Recent email campaigns distribute DanaBot malware through two document types: those using equation editor exploits and those containing external links, where attackers send emails disguised as job applications with a malicious Word document attached.
The document itself doesn’t contain malware but instead tricks the user into clicking an external link that initiates the DanaBot infection process.
The Endpoint Detection and Response (EDR) system flagged a suspicious process chain that began when a user opened a malicious email attachment.
The attachment, a Word document (.docx), caused Outlook (outlook.exe) to run a sequence that involved Word (winword.exe), Command Prompt (cmd.exe), PowerShell (powershell.exe), and a potentially malicious executable (iu4t4.exe) using rundll32.exe.
The malicious macro document (w1p4nx.dotm) carries encoded CMD commands that its macro code decodes and executes; these include a PowerShell script that downloads the DanaBot executable (iu4t4.exe) from a command-and-control (C2) server.
The Endpoint Detection and Response (EDR) system confirms the decoded commands and the creation of the DanaBot executable in the C:\Users\Public directory via PowerShell.
ASEC’s analysis of the EDR diagrams reveals DanaBot’s (iu4t4.exe) self-injection technique: the malware uses rundll32.exe to run shell32.dll functionality, so its activity appears to come from a legitimate Windows component. Operating under this disguise lets DanaBot evade detection and establish persistence.
The EDR data shows the malware’s post-infection activity: it can capture screenshots, steal sensitive information from the PC, and harvest browser account credentials, and it can do so without maintaining constant communication with its command-and-control server.
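The process lineage above (outlook.exe to winword.exe to cmd.exe to powershell.exe to iu4t4.exe to rundll32.exe) is exactly the kind of chain an EDR can score without any file hash. The following is an added detection example, not code from ASEC or from the article: it walks a constructed set of EDR-style process events, rebuilds each process’s ancestry, and applies four behavioural rules drawn from the chain described in the text. The process names and the C:\Users\Public drop directory come from the article; the pids, image paths, command-line placeholders and the benign explorer.exe events are constructed for illustration.

```python
"""
Added detection example (not from the ASEC report or the article).
Rebuilds process ancestry from EDR-style events and flags the
Office -> script host -> dropped payload -> rundll32 chain.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}
# Directories any user can write to; a payload dropped and executed here deserves a look.
DROP_DIRS = ("c:\\users\\public\\",)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # short process name as the EDR would log it
    path: str     # full image path on disk
    cmdline: str  # command line (placeholders below are constructed, not real payloads)


def ancestors(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Return the process and its ancestors, nearest first, stopping at the root or a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def chain_string(by_pid: Dict[int, ProcEvent], pid: int) -> str:
    """Render the lineage root-first, e.g. 'outlook.exe > winword.exe > cmd.exe'."""
    return " > ".join(e.image for e in reversed(ancestors(by_pid, pid)))


def in_drop_dir(path: str) -> bool:
    return path.lower().startswith(DROP_DIRS)


def analyze(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Apply four behavioural rules derived from the article's chain; return (pid, rule) hits."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        lineage = ancestors(by_pid, e.pid)[1:]   # parents only, nearest first
        parent = by_pid.get(e.ppid)
        img = e.image.lower()
        office_above = any(a.image.lower() in OFFICE_APPS for a in lineage)
        # Rule 1: a script host with an Office application anywhere above it
        if img in SCRIPT_HOSTS and office_above:
            hits.append((e.pid, "office_spawns_script_host"))
        # Rule 2: PowerShell launched with an encoded command (the macro decodes and runs one)
        if img == "powershell.exe" and "-encodedcommand" in e.cmdline.lower():
            hits.append((e.pid, "powershell_encoded_command"))
        # Rule 3: an executable running from a user-writable drop directory, descended from Office
        if in_drop_dir(e.path) and office_above:
            hits.append((e.pid, "payload_in_public_dir"))
        # Rule 4: rundll32.exe whose parent runs from a drop directory (the shell32.dll disguise)
        if img == "rundll32.exe" and parent is not None and in_drop_dir(parent.path):
            hits.append((e.pid, "rundll32_from_dropped_payload"))
    return hits


# Constructed sample telemetry modelled on the chain in the article.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "outlook.exe", r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "outlook.exe"),
    ProcEvent(200, 100, "winword.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r'winword.exe /n "C:\Users\alice\Downloads\application.docx"'),
    ProcEvent(300, 200, "cmd.exe", r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "<commands decoded by the macro: constructed placeholder>"'),
    ProcEvent(400, 300, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -EncodedCommand <base64 placeholder>"),
    ProcEvent(500, 400, "iu4t4.exe", r"C:\Users\Public\iu4t4.exe", "iu4t4.exe"),
    ProcEvent(600, 500, "rundll32.exe", r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,<export placeholder>"),
    # Benign noise: an administrator running PowerShell from Explorer must not trip any rule.
    ProcEvent(700, 1, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(710, 700, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile"),
]

if __name__ == "__main__":
    index = {e.pid: e for e in SAMPLE_EVENTS}
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}  {chain_string(index, pid)}")
```

Rules 1 and 3 look at the whole ancestry rather than only the direct parent, so an extra intermediate process (a second cmd.exe, a conhost.exe) does not hide the Office origin; rule 4 pairs rundll32.exe with a parent on a user-writable path, which is what separates the disguise described above from the many legitimate rundll32.exe launches on a normal host.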
An incident involving a potential malware infection was detected, and scripting and malware execution attempts were observed (M10747, M10459). Downloaded files (DOCX, DOTM) were flagged as suspicious (Downloader/XML.External, Downloader/DOC.Generic.S2503).
Further analysis revealed a Trojan (Trojan/Win.DANABOT.C5608053) with associated IOCs (0bb0ae135c2f4ec39e93dcf66027604d.DOCX, 28fd189dc70f5bab649e8a267407ae85.DOTM, e29e4a6c31bd79d90ab2b89f57075312.exe).