DanaBot malware keeps evolving

RapidVPN/ August 23, 2019/ Blog/

Early variants of DanaBot were first reported in 2018 when it was considered a novel banking trojan that was used in phishing campaigns targeting customers in Australia and Canada – it included web injections and stealer functions.

It is confirmed that recent DanaBot campaigns have moved to Europe and are now dropping executable files containing ransomware written in the Delphi programming language. Further capabilities include stealing browser credentials, initiating remote desktop control on targeted systems, and running a local proxy to manipulate web traffic.

From the beginning until now, the initial means of infection by this bot has been a phishing attack. Criminals send messages that entice recipients to interact with an attachment that downloads a VBS script, which functions as the DanaBot dropper.

The addition of a ransomware component to DanaBot was spotted recently, indicating that operators had tweaked a variant of NonRansomware that enumerates files on local drives and then encrypts all of them except the Windows directory. DanaBot appears to have outgrown the banking Trojan category. The operators have recently been experimenting with cunning email-address-harvesting and spam-sending features that are capable of misusing victims' webmail accounts for further malware distribution.

The researchers have also found that DanaBot operators have been cooperating with the criminals behind GootKit, another advanced Trojan. This behavior is atypical of these otherwise independently operating groups.

How DanaBot operates can be broken down into two main features:

  • DanaBot harvests email addresses from existing victims’ mailboxes. It does this by injecting a malicious script into each of the targeted webmail service’s webpages once a victim logs in; the script then processes the victim’s emails and sends all email addresses to a C&C server.
  • If the webmail is based on the Open-Xchange suite, DanaBot uses a script that can use the victim’s mailbox to send spam to the harvested email addresses. What further complicates things is that the malicious emails are sent as replies to actual emails found in the compromised mailboxes: it appears as if the mailbox owners themselves are sending them, and they have valid digital signatures.

It appears that the attackers are particularly interested in email addresses that contain the string "pec", which is mostly found in Italy-specific electronic mail addresses. It seems that DanaBot operators are focused on targeting corporate and public administration emails which need this certification service.

The malicious emails include ZIP attachments, pre-downloaded from the attacker’s server, that contain a PDF file and a VBS file. When the VBS file is executed, it leads to the download of further malware that can use a PowerShell command.
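A mail-gateway check for the attachment pattern described above (a ZIP that carries a script next to a decoy document, sent as a reply), as an added example that is not part of the original article. The function names, the extension lists beyond VBS and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script extensions Windows runs on double-click; the list is an assumption
# for this example, the article itself only names VBS.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

def _ext(name):
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""

def scan_message(raw_bytes):
    """Return one finding per ZIP attachment that contains a script file."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue  # not a ZIP (judged by content, not by file name)
        scripts = [n for n in names if _ext(n) in SCRIPT_EXTS]
        if scripts:
            findings.append({
                "attachment": part.get_filename(),
                "scripts": scripts,
                "decoy_present": any(_ext(n) in DECOY_EXTS for n in names),
                "sent_as_reply": is_reply,
            })
    return findings

def build_sample(members):
    """Constructed test message: a reply carrying a ZIP with the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.com"
    msg["Subject"], msg["In-Reply-To"] = "Re: invoice", "<constructed-id@example.com>"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="documents.zip")
    return msg.as_bytes()
```

Because these messages arrive as replies from real, compromised mailboxes, sender reputation does not help; the attachment content is the signal to act on.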

The researchers have found similarities between the malicious VBS file that operates on DanaBot’s servers and a downloader module for GootKit. GootKit is a stealthy Trojan that is used for banking fraud attacks. It seems that GootKit has been operated via other malware, which is new behavior in the attackers’ world.

One indicator that DanaBot and GootKit have been operating together is a significant decrease in the distribution of DanaBot in Poland while there was a spike in GootKit activity. GootKit has been spreading using the same method as DanaBot.

DanaBot has similarities with other malware families. This allows the developers to use similar webinject scripts or, if needed, reuse third-party scripts.

It appears that DanaBot has also been used in sextortion cases. These use an approach different from extortion: instead of threats, the email body contains enticing text about sexual favors. The senders ask for bitcoins as financial support in exchange for sex videos and/or photographs. The sender also usually attaches "personal video clips" in order to lure the email recipient into clicking.

Here is the list of the most used plug-ins in previous DanaBot attacks:

  • VNC plug-in – it establishes a connection to a victim’s computer and can control it
  • Sniffer plug-in – it injects malicious scripts into a victim’s browser, mostly while visiting internet banking sites
  • Tor plug-in – installs a Tor proxy that enables access to .onion web sites
  • Stealer plug-in – collects passwords from a wide variety of applications (poker programs, chat and email programs, browsers, VPN clients, etc.)

Last year, DanaBot implemented the RDP plug-in, which provides Remote Desktop Protocol connections to Windows machines that do not normally support it. This plug-in may also have been implemented because the protocol is less likely to be blocked by firewalls, and it allows several users to use the same machine concurrently.

It seems that DanaBot has recently been targeting other countries as well, including Germany, Australia and Ukraine.

DanaBot's biggest campaign has been in Poland, and it is still ongoing.

The risk of DanaBot infecting users' systems remains high. DanaBot keeps evolving and remains one of the biggest malware threats in recent times.

Source: ProofPoint, TrustWave, HowToRemove