Last Updated: 2021-08-14 02:14:07 UTC
by Guy Bruneau (Version: 1)
Scanning for Microsoft Exchange eDiscovery
In the past week, I have notice more scans looking for the following Exchange URL over port 443: /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
What I have also noticed, all these scans for this URL are all from the same subnet (AS14061) DIGITALOCEAN-192-241-128-0.
This activity is likely linked to April Patch Tuesday (CVE-2021-28481) where "Also of significant note are the Microsoft Exchange Server Remote Code Execution vulnerabilities across versions 2013 - 2019. No known exploits are being reported however the CVSS score sits at 9.8, tread carefully. With a Critical rating, and a high CVSS score, those patches are worth reviewing in depth."
Based on this graph, these scans started almost immediately (17 April 2021) after April patch Tuesday and are still ongoing today.
20210812-170532: 192.168.25.9:443-188.8.131.52:48302 data
GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1
User-Agent: Mozilla/5.0 zgrab/0.x
Indicators of Compromise
184.108.40.206/17 → AS14061
Have you noticed an increase in scans for this URL?
Last Updated: 2021-08-13 01:57:06 UTC
by Brad Duncan (Version: 1)
Danabot is an information stealer known for targeting banking data on infected Windows hosts. According to Proofpoint, Danabot version 4 started appearing in the wild in October 2020.
We recently discovered a Danabot sample during an infection kicked off by an email attachment sent on Thursday 2021-08-12.
Today's diary reviews this Danabot infection.
The email and attachment
The infection traffic
First, the JS file retrieves a malicious DLL file for Danabot, then runs it on the victim's host. Next comes post-infection Danabot C2 traffic using 192.52.167[.]44 over TCP port 443. Danabot C2 is encoded or otherwise encrypted traffic. In this case, the victim's Windows host had a Google account synced to a Chrome web browser.
Because of this, Danabot generated a great deal of traffic to Google-based domains. It searched for information from the Google account. In this case, the victim's host had no Gmail messages, and no Google services were used.
Shown above: Fiddler decryption of HTTPS traffic caused by Danabot to Google-based domains from the infected Windows host.
If the victim used their web browser for online banking, e-commerce, or similar web-based activity, Danabot will check for and steal any login credentials.
Forensics on the infected Windows host
Indicators of Compromise
Malware from an infection:
- File size: 16,358 bytes
- File name: 345346.zip
- File description: Zip archive attached to malspam for Danabot
- File size: 72,345 bytes
- File name: 12.08 - Reports.js
- File size: 1,390,592 bytes
- File location: hxxp://www.bonusesfound[.]ml/update/update.dll
- File location: C:\Users\[username]\AppData\Local\Temp\cNjqsBS.bin
- File description: Danabot DLL
- Run method: Rundll32.exe [filename],S
- Note 1: File name is random for each infection, but it ends with .bin
- Note 2: DLL entry point seems like it might be any value
Traffic from an infected Windows host:
- 46.173.218[.]13 port 80 - www.bonusesfound[.]ml - GET /update/index.php
- 46.173.218[.]13 port 80 - www.bonusesfound[.]ml - GET /update/update.dll
- 192.52.167[.]44 port 443 - no associated domain - encoded/encrypted TCP traffic for Danabot C2
- various IP addresses - various legitimate domains - Danabot checking sites for login credentials and other sensitive info
Decent spam filters and best security practices can help you avoid Danabot. Default security settings in Windows 10 should prevent these types of infections from happening.
But as I mentioned in my previous diary, this is a "cat-and-mouse" game. Malware developers try new ways to circumvent security measures, while vendors update their software, applications, and endpoint protection to address these developments.
As usual, mass-distribution methods like malspam remain cheap and profitable for cyber criminals, so keep an eye out for Danabot and other types of commodity malware.
brad [at] malware-traffic-analysis.net