Two types of documents have been used in recent email campaigns to spread the DanaBot malware: documents that contain external links and documents that use Equation Editor exploits.
The analysis focuses on the latter method, where attackers send emails disguised as job applications with a malicious Word document attached.
The document itself contains only an external link, which likely lets it evade initial detection by security software. Activating the link triggers the DanaBot infection flow, which can be traced and investigated using AhnLab EDR’s detection capabilities.
The analysis of Endpoint Detection and Response (EDR) data reveals a suspicious process chain that began when a user opened a malicious email attachment. The attachment, a .docx file, was opened from Outlook.exe, triggering a sequence involving Winword.exe, cmd.exe, powershell.exe, and finally an unknown executable, iu4t4.exe, launched via rundll32.exe.
Further investigation by ASEC into the attachment identified an external link embedded within the Word document, which, when activated upon opening the .docx file, downloads an additional macro document (w1p3nx.dotm).
The EDR data confirms that this download was initiated by the WINWORD.EXE process, strongly indicating a malware infection targeting the user’s system.
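The external link that pulls down the second-stage template is carried in the document's OOXML relationship parts, so a defender can find it statically before the file is ever opened. The following scanner is an added example, not ASEC's or AhnLab's code: it walks every `*.rels` part inside a .docx/.dotm (which is a ZIP archive), reports any relationship with `TargetMode="External"`, and marks the `attachedTemplate` type specifically, since that is the relationship Word follows to fetch a remote template. The sample document it checks is constructed in memory for the demo, and the hostname in it is a placeholder rather than a real indicator.

```python
"""Find external relationships (remote template links) in a Word document.

Added example, not AhnLab/ASEC code. A .docx or .dotm is a ZIP archive;
Word records links to other resources in *.rels parts. A Relationship with
TargetMode="External" and the attachedTemplate type tells Word to fetch a
template from a URL when the document opens, which is the "external link"
technique discussed above. The sample document and its URL are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_external_relationships(docx_bytes: bytes) -> List[dict]:
    """Return one finding per external relationship found in any *.rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # Internal is the default when TargetMode is absent.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "")
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel_type.rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                    "remote_template": rel_type == ATTACHED_TEMPLATE,
                })
    return findings


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Construct a minimal .docx; if template_url is given, wire it in as an
    external attachedTemplate relationship the way a dropper document would."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        "</Types>"
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>constructed sample</w:t></w:r></w:p></w:body></w:document>"
    )
    settings_rels = f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Relationships xmlns="{REL_NS}">'
    if template_url is not None:
        settings_rels += (
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/>'
        )
    settings_rels += "</Relationships>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host (.invalid TLD); the file name is the one named above.
    sample = build_sample_docx("http://template-host.invalid/w1p3nx.dotm")
    for hit in find_external_relationships(sample):
        print(hit)
```

In a mail gateway or sandbox pre-filter, a finding with `remote_template` set to true is a strong signal on its own, because ordinary user documents very rarely carry an external attached template; any other external relationship (hyperlinks, linked images) is worth logging but is common in benign files.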
The macro document (w1p4nx.dotm) was found to contain malicious code that decodes and executes encoded CMD commands. The EDR system recorded these decoded commands, which included a PowerShell script that downloads the DanaBot malware (iu4t4.exe) from a Command and Control (C2) server.
The downloaded file was found in the C:\Users\Public directory, and further EDR evidence confirmed its creation via PowerShell, which indicates a multi-stage attack where a macro downloads additional malware using PowerShell.
The DanaBot malware, iu4t4.exe, uses rundll32.exe to reinject itself by abusing shell32.dll’s functionality, so that DanaBot runs inside the rundll32.exe process hosting shell32.dll, which makes detection more challenging.
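The process chain reconstructed above (Outlook to Word to cmd.exe to PowerShell to a dropped executable in C:\Users\Public to rundll32.exe) is what an EDR behavioral rule keys on. The following is an added example, not AhnLab EDR's detection logic or rule format: it takes a small set of constructed process-creation events, rebuilds parent/child links, and raises three findings that mirror that chain. The PIDs, user paths and command lines in the sample are constructed; the PowerShell payload is replaced by a placeholder.

```python
"""Flag a DanaBot-style process chain in EDR process-creation events.

Added example; not AhnLab EDR's rules. Three behaviors from the chain above:
  1. an Office process has a shell (cmd/powershell) among its descendants,
  2. a shell writes an .exe into C:\\Users\\Public,
  3. an executable living in C:\\Users\\Public launches rundll32.exe.
All events below are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PUBLIC_DIR = "c:\\users\\public\\"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                      # full image path
    cmdline: str
    files_written: List[str] = field(default_factory=list)


# Constructed sample: the infection chain plus one benign PowerShell session.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"WINWORD.EXE /n C:\Users\victim\AppData\Local\Temp\resume.docx"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc <placeholder>"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -enc <placeholder>", files_written=[r"C:\Users\Public\iu4t4.exe"]),
    ProcEvent(500, 400, r"C:\Users\Public\iu4t4.exe", "iu4t4.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,<placeholder>"),
    ProcEvent(700, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(800, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links until the root; events are keyed by PID."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        if name in SHELLS:
            if any(image_name(a.image) in OFFICE for a in ancestors(e, by_pid)):
                findings.append(("office_spawns_shell", e.pid))
            for f in e.files_written:
                if f.lower().startswith(PUBLIC_DIR) and f.lower().endswith(".exe"):
                    findings.append(("shell_drops_exe_in_public", e.pid))
        if name == "rundll32.exe":
            parent = by_pid.get(e.ppid)
            if parent is not None and parent.image.lower().startswith(PUBLIC_DIR):
                findings.append(("public_exe_launches_rundll32", e.pid))
    return findings


def chain_for(pid: int, events: List[ProcEvent]) -> str:
    """Render root-to-leaf image names for an alert, e.g. for the analyst view."""
    by_pid = {e.pid: e for e in events}
    ev = by_pid[pid]
    names = [image_name(a.image) for a in reversed(ancestors(ev, by_pid))]
    return " > ".join(names + [image_name(ev.image)])


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:30s} pid={pid:<4d} {chain_for(pid, SAMPLE_EVENTS)}")
```

The benign session (explorer.exe launching PowerShell with no dropped files) produces nothing, while each stage of the malicious chain produces its own finding, so an analyst sees the download and the rundll32.exe injection even if only one of the rules fires in a given telemetry gap.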
Furthermore, analysis of the EDR data reveals that DanaBot exhibits malicious behavior even without a connection to its command and control server, including taking screenshots and exfiltrating sensitive information such as PC details and browser account credentials.
DanaBot malware leverages DOCX/DOTM files containing external links to bypass macro detection. The emails distributing DanaBot are disguised as job applications to deceive recipients into opening the malicious documents.
EDR solutions can detect DanaBot using the following behavioral detection signatures: MDP.Scripting.M10747 and EDR.Malware.M10459.

The IOCs associated with the DanaBot samples are: 0bb0ae135c2f4ec39e93dcf66027604d (.DOCX), 28fd189dc70f5bab649e8a267407ae85 (.DOTM), and e29e4a6c31bd79d90ab2b89f57075312 (DanaBot EXE).