
Sophisticated and dangerous, DanaBot has resurfaced after laying dormant for seven months.

Researchers are warning that a new fourth version of the DanaBot banking trojan has surfaced after months of mysteriously going quiet. The latest variety, still under analysis by researchers, is raising concerns given the number of effective DanaBot campaigns seen in the past.

From May 2018 to June 2020, DanaBot was a fixture in the crimeware threat landscape, according to Proofpoint, which first discovered the malware in 2018 and posted a debrief on the latest variant on Tuesday.

“Starting in late October 2020, we observed a significant update to DanaBot samples appearing in VirusTotal,” wrote Dennis Schwarz, Axel F. and Brandon Murphy, in the collaborative Tuesday report. “While it has not returned to its former scale, DanaBot is malware that defenders should put back on their radar.”

DanaBot the Destructor

DanaBot is a banking trojan that first targeted users in Australia via emails containing malicious URLs. Criminals then developed a second variant and targeted US companies – part of a series of large-scale campaigns. A third variant surfaced in February 2019 that was significantly enhanced with remote command-and-control functionality, according to the ESET researchers who discovered it.

While the most recent fourth version, found by Proofpoint, is unique, it’s unclear from the researchers’ recent report what specific new capabilities, if any, the malware has today. Proofpoint did not reply to press inquiries.

Compared to previous campaigns, the Tuesday report suggests that this most recent variant comes packed mostly with the same deadly arsenal of tools seen before. Main features include a Tor component to anonymize communications between the attackers and an infected machine.

“As previously reported in DanaBot control panel revealed, we believe DanaBot is set up as a ‘malware as a service’ in which one threat actor controls a global command and control (C&C) panel and infrastructure then sells access to other threat actors known as affiliates,” researchers wrote.

At the DanaBot Core

In general, DanaBot’s multi-stage infection chain starts with a dropper that triggers a cascading series of malicious actions. These include intercepting network requests, siphoning off application and service credentials, exfiltrating sensitive data, deploying ransomware, spying via desktop screenshots and dropping a cryptominer to turn targeted PCs into cryptocurrency worker bees.

With its current analysis, Proofpoint focused on the specific technical changes within the malware’s “Main component.” That facet of the malware included anti-analysis features along with:

  • Some Windows API functions are resolved at run-time.
  • When a malware-related file is read or written to the filesystem, it is done in the middle of benign decoy file reads or writes.
  • Persistence is maintained by creating an LNK file that executes the main component in the user’s Startup directory.

LNK files (Windows shortcut files) are created automatically by Windows, for example whenever a user opens a file. Windows uses them to connect a file to the specific application used to view or edit it, and any LNK file placed in a user’s Startup directory is launched at logon.
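The Startup-folder persistence described above is easy to audit from the defender’s side. The following PowerShell script is an added example, not code from the Proofpoint report: it enumerates the LNK files in every local profile’s Startup folder plus the machine-wide one, resolves each shortcut’s target and arguments, and flags any target that lives outside Program Files or the Windows directory (or under AppData/Temp), which is where a dropped main component would typically sit. It assumes it is run with enough privilege to read other users’ profiles.

```powershell
# Added example: hunt for LNK-based persistence in Startup folders.
# Not part of the original article or of any Proofpoint tooling.
$shell = New-Object -ComObject WScript.Shell

# Machine-wide Startup folder plus the per-user one in every local profile.
$startupDirs = @(Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
Get-ChildItem -Path (Split-Path $env:USERPROFILE -Parent) -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $startupDirs += Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }

# Targets under these roots are treated as expected; anything else is flagged for review.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        # CreateShortcut on an existing .lnk loads it and exposes TargetPath/Arguments.
        $sc = $shell.CreateShortcut($lnk.FullName)
        $target = $sc.TargetPath
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($target -and $target.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true
            }
        }
        [pscustomobject]@{
            Shortcut   = $lnk.FullName
            Target     = $target
            Arguments  = $sc.Arguments
            Created    = $lnk.CreationTime
            # User-writable locations are the usual home of a dropped component.
            Suspicious = (-not $inTrusted) -or ($target -like '*\AppData\*') -or ($target -like '*\Temp\*')
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Shortcuts marked Suspicious are not necessarily malicious (legitimate per-user installers also drop them), so compare the target’s hash and signature against known software before acting on a hit.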

Incremental Updates Identified

With this new variant, researchers identified several new Affiliate IDs, suggesting that the malware-as-a-service component to DanaBot was very much active and growing. Also flagged were new tactics and techniques for infection.

“Proofpoint researchers were able to narrow down at least one of the DanaBot distribution methods to various software warez and cracks websites that supposedly offer software keys and cracks for a free download, including anti-virus programs, VPNs, graphics editors, document editors, and games,” researchers wrote.

Illicit content or warez tools downloaded from these sites are identified as the initial infection points for this latest fourth variant. One site, promoting a software key generator, bait-and-switched users who thought they were downloading a program crack, but actually the warez file “contained several ‘README’ files and a password-protected archive containing the initial dropper for the malware bundle, ‘setup_x86_x64_install.exe,’” wrote Proofpoint.

“Some of the affiliates that were using [DanaBot] have continued their campaigns using other banking malware (e.g. Ursnif and Zloader). It is unclear whether COVID-19, competition from other banking malware, redevelopment time, or something else caused the dip, but it looks like DanaBot is back and trying to regain its foothold in the threat landscape,” concluded researchers.
