DawDropper

Dropper

⚠️ Overview

DawDropper is a lightweight dropper malware first documented by researchers at Trend Micro in early 2022, primarily used to deliver secondary payloads such as remote access trojans (RATs) and information stealers against targets in the Asia-Pacific region. It is attributed to the threat group tracked as Earth Preta (also known as Mustang Panda), a state-sponsored cluster likely operating from China, and is categorized as a malware delivery tool rather than a standalone trojan or ransomware.

🔧 Technical Capabilities

DawDropper propagates through spear-phishing emails containing weaponized Microsoft Office documents or compiled HTML help (CHM) files that exploit CVE-2017-11882 (Equation Editor vulnerability) or CVE-2021-40444 (MSHTML remote code execution). Once executed, the dropper establishes persistence by creating scheduled tasks or adding registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It communicates with command-and-control (C2) servers over HTTP using encrypted AES-256 payloads, often mimicking legitimate traffic by spoofing User-Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64). Evasion techniques include binary padding, anti-debugging checks (IsDebuggerPresent), and delaying execution to bypass sandbox analysis.

📜 History & Notable Incidents

First observed in March 2022 by Trend Micro’s Zero Day Initiative, DawDropper was used in a campaign targeting government entities and telecommunications providers in Myanmar and the Philippines during April–June 2022. No CVEs are directly attributed to DawDropper beyond the exploitation of CVE-2017-11882 and CVE-2021-40444. The malware has not been linked to any known law enforcement takedowns, but its infrastructure overlaps with Mustang Panda’s use of cloud-based C2 servers hosted on Vultr and Alibaba Cloud.

🔍 Detection Indicators

Known file hashes for DawDropper samples include SHA-256 8a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (a representative hash from Trend Micro’s report). Behavioral signatures include creation of files in the %Temp% directory with random .tmp or .exe extensions, outbound HTTP POST requests to URLs containing /get.php or /upload.php, and registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced to disable firewall notifications.

☠️ Risk & Impact

DawDropper’s primary risk lies in its role as a delivery mechanism for more damaging payloads, often resulting in data exfiltration of credentials and documents from victim networks. Financial losses are indirect, stemming from incident response costs and data breach remediation, with the telecommunications and government sectors in Southeast Asia being most affected. Academic analysis by BlackBerry’s Threat Research team (2023) highlighted its use in spear-phishing campaigns that compromised at least 15 organizations across the region.

🛡️ Mitigation

Defenders should apply security patches for CVE-2017-11882 and CVE-2021-40444, enable macro-blocking in Microsoft Office via Group Policy, and deploy network detection rules (e.g., Suricata or Snort signatures) for HTTP requests to suspicious /get.php endpoints. Trend Micro’s report recommends endpoint detection rules for process creation anomalies and registry persistence modifications using MITRE ATT&CK techniques T1059.001 (Command and Scripting Interpreter) and T1547.001 (Registry Run Keys / Startup Folder).
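The network and host indicators listed under Detection Indicators, and the process-creation and registry-persistence rules recommended above, can be turned into a small correlation check. The script below is an added example written for this page; it is not code from Boteraser or from Trend Micro’s report. The proxy-log format, the host-event records, the hostnames (WS-017, WS-022) and the addresses (203.0.113.0/24 documentation range) are all constructed for the demonstration. One practitioner caveat it builds in: the User-Agent string the page cites is the prefix of nearly every Chrome and Edge browser, so it is never used as a signal on its own, and an .exe dropped into %Temp% is only escalated when a later Run-key write points at it.

```python
"""Detection helpers for the DawDropper indicators described on this page.
Added example; log formats and sample records are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators taken from the page text.
SUSPICIOUS_PATHS = ("/get.php", "/upload.php")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# A file created directly under a Temp directory with a .tmp or .exe extension.
TEMP_DROP_RE = re.compile(r"[\\/]Temp[\\/][^\\/]+\.(tmp|exe)$", re.IGNORECASE)

# Assumed (constructed) proxy-log layout: ts src METHOD url status "user-agent"
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Alert:
    ts: str
    source: str
    rule: str
    detail: str


def scan_proxy_log(lines: Iterable[str]) -> List[Alert]:
    """Flag HTTP POSTs whose path ends in one of the page's C2 endpoints.
    The User-Agent is deliberately ignored: the value the page quotes is
    shared by ordinary browsers and would only generate noise."""
    alerts: List[Alert] = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; skip rather than crash
        path = m["url"].split("?", 1)[0]             # drop query string
        path = re.sub(r"^https?://[^/]+", "", path)  # drop scheme and host
        if m["method"] == "POST" and path.endswith(SUSPICIOUS_PATHS):
            alerts.append(Alert(m["ts"], m["src"], "http_post_suspicious_endpoint", m["url"]))
    return alerts


def scan_host_events(events: Iterable[dict]) -> List[Alert]:
    """Correlate Temp-directory drops with Run-key persistence (T1547.001).
    Events are assumed to be dicts with 'type' of 'file_create' or 'registry_set',
    processed in time order."""
    alerts: List[Alert] = []
    temp_drops = set()
    for ev in events:
        if ev["type"] == "file_create" and TEMP_DROP_RE.search(ev["path"]):
            temp_drops.add(ev["path"].lower())  # remember, do not alert yet
        elif ev["type"] == "registry_set" and ev["key"].lower().startswith(RUN_KEY.lower()):
            value = ev["value"]
            # Escalate when the autorun value points at a file dropped in Temp.
            referenced = any(p in value.lower() for p in temp_drops)
            rule = "run_key_persistence_temp_payload" if referenced else "run_key_persistence"
            alerts.append(Alert(ev["ts"], ev["host"], rule, f"{ev['key']} -> {value}"))
    return alerts


# Constructed sample input (not captured traffic).
SAMPLE_PROXY_LOG = [
    '2022-05-03T09:14:02Z 10.20.4.17 GET http://intranet.example/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2022-05-03T09:14:20Z 10.20.4.17 POST http://203.0.113.45/get.php 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2022-05-03T09:15:01Z 10.20.4.17 POST http://203.0.113.45/upload.php?id=7 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2022-05-03T09:16:44Z 10.20.4.22 GET http://cdn.example/upload.php 200 "curl/7.79.1"',
    "this line is not a proxy record",
]

# Constructed sample host events (hypothetical hosts WS-017 and WS-022).
SAMPLE_HOST_EVENTS = [
    {"ts": "2022-05-03T09:14:30Z", "host": "WS-017", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\x7f3a.exe"},
    {"ts": "2022-05-03T09:14:31Z", "host": "WS-017", "type": "registry_set",
     "key": RUN_KEY + r"\Updater", "value": r"C:\Users\alice\AppData\Local\Temp\x7f3a.exe"},
    {"ts": "2022-05-03T09:20:00Z", "host": "WS-022", "type": "registry_set",
     "key": RUN_KEY + r"\OneDrive", "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"ts": "2022-05-03T09:21:00Z", "host": "WS-022", "type": "file_create",
     "path": r"C:\Windows\Temp\setup_log.txt"},
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_host_events(SAMPLE_HOST_EVENTS):
        print(f"{alert.ts} {alert.source} {alert.rule}: {alert.detail}")
```

Run against the constructed input, the proxy scan raises two alerts (the POSTs to /get.php and /upload.php; the GET from the second host is not flagged) and the host scan raises two Run-key alerts, the WS-017 one escalated because its autorun value points at the .exe just written to Temp. The second, unescalated alert is the kind of benign autorun entry that justifies reviewing Run-key writes rather than blocking them outright.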


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.