor has been linked to the Vawtrak banking Trojan. This is a known threat that is designed to collect banking information such as credit card information and online banking credentials. However, this is not necessarily the only type of attack that has been linked to Chanitor. Chanitor could potentially be used to deliver other types of threats to affected computers.
Analyzing Chanitor in Controlled Environments
Apart from its strong social engineering component and the strength of its attack, Chanitor has one more ace up its sleeve: it is surprisingly difficult to study in isolated environments such as sandboxes or virtual machines. PC security researchers report that Chanitor shuts down shortly after launching in an isolated environment. In four different sandboxes, Chanitor stopped as soon as it detected that it was being analyzed. Because Chanitor recognizes analysis attempts and exits immediately, studying it requires investigation on live computers. Doing so has allowed PC security researchers to uncover a wide variety of other 'features' in Chanitor that help it circumvent detection, removal and analysis.
Chanitor remains inactive for half an hour before unpacking and decoding itself. It then runs a process named winlogin.exe, which repeatedly sleeps and resumes in order to outlast sandbox time limits. Only after all this does Chanitor establish a connection to its Command and Control server. Chanitor also copies itself under a different file name and then reverts to its original name, another tactic meant to defeat several sandbox systems. Its Command and Control servers are located on the Tor network, and Chanitor reaches them through the Tor2Web proxy service from the victim's Web browser.
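The behaviours listed in this section (a process name that imitates a Windows system binary, a copy-then-rename of the executable, a first network contact only after a long idle period, and command-and-control reached through a Tor2Web gateway) are each observable from endpoint telemetry, which is why live-host investigation succeeded where the sandboxes failed. The following is an added example, not code from the original article: a Python routine that replays constructed process, file and network events through four such detection rules. The event line format, the Tor2Web gateway suffixes, the list of system binaries and the 25-minute delay threshold are all assumptions chosen for the example.

```python
from datetime import datetime

# Well-known Windows binaries whose names malware likes to imitate (illustrative set).
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
# Assumption: gateway suffixes used by Tor2Web-style proxies; not an exhaustive list.
TOR2WEB_SUFFIXES = (".onion.to", ".tor2web.org", ".onion.cab")
# The article reports roughly half an hour of idling before first C2 contact;
# the threshold itself is an assumed tuning value for this example.
BEACON_DELAY_MINUTES = 25


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_event(line):
    """Assumed event format: timestamp|kind|process|detail."""
    ts, kind, proc, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), kind, proc.lower(), detail


def analyze_events(lines):
    """Return (rule, process, detail) findings in the order the events trigger them."""
    findings = []
    started = {}        # process -> start time
    beaconed = set()    # processes whose first connection has been assessed
    copies = {}         # process -> set of (src, dst) self-copies observed
    for ts, kind, proc, detail in map(parse_event, lines):
        if kind == "proc_start":
            started[proc] = ts
            for sysname in SYSTEM_BINARIES:
                if proc != sysname and edit_distance(proc, sysname) == 1:
                    findings.append(("lookalike-system-name", proc, f"resembles {sysname}"))
        elif kind == "file_copy":
            src, dst = detail.split(" -> ")
            copies.setdefault(proc, set()).add((src, dst))
        elif kind == "file_rename":
            src, dst = detail.split(" -> ")
            # A copy A -> B followed by a rename B -> A is the round trip described above.
            if (dst, src) in copies.get(proc, ()):
                findings.append(("self-copy-rename", proc, f"{dst} -> {src} -> {dst}"))
        elif kind == "net_connect":
            host = detail.rsplit(":", 1)[0].lower()
            if any(host.endswith(s) for s in TOR2WEB_SUFFIXES):
                findings.append(("tor2web-proxy", proc, host))
            if proc in started and proc not in beaconed:
                beaconed.add(proc)
                delay = (ts - started[proc]).total_seconds() / 60
                if delay >= BEACON_DELAY_MINUTES:
                    findings.append(("delayed-first-beacon", proc, f"{delay:.0f} min after start"))
    return findings


# Constructed telemetry: a benign mail client for contrast, then the Chanitor-like pattern.
SAMPLE_EVENTS = r"""
2015-02-10T08:55:00|proc_start|outlook.exe|C:\Program Files\Microsoft Office\outlook.exe
2015-02-10T08:55:05|net_connect|outlook.exe|mail.example.com:443
2015-02-10T09:00:00|proc_start|winlogin.exe|C:\Users\jane\AppData\Local\Temp\winlogin.exe
2015-02-10T09:00:02|file_copy|winlogin.exe|C:\Users\jane\AppData\Local\Temp\winlogin.exe -> C:\Users\jane\AppData\Local\Temp\svc.tmp
2015-02-10T09:00:03|file_rename|winlogin.exe|C:\Users\jane\AppData\Local\Temp\svc.tmp -> C:\Users\jane\AppData\Local\Temp\winlogin.exe
2015-02-10T09:31:00|net_connect|winlogin.exe|abcdefghijklmnop.onion.to:443
""".strip().splitlines()

if __name__ == "__main__":
    for rule, proc, detail in analyze_events(SAMPLE_EVENTS):
        print(f"{rule:22} {proc:14} {detail}")
```

The benign outlook.exe events produce no findings; the winlogin.exe sequence triggers all four rules. The delayed-beacon rule is the one a time-limited sandbox cannot reach, since it only fires once the process has lived long enough to make its first connection.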
Taken together, Chanitor's tactics make this attack a formidable foe. Its targets appear to be enterprise systems, a clear sign that attackers are now going after computers with access to more valuable information, and Chanitor takes deliberate, significant measures to deter PC security researchers.
This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.