Hackers Weaponize Word Files To Deliver DanaBot Malware

by Esmeralda McKenzie

Recent email campaigns distribute DanaBot malware through two document types: those using equation editor exploits and those containing external links. In the latter case, attackers send emails disguised as job applications with a malicious Word document attached.

The document itself carries no malware; instead it tricks the user into clicking an external link that initiates the DanaBot infection process.


[Figure: The email with a malicious document attached]

The Endpoint Detection and Response (EDR) system detected a suspicious process chain that began when a user clicked on a malicious email attachment.

The attachment, a Word document (.docx), caused Outlook (outlook.exe) to start a chain involving Word (winword.exe), Command Prompt (cmd.exe), PowerShell (powershell.exe), and a potentially malicious executable (iu4t4.exe) run via rundll32.exe.

[Figure: Feature in the attached malicious Word document (downloading w1p3nx.dotm via an external link address)]

The malicious macro document (w1p4nx.dotm) executes encoded CMD commands that are decoded by the macro code; they include a PowerShell script that downloads the DanaBot malware (iu4t4.exe) from a command-and-control (C2) server.

The Endpoint Detection and Response (EDR) system confirms the decoded commands and the creation of the DanaBot executable in the C:\Users\Public directory by PowerShell.
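As an added detection example (not part of the article or of ASEC's tooling), the following Python walks constructed EDR process-creation events and flags the chain described above: a script host or rundll32.exe descended from an Office process, and PowerShell referencing an executable under C:\Users\Public. The events, PIDs and command lines are constructed placeholders, not the campaign's real telemetry.

```python
"""Flag the Office -> cmd -> PowerShell -> rundll32 chain in EDR process events."""

# Constructed sample process-creation events (not real telemetry); the
# command lines are placeholders, not the campaign's actual commands.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "outlook.exe",    "cmdline": "outlook.exe"},
    {"pid": 300, "ppid": 200, "image": "WINWORD.EXE",    "cmdline": "winword.exe /n application.docx"},
    {"pid": 400, "ppid": 300, "image": "cmd.exe",        "cmdline": "cmd.exe /c <encoded-placeholder>"},
    {"pid": 500, "ppid": 400, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden <placeholder> C:\\Users\\Public\\iu4t4.exe"},
    {"pid": 600, "ppid": 500, "image": "rundll32.exe",   "cmdline": "rundll32.exe shell32.dll,<export>"},
    {"pid": 700, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe -NoProfile Get-Date"},
    {"pid": 800, "ppid": 100, "image": "rundll32.exe",   "cmdline": "rundll32.exe shell32.dll,<export>"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def ancestry(by_pid, pid):
    """Return lower-cased image names from the given process up to the root (child first)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against cyclic ppid data
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def suspicious_chains(events):
    """Return (pid, rule, chain) tuples for events matching the article's process chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(by_pid, e["pid"])
        image, parents = chain[0], chain[1:]
        office_descended = any(p in OFFICE for p in parents)
        cmd = e["cmdline"].lower()
        if image in SCRIPT_HOSTS and office_descended:
            hits.append((e["pid"], "script host spawned under an Office process", " <- ".join(chain)))
        if image == "rundll32.exe" and office_descended:
            hits.append((e["pid"], "rundll32 under an Office-descended chain", " <- ".join(chain)))
        if image == "powershell.exe" and "users\\public" in cmd and ".exe" in cmd:
            hits.append((e["pid"], "PowerShell referencing an EXE in C:\\Users\\Public", " <- ".join(chain)))
    return hits


if __name__ == "__main__":
    for pid, rule, chain in suspicious_chains(EVENTS):
        print(f"pid {pid}: {rule}: {chain}")
```

The benign PowerShell and rundll32 launched directly from explorer.exe (pids 700 and 800) produce no hits, which is the point of keying on Office ancestry rather than on the image name alone.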

[Figure: The downloaded EXE file (DanaBot malware)]

ASEC's analysis of the EDR diagrams reveals DanaBot's (iu4t4.exe) self-injection technique: the malware leverages rundll32.exe to execute shell32.dll's functionality, effectively running under its guise, which allows DanaBot to evade detection and establish persistence.

[Figure: EDR diagram (taking screenshots and exfiltrating PC data and browser account credentials)]

The EDR data shows the malware's post-infection activities: it can take screenshots, steal sensitive data from the PC, and pilfer browser account credentials, potentially compromising the system without requiring constant communication with its command-and-control server.

An incident involving a potential malware infection was detected, and scripting and malware execution attempts were observed (M10747, M10459). Downloaded files (DOCX, DOTM) were flagged as suspicious (Downloader/XML.External, Downloader/DOC.Generic.S2503).

Further analysis revealed a Trojan (Trojan/Safe.DANABOT.C5608053) with associated IOCs (0bb0ae135c2f4ec39e93dcf66027604d.DOCX, 28fd189dc70f5bab649e8a267407ae85.DOTM, e29e4a6c31bd79d90ab2b89f57075312.exe).

Source credit: cybersecuritynews.com
