Skip Navigation
BlackBerry Blog

Cylance vs. Man1 Group: The Redux

VIDEOS / 08.29.17 / The Cylance Team


Fileless malware is malicious software that does not present itself as one would normally expect – as an .exe or .dll executable file. In fact, fileless malware may never even save any files on disk at all.

This is exactly what Hancitor does. Hancitor is contained within a weaponized document that comes from the world of the Man1 group. Attackers are now sending malicious emails containing Word attachments with embedded macros. And this is no ordinary macro. The author took the time to write their own base64 decoder and the payload (Hancitor) was encoded and embedded within a secret form field in the macro.

Hancitor is interesting because instead of dropping an executable file on disk and launching it with a macro, the payload is actually encoded into the macro itself and when launched, carves out some space in the system’s memory and executes itself there, so avoiding dropping the file to disk.

Watch Cylance take on fileless malware in our demo video:

VIDEO: Cylance vs. Fileless Malware 

Why is Fileless Malware an Important Issue and Why Should I Be Concerned?

While rare, truly fileless malware is becoming increasing more prevalent because of its ability to evade traditional anti-malware applications. By not dropping files to disk, fileless malware is able to avoid detection until the code has injected itself into memory and is running.

Even anti-malware applications that can inspect macros have difficulty detecting Hancitor because of its unique encoding. The Man1 group doesn’t rely on just any out-of-the-box malware, but instead produces very carefully crafted and engineered malware that continues to bypass anti-malware solutions.

In addition, many organizations rely on ‘perimeter’ defenses to help take out malware before it gets to the end-user’s computer. In this case, Hancitor would not be detected by gateway anti-malware defenses as it doesn’t really present itself until the macro is executed and the payload attempts to shim itself into memory.

To detect fileless malware like Hancitor, you need an advanced anti-malware solution that not only can prevent malicious executables from running, but also can prevent malicious scripts (macros, PowerShell, JavaScript etc.) as well as containing advanced anti-exploit features that monitor processes and their use of system memory.

How Can Cylance Protect Me?

CylancePROTECT® utilizes both methods of preventing fileless malware. Script control prevents the execution of malicious scripts and memory protect monitors running processes and can detect attempts to exploit an application’s memory.

Script control provides a critical ‘front-line’ defense and stops these types of attacks cold by preventing the malicious script from ever executing. Combined with anti-exploitation memory protection, CylancePROTECT is extremely effective at blocking fileless malware attacks like Hancitor. Contact us today to learn more or book a demo.

The Cylance Team

About The Cylance Team

Our mission: to protect every computer, user, and thing under the sun.

Cylance’s mission is to protect every computer, user, and thing under the sun. That's why we offer a variety of great tools and resources to help you make better-informed security decisions.