DanDrop Description

DanDrop is a malware dropper tool, part of the arsenal of an Advanced Persistent Threat (APT) group called Lyceum or Hexane, by the cybersecurity community. DanDrop is delivered in the first stage of Lyceum's attack chain and is responsible for creating a copy of the hackers' main malware tool - a Remote Access Trojan called DanBot.

To deliver DanDrop onto the targeted computer, it is embedded into Microsoft Office documents as a VBA macro. The documents carrying the dropper are designed to be as enticing as possible with names such as 'The Worst Passwords of 2017' and 'Top Ten Security Practices.' Documents written in Arabic entirely have also been detected.

The malware itself consists of several VBA functions. The main function is triggered when the targeted user opens a corrupted MS document and is programmed to perform a multitude of actions on the compromised system. First, it sets the visibility of certain sheets with the document, after which it proceeds to create a Users\Public\PublicPics within the MyDocuments directory. The next step is to decrypt Base64-encoded data from the document and store it within two variables named ert and cnf. The variables are then written into two files - ATrce.e and ATrce.ex, after which the files are given the new names of ATrce.exe and ATrce.exe.config. Finally, it calls the SdT function that can start the dropped DanBot payload at a later time.