Mitigating a Danabot Banking Malware Attack with SecureCyber MXDR

Summary / Overview

SecureCyber's Managed Extended Detection and Response (MXDR) platform successfully identified, contained, and remediated a sophisticated attack involving the Danabot banking
malware. The incident demonstrates the power of automated threat detection, rapid response, and in-depth forensic investigation in combating advanced threats.

Challenge: Identifying and Containing a Novel Malware Attack

SecureCyber's MXDR network monitoring detected beacon activity associated with Danabot banking malware's command and control (C2) communications. The challenge lay in isolating the malicious endpoint while ensuring minimal disruption to business operations. Additionally, the advanced techniques used by Danabot to mask its activities required a deep forensic analysis to uncover the full attack path.

Solution: End-to-End Incident Response and Forensic Analysis

• • Upon detecting the malware beacon, SecureCyber MXDR automated containment measures were initiated to isolate the compromised endpoint from the network.
  • Security analysts reviewed and confirmed the alert, escalating it to an incident.
  • MXDR response tools were used to disable the user's Active Directory account, further preventing lateral movement.

• SecureCyber SOC analysts coordinated with the client to physically quarantine the device.
• A DFIR (Digital Forensic and Incident Response) triage was performed to assess the extent of the compromise.
• The SecureCyber Forensic and Incident Response team collected the device for in-depth analysis.

• Analysts collaborated with cyber intelligence partners to gather information on known Danabot tactics, techniques, and procedures (TTPs).
• This intelligence was integrated into the forensic investigation, accelerating the analysis process.

• Attack Vector: The attack began when the victim downloaded a fake report related to "Missing Funds." The report contained a zip file with a JavaScript loader, which subsequently downloaded an AutoIT script loader.
• Persistence Mechanism: Persistence was established via Windows Registry keys.
• Process Injection: The AutoIT stage performed a process injection attack into the legitimate Google Updater executable GoogleUpdateCore.exe.
• C2 Evasion: Command and control infrastructure was hosted on Google Cloud Compute, leveraging Google IP addresses to blend malicious traffic with legitimate network activity.

• Forensic analysts isolated and enumerated malicious internet hosts and command and control traffic.
• Indicators of Compromise (IOCs) were fed into the SecureCyber Shield for real-time threat blocking across client environments.
• The MXDR Automated Threat Hunting platform initiated hunts across client systems to ensure no residual threats remained.

• Reverse engineering of the malware confirmed its identity as Danabot. Analysts validated components and techniques against known Malware Analysis Reports.

Results: Comprehensive Protection Across Client Environments

• Real-Time Threat Blocking: The SecureCyber Shield provided immediate protection against identified indicators of compromise.
• Proactive Threat Hunting: The MXDR Automated Threat Hunting platform cleared all client environments of Danabot-related threats.
• Enhanced Understanding: The forensic investigation deepened understanding of Danabot’s attack techniques, bolstering future defenses.