DanaBot Banking Trojan Regains Its Foothold in the Threat Landscape

Researchers have found that a new Malware-as-a-Service (MaaS) strain of DanaBot banking trojan has resurfaced after being silent for a few months. Research indicates that it has been distributed through pirated software keys of major free VPNs, antivirus software, and pirated games that a user might be tricked into downloading through social engineering techniques.  

DanaBot was first discovered by Proofpoint in 2018, and it was one of the top banking malware used in the cybercrime threat landscape, initially targeting users in Australia via Phishing emails. There have been three different variants of DanaBot developed by cybercriminals from May 2018 to June 2020. The second variant has been known to target financial institutions in the United States as part of a series of large campaigns. The third variant, which emerged in February 2019 with enhanced command and control structure, targeted other regions such as Canada, Germany, the UK, Australia, Italy, Poland, Mexico, and Ukraine. 

The new fourth version of the DanaBot banking trojan has surfaced after months of inactivity. In this blog post, we will technically analyze the latest variant of the DanaBot banking trojan.  

DanaBot has multi-stage infection capability, as seen in other banking trojans. The infection starts with a loader component that decrypts and executes a secondary payload (DLL), leading to a cascading evolution of the cyberattack. The motivation and capabilities of DanaBot include harvesting application and service credentials, network query theft, stealing sensitive data, ransomware infection, screenshot spying, collecting browser data, and stealing cryptocurrency wallets. 

danabot troyano ciberseguridad versiones mejoradas thumb 1280

Technical Analysis: 

The file we have analyzed is a UPX-packed Delphi compiled file, which is a large, multi-threaded, and modular trojan that decompiles, decrypts, and executes secondary DLL runtime. The static file information with the packer detail is shown below. 

Upon loading of the secondary DLL, it removes installer components and reruns itself using rundll32.exe with a special export function named “aVAZ3BxwAnz5”. The command line parameters of the DLL are shown below. 

C:\Windows\system32\RUNDLL32.EXE C:\Users\[removed]\Desktop\C0EB80~1.DLL,aVAZ3BxwAnz5 

As highlighted above, the DLL export name is base64 encoded. The first three bytes are subtracted by each other, and this value determines the running mode of the DLL components with four options such as 0 – main, 1 – TOR module, 2 – process injection of additional payload downloaded, and 3 – additional module.  

As per our analysis, the following specific set of technical challenges or anti-analysis tricks were seen to be used by the DanaBot banking trojan: 

  • The malware constructs strings by one character at a time 
  • Some Windows API functions are resolved at runtime
  • When a malware-related file is read or written to the file system, it is done in the middle of a benign decoy file read or write
  • Persistence is maintained by creating an LNK file that runs the core component in the user’s startup directory

The following figure shows the runtime windows API construction by the DanaBot DLL. 

As described by Proofpoint research, DanaBot has a 356-byte structure of configuration information hardcoded. The following figure shows the configuration of the DanaBot sample. 

The hard-coded configuration data includes affiliated ID, embedded hashes, version, and C2 IP address. As we are aware that DanaBot works as a Malware-as-a-Service, it is believed that one threat actor controls the global command and control server and sells access to others as affiliates. 

As discussed earlier, the DanaBot has a module to switch its functionality to connect with TOR-based C2. The analyzed sample contains the following hard-coded onion link: 5jjsgjephjcua63go2o5donzw5x4hiwn6wh2denn(redacted)[.]onion 

It has been observed that the malware tries to fetch computer information and network computer information, followed by sending it to C2 to propagate later. This is showcased in the debugger image below.  

DanaBot uses binary protocol through port 443, and one of the C2 communication is shown below. 

The command data structure is:  

  • AES-encrypted data  
  • Padding length (4 bytes)  
  • RSA-encrypted session key  
  • RSA signature (in responses) 

The C2 response includes an RSA signature that is verified with an embedded RSA public key in a malware sample, as shown in the debugger dump below. 

We have observed communication to the hard-coded C2 server IP, as shown in the Wireshark image below. 

It is suspected that DanaBot might install additional components, as in the case of the previous variant, such as browser functionality with code injection, keylogging, video recording, and VNC/RDP. 

As seen in the past, DanaBot was one of the most distributed banking malware in the threat landscape, targeting financial organizations across multiple countries. It was dormant for quite a few months in 2020, which may be due to COVID-19 campaigns targeting multiple regions. However, this is still unclear. With the recent emergence of the new variant, it appears that DanaBot may be trying to regain its foothold with enhanced techniques and infection vectors, such as spear phishing campaigns. 

Indicators of Compromise (IOCs): 

Indicator  Type Description 
c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d  SHA-256  DanaBot Installer affiliate ID 3  
23.226.132.92  IP Address  C2 server IP 
23.106.123.249  IP Address  C2 server IP 
108.62.141.152  IP Address  C2 server IP 
104.144.64.163  IP Address  C2 server IP 
5jjsgjephjcua63go2o5donzw5x4hiwn6wh2dennmyq65pbhk6qflzyd\.onion  Hostname  TOR link 
83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43  SHA-256  DanaBot Installer  
149.129.212.179  IP Address  C2 server IP 
47.254.247.133  IP Address  C2 server IP 
159.89.114.62  IP Address  C2 server IP 
138.197.139.56  IP Address  C2 server IP 
ab3c72aaacbe2c99646bf4d91e177585631b164f8cd9e9e5eb7a180ce7d945d5  SHA-256  600117809bae5__Adobe-Photoshop-CC-2211138-Crack-Incl-Keygen-X64-2021.zip  
ceb0ad27aaf97a5a33664f49aa107ca421c3f0a6e0b9a3c37f93455a258f3c04  SHA-256    DanaBot downloaded from hxxp[:]//45.147.230[.]58/palata.exe 

Security Recommendations: 

  • Ensure antivirus software and associated files are up to date 
  • Search for existing signs of the indicated IOCs in your environment 
  • Consider blocking or setting up detection for all URL and IP-based IOCs 
  • Keep applications and operating systems running at the current released patch level 
  • Exercise caution while opening attachments and links in emails 
  • Keep systems fully patched to effectively mitigate vulnerabilities 

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com

Leave a Comment

Your email address will not be published.

%d bloggers like this: