Recent email campaigns have become conduits for the distribution of DanaBot malware, employing two distinct tactics: exploiting equation editor vulnerabilities within document attachments and embedding external links. These emails masquerade as job applications, tricking users into opening malicious Word documents that initiate the DanaBot infection process. Detected by Endpoint Detection and Response (EDR) systems, the malware’s sophisticated approach involves a series of processes, including PowerShell scripts and self-injection techniques, to establish persistence and execute malicious activities on infected systems. Despite efforts to obfuscate its presence, the malware’s activities post-infection pose significant risks, including capturing screenshots, stealing sensitive information, and pilfering browser account credentials.
Analysis of the email campaign’s modus operandi reveals a multi-stage infection process orchestrated by DanaBot, designed to exploit vulnerabilities in both document formats and user behavior. Through encoded CMD commands executed via malicious macros, DanaBot initiates the download of its payload from a command-and-control server, evading detection by leveraging rundll32.exe and shell32.dll functionalities. Furthermore, the malware’s ability to operate autonomously post-infection without consistent communication with its C2 server highlights its stealthy nature, allowing it to carry out nefarious activities discreetly.
Incidents involving potential DanaBot infections have been flagged by security systems, indicating attempts at scripting and malware execution within compromised environments. Suspicious files, primarily DOCX and DOTM formats, have been identified, with associated indicators of compromise (IOCs) pointing to the presence of the DanaBot Trojan. The discovery underscores the importance of robust security measures and ongoing vigilance to detect and mitigate the evolving threats posed by malware campaigns, particularly those leveraging sophisticated techniques to evade detection and infiltrate systems.
