Hackers Weaponize Word Files To Deliver DanaBot Malware

Recent email campaigns distribute DanaBot malware through two document types: those using equation editor exploits and those containing external links, where attackers send emails disguised as job applications with a malicious Word document attached. 

The document itself doesn’t contain malware but instead tricks the user into clicking an external link that initiates the DanaBot infection process. 

The email with a malicious document attached

The Endpoint Detection and Response (EDR) system discovered a suspicious process chain that a user opened by clicking on a malicious email attachment.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

The attachment, a Word document (.docx), caused Outlook (outlook.exe) to run a sequence that involved Word (winword.exe), Command Prompt (cmd.exe), PowerShell (powershell.exe), and a potentially malicious executable (iu4t4.exe) using rundll32.exe. 

feature in the attached malicious Word document (downloading w1p3nx.dotm through an external link address)

The malicious macro document (w1p4nx.dotm) executes encoded CMD commands that are decoded using the macro code, which include a PowerShell script that downloads DanaBot malware (iu4t4.exe) from a command-and-control server (C2). 

The Endpoint Detection and Response (EDR) system confirms the decoded commands and the creation of the DanaBot executable in the C:\Users\Public directory via PowerShell. 

The downloaded EXE file (DanaBot malware)

The analysis by ASEC of the EDR diagrams reveals DanaBot’s (iu4t4.exe) self-injection technique, where the malware leverages rundll32.exe to execute shell32.dll’s functionalities, effectively operating under its disguise, allowing DanaBot to bypass detection and establish persistence. 

EDR diagram (taking screenshots and exfiltrating PC information and browser account credentials)

The EDR data indicates the malware’s malicious activities post-infection, which can capture screenshots, steal sensitive information from the PC, and pilfer browser account credentials, potentially compromising the system without requiring constant communication with its command and control server. 

An incident involving a potential malware infection was detected, and scripting and malware execution attempts were observed (M10747, M10459). Downloaded files (DOCX, DOTM) were flagged as suspicious (Downloader/XML.External, Downloader/DOC.Generic.S2503). 

Further analysis revealed a Trojan (Trojan/Win.DANABOT.C5608053) with associated IOCs (0bb0ae135c2f4ec39e93dcf66027604d.DOCX, 28fd189dc70f5bab649e8a267407ae85.DOTM, e29e4a6c31bd79d90ab2b89f57075312.exe).

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.