

Posted: October 8, 2020

DanDrop is a threatening implant whose development and use are attributed to a cybercrime organization operating in the Middle East. DanDrop's creators, known as the Lyceum Advanced Persistent Threat (APT) group, specialize in attacks against companies in the oil, gas and telecommunications sectors. The goal of their operations is to exfiltrate data and credentials from compromised networks while leaving minimal traces of their activity.

DanDrop Paves the Way for Secondary Payloads

DanDrop appears to be one of the Lyceum APT's most used first-stage implants. It is usually delivered to the intended target via spear-phishing emails carrying a macro-laced file attachment. The attachment, usually a Microsoft Office document, poses as a relevant article or document. Some of the common names the Lyceum APT hackers use for their decoys are 'The Worst Passwords of 2017' and 'Top 10 Security Practices.' In other cases, the documents had titles written in the recipient's native language.

The DanDrop Trojan dropper contains a threatening executable in encrypted form. Upon execution, it creates the folder 'PublicPics' in the 'MyDocuments' directory. It then decrypts and compiles the payload, which usually consists of two files named 'ATrce.exe' and 'ATrce.exe.config.' Finally, it uses a dedicated function to run the executable at a later time.
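The drop path above (a 'PublicPics' folder under the user's documents folder receiving 'ATrce.exe' and 'ATrce.exe.config') is a concrete host artifact that defenders can hunt for. The following is an added example written for this page, not code from the original article or from any vendor; it runs a simple path classifier over constructed file-creation telemetry records. It assumes that 'MyDocuments' resolves to C:\Users\<name>\Documents, and the record format (a dict with `path` and `process`) and the sample events are assumptions for illustration only.

```python
"""Host-hunting check for the DanDrop drop-path artifacts described above.

Added example (not from the original page). It classifies constructed
file-creation records and flags the pattern the page describes: a
'PublicPics' folder under a user's Documents folder receiving
'ATrce.exe' / 'ATrce.exe.config'. The record format, the Documents
location and the sample events are assumptions for illustration.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Artifact names taken from the page's description of the dropper.
DROP_DIR_NAME = "publicpics"
PAYLOAD_NAMES = {"atrce.exe", "atrce.exe.config"}


def is_under_user_documents(path: PureWindowsPath) -> bool:
    """True if the path lies beneath <drive>\\Users\\<name>\\Documents (case-insensitive).

    Assumption: 'MyDocuments' maps to the per-user Documents folder.
    """
    parts = [p.lower() for p in path.parts]
    # parts[0] is the drive anchor, e.g. 'c:\\'
    return len(parts) >= 4 and parts[1] == "users" and parts[3] == "documents"


def classify_event(path_str: str) -> Optional[str]:
    """Return a finding label for one created path, or None if it does not match."""
    path = PureWindowsPath(path_str)
    if not is_under_user_documents(path):
        return None
    parent_names = [p.lower() for p in path.parts[:-1]]
    name = path.name.lower()
    if name == DROP_DIR_NAME:
        return "dandrop-staging-dir"
    if DROP_DIR_NAME in parent_names and name in PAYLOAD_NAMES:
        return "dandrop-payload"
    return None


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify_event over telemetry records and keep hits with the writing process."""
    findings = []
    for ev in events:
        label = classify_event(ev["path"])
        if label:
            findings.append({"label": label, "path": ev["path"], "process": ev["process"]})
    return findings


# Constructed sample telemetry (not real logs): one benign write, the staging
# directory, the two payload files, and a same-named file outside Documents
# that must not match.
SAMPLE_EVENTS = [
    {"process": "WINWORD.EXE", "path": r"C:\Users\alice\Documents\report.docx"},
    {"process": "WINWORD.EXE", "path": r"C:\Users\alice\Documents\PublicPics"},
    {"process": "WINWORD.EXE", "path": r"C:\Users\alice\Documents\PublicPics\ATrce.exe"},
    {"process": "WINWORD.EXE", "path": r"C:\Users\alice\Documents\PublicPics\ATrce.exe.config"},
    {"process": "explorer.exe", "path": r"C:\Temp\ATrce.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding['label']:22} {finding['process']:14} {finding['path']}")
```

Keeping the writing process in each finding matters: in the constructed sample it is the Office process that creates the folder and writes the executables, which is the behaviour a macro-laced document produces and a useful secondary signal when the file names alone are changed.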

Mitigating threats like DanDrop can be accomplished with a reliable anti-virus tool, combined with safe Web browsing and email-handling guidance for all users.