SANNY Malware

SANNY is a macro-based malware that is known to be used by a malicious group based out of Korea. The malware is spread via spam and phishing campaigns in a Word document attached to the email and its aim is to extract data of the user’s system.

Threat ID:: CC-2188
Category:
Threat Severity:: Low
Threat Vector:
Published:: 28 March 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Threat details

Once the Word document has been accessed, a malicious command is embedded in a text box which when macros are enabled will execute the command. The malware then uses legitimate Microsoft Windows executables (certutil.exe) to download a text file which is an encoded Cabinet file (CAB) from the base URL: hxxp://more.1apps[.]com/ . This then aims to avoid detection of antivirus software and embed itself into the Windows directory. The CAB file then uses the ipnet.dll component to hijack the system and begin data exfiltration.

SANNY uses the File transfer protocol (FTP) to communicate with the Command and Control server (C2) which is stored and encoded inside the ipnet.dll component.

Remediation advice

To prevent and detect a trojan infection, ensure that:

Remediation steps

Type	Step
	A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, antivirus and other security products are kept up to date. Regular full system antivirus scans are performed across the estate. All day to day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place and password reuse is discouraged. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from infected machines should be reset on a clean computer

Type

Step

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, antivirus and other security products are kept up to date.
Regular full system antivirus scans are performed across the estate.
All day to day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place and password reuse is discouraged.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from infected machines should be reset on a clean computer

Last edited: 6 September 2021 4:20 pm