Hackers Weaponize Word Files to Deliver DanaBot Malware

Documents that contain external links and those that use equation editor exploits are the two types of documents that have been used in recent email campaigns to spread the DanaBot malware. 

The analysis focuses on the external-link method, where attackers send emails disguised as job applications with a malicious Word document attached.

The document contains an external link, likely evading initial detection by security software. Clicking the link triggers the DanaBot infection flow, which can be traced and investigated using AhnLab EDR’s detection capabilities.  

The email with a malicious document attached

The analysis of Endpoint Detection and Response (EDR) data reveals a suspicious process chain started by a user opening a malicious email attachment. The attachment, a .docx file, was executed through Outlook.exe, triggering a sequence involving Winword.exe, cmd.exe, powershell.exe, and finally an unknown executable, iu4t4.exe, launched via rundll32.exe. 

Further investigation by ASEC into the attachment identified an external link embedded within the Word document, which, when activated upon opening the .docx file, downloads an additional macro document (w1p3nx.dotm). 
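The remote-template trick described above leaves a static trace: a DOCX is a ZIP of XML parts, and the link to the external .dotm lives in a relationship with TargetMode="External" (typically an attachedTemplate relationship in word/_rels/settings.xml.rels). The following scanner is an added example, not code from the ASEC/AhnLab report; the sample document it builds is a constructed fixture with a placeholder URL, not a valid Word file.

```python
"""Scan a .docx/.dotm for external relationship targets (remote-template links)."""
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_external_rels(docx_bytes: bytes) -> list[dict]:
    """Return every relationship with TargetMode="External" found in any .rels part.

    Hyperlinks are external too and usually benign; an external attachedTemplate
    means Word will fetch (and may run macros from) a template when the file opens.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append({
                    "part": name,
                    "type": rel_type,
                    "target": rel.get("Target", ""),
                    "remote_template": rel_type == "attachedTemplate",
                })
    return hits


def build_sample_docx(template_url: str, external: bool = True) -> bytes:
    """Construct a minimal scanner fixture: only the settings part and its .rels.

    This is NOT a valid Word document; it just reproduces the relationship layout
    the scanner looks for. With external=False the template reference is local.
    """
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}"{mode}/></Relationships>')
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Running `find_external_rels` over a real attachment reports the part, relationship type and target URL, so a remote .dotm reference can be flagged before the document is ever opened.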

A feature in the attached malicious Word document (downloading w1p3nx.dotm through an external link address)

The EDR data confirms this download activity started by the WINWORD.EXE process, strongly indicating a potential malware infection targeting the user’s system. 

EDR diagram (evidence of w1p3nx.dotm being created and executed)

The macro document (w1p3nx.dotm) contains malicious code that decodes and executes encoded CMD commands. The EDR system identified these decoded commands, which included a PowerShell script to download the DanaBot malware (iu4t4.exe) from a Command and Control (C2) server.

The downloaded file was found in the C:\Users\Public directory, and further EDR evidence confirmed its creation via PowerShell, which indicates a multi-stage attack where a macro downloads additional malware using PowerShell. 

EDR diagram (confirms the existence of the decoded CMD command that downloads an EXE file)

The DanaBot malware, iu4t4.exe, uses rundll32.exe to inject itself again, abusing shell32.dll's exported functionality so that DanaBot runs inside a rundll32.exe process hosting shell32.dll, which makes detection more challenging.

EDR diagram (taking screenshots and exfiltrating PC information and browser account credentials)

Furthermore, analysis of the EDR data reveals that DanaBot exhibits malicious behavior even without a connection to its command and control server, including taking screenshots and exfiltrating sensitive information such as PC details and browser account credentials.

DanaBot malware leverages DOCX/DOTM files containing external links to bypass macro detection. The emails distributing DanaBot are disguised as job applications to deceive recipients into opening the malicious documents. 

EDR solutions can detect DanaBot using the behavioral detection signatures MDP.Scripting.M10747 and EDR.Malware.M10459. The IOCs associated with the DanaBot samples are 0bb0ae135c2f4ec39e93dcf66027604d (.DOCX), 28fd189dc70f5bab649e8a267407ae85 (.DOTM), and e29e4a6c31bd79d90ab2b89f57075312 (DanaBot EXE).

Kaaviya