Threat Research

Distribution of DanaBot Malware Detected by AhnLab EDR via Word Files

Ahnlab

DanaBot is distributed via Word documents that contain external links and masquerade as job application forms in phishing emails. AhnLab EDR traces the infection chain from Outlook and Word through CMD and PowerShell to rundll32, where DanaBot is downloaded, loaded, and executed, enabling data theft, screenshots, and browser credential access.
#DanaBot #AhnLabEDR

Keypoints

  • The attack uses spearphishing with a Word document attachment containing an external link to trigger execution.
  • The infection chain progresses through Outlook to Word, then to command-line and PowerShell before launching the payload.
  • External URL loading leads to downloading additional documents (.dotm) and a macro that decodes and executes commands.
  • A macro document (dotm) loaded via the Word file downloads DanaBot (iu4t4.exe) from the C2.
  • The DanaBot payload re-launches via rundll32.exe using shell32.dll parameters.

MITRE Techniques

  • [T1566] Spearphishing Attachment – The attacker employed a document containing an external link to prevent their malicious macro from being detected in an attachment. Quote: β€œThe attached file (.docx) is a Word document that contains an external link.”
  • [T1059] PowerShell – A PowerShell command is used to download the DanaBot malware (iu4t4.exe) from the C2. Quote: β€œreveal a PowerShell command to download the DanaBot malware (iu4t4.exe) from the C2.”
  • [T1059] Command Prompt – The chain shows CMD.exe involved in the sequence decoding/executing commands. Quote: β€œcmd.exe”
  • [T1105] Ingress Tool Transfer – External link mechanism downloads additional documents (.dotm) and loads them. Quote: β€œconnecting to the specified address to download additional documents and load them.”
  • [T1218] Signed Binary Proxy Execution: Rundll32 – DanaBot re-launches itself through rundll32.exe using shell32.dll parameters. Quote: β€œre-launches itself with shell32.dll’s parameters through rundll32.exe.”
  • [T1113] Screen Capture – DanaBot is capable of taking screenshots after infection. Quote: β€œthe malware takes screenshots and collects PC information and browser account credentials.”
  • [T1082] System Information Discovery – The malware collects information from the PC as part of its data theft. Quote: β€œcollect information without being connected to the C2.”

Indicators of Compromise

  • [IOC Type] File Hash – 0bb0ae135c2f4ec39e93dcf66027604d (.DOCX) – Word document initial attachment used in the infection chain
  • [IOC Type] File Hash – 28fd189dc70f5bab649e8a267407ae85 (.DOTM) – Macro-enabled document downloaded/loaded during the attack
  • [IOC Type] File Hash – e29e4a6c31bd79d90ab2b89f57075312 (Danabot EXE) – DanaBot payload downloaded/executed

Read more: https://asec.ahnlab.com/en

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint