Early variants of DanaBot were first reported in 2018, when it was considered a novel banking trojan used in phishing campaigns targeting customers in Australia and Canada; it included web injections and stealer functions.

It is confirmed that recent DanaBot campaigns have moved to Europe and now drop executable files containing ransomware written in the Delphi programming language. Further capabilities include stealing browser credentials, initiating remote desktop control on targeted systems, and running a local proxy to manipulate web traffic.
From the beginning until now, the initial means of infection by this bot has remained a phishing attack. Criminals send messages that entice recipients to open an attachment that downloads a VBS script, which functions as the DanaBot dropper.

The addition of a ransomware component to DanaBot was spotted recently, indicating that the operators had tweaked a variant of NonRansomware that enumerates files on local drives and then encrypts all of them except the Windows directory. DanaBot appears to have outgrown the banking Trojan category. The operators have recently been experimenting with cunning email-address-harvesting and spam-sending features that can misuse the victims' webmail accounts for further malware distribution.

The researchers have also found that DanaBot operators have been cooperating with the criminals behind GootKit, another advanced Trojan. This behaviour is atypical of the otherwise independently operating groups.
How DanaBot operates can be broken down into two main features:

- DanaBot harvests email addresses from existing victims' mailboxes. This is achieved by injecting a malicious script into each of the targeted webmail service's webpages once a victim logs in; the script then processes the victim's emails and sends all email addresses found to a C&C server.
- In case the webmail is based on the Open-Xchange suite, DanaBot uses a script that can use the victim's mailbox to send spam to the harvested email addresses. What further complicates things is that the malicious emails are sent as replies to actual emails found in the compromised mailboxes, so it appears as if the mailbox owners themselves are sending them, and they carry valid digital signatures.
It appears that the attackers are particularly interested in email addresses that contain the string "pec", which is mostly found in Italy-specific electronic mail addresses. It seems that DanaBot operators are focused on targeting corporate and public administration emails, which require this certification service.

The malicious emails include ZIP attachments, pre-downloaded from the attacker's server, containing a PDF file and a VBS file. The moment the VBS file is executed, it downloads further malware that can use PowerShell commands.
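The attachment pattern described above (a reply to an existing thread carrying a ZIP that bundles a decoy PDF with a VBS dropper) is something a mail gateway can triage before delivery. The following is an added example, not code from the original article or from any of the cited vendors: it builds a constructed, inert sample message with the `email` standard library, opens the ZIP in memory and flags any member with a `.vbs` extension; the sender, recipient and file names are hypothetical.

```python
import io
import zipfile
from email.message import EmailMessage


def build_sample_message(with_vbs: bool = True) -> EmailMessage:
    """Constructed sample (not a real capture): a reply-style message with a
    ZIP attachment holding a decoy PDF and, optionally, a VBS file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fattura.pdf", b"%PDF-1.4 decoy content")
        if with_vbs:
            zf.writestr("fattura.vbs", b"' inert placeholder, no real script")
    msg = EmailMessage()
    msg["From"] = "owner@example.test"            # hypothetical sender
    msg["To"] = "ufficio@example.pec.test"        # hypothetical recipient
    msg["Subject"] = "Re: fattura"
    msg["In-Reply-To"] = "<original@example.test>"  # sent as a reply, as described
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="documenti.zip")
    return msg


def zip_member_names(data: bytes) -> list[str]:
    """Return the file names inside a ZIP payload, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(msg: EmailMessage) -> dict:
    """Inspect every ZIP attachment and flag ones that contain a .vbs member.
    Also record whether the message is threaded as a reply, which is why
    sender-reputation checks alone would not catch this pattern."""
    result = {"is_reply": bool(msg.get("In-Reply-To") or msg.get("References")),
              "members": [], "zip_with_vbs": False}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/zip" or name.endswith(".zip"):
            names = zip_member_names(part.get_payload(decode=True))
            result["members"].extend(names)
            if any(n.lower().endswith(".vbs") for n in names):
                result["zip_with_vbs"] = True
    result["verdict"] = "quarantine" if result["zip_with_vbs"] else "deliver"
    return result
```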
The researchers have found similarities between the malicious VBS file hosted on DanaBot's servers and a downloader module for GootKit. GootKit is a stealthy Trojan used for banking fraud attacks. It seems that GootKit has been operated by other malware, which is new behaviour in the attackers' world.

One of the indicators that DanaBot and GootKit have been operating together is a significant decrease in the distribution of DanaBot in Poland alongside a spike in GootKit activity. GootKit has been spreading using the same method as DanaBot.

DanaBot has similarities with other malware families, which allows its developers to use similar webinject scripts or, if needed, reuse third-party scripts.
It appears that DanaBot has also been used in sextortion cases. It uses a system different from extortion: instead of threats, the email body contains enticing text about sexual favours. The senders ask for bitcoins as financial support in exchange for sex videos and/or photographs. The sender also usually attaches "personal video clips" to lure the email recipient into clicking.

Here is the list of the most used plug-ins in previous DanaBot attacks:

- VNC plug-in: establishes a connection to a victim's computer and can control it
- Sniffer plug-in: injects malicious scripts into a victim's browser, mostly while visiting internet banking sites
- Tor plug-in: installs a Tor proxy that enables access to .onion web sites
- Stealer plug-in: collects passwords from a wide variety of applications (poker programs, chat and email programs, browsers, VPN clients, etc.)

Last year, DanaBot implemented the RDP plug-in, which provides Remote Desktop Protocol connections to Windows machines that do not normally support it. This plug-in may also have been implemented because the protocol is less likely to be blocked by firewalls, and it allows several users to use the same machine concurrently.
It seems that DanaBot has recently been targeting other countries as well, including Germany, Australia and Ukraine.

The biggest DanaBot campaign has been in Poland; it is still ongoing and remains the largest one.

The risk of DanaBot being implanted into users' systems is still high. DanaBot keeps evolving and remains one of the biggest malware threats in recent times.
Source: ProofPoint, TrustWave, HowToRemove