Researchers have found that a new Malware-as-a-Service (MaaS) strain of DanaBot banking trojan has resurfaced after being silent for a few months. Research indicates that it has been distributed through pirated software keys of major free VPNs, antivirus software, and pirated games that a user might be tricked into downloading through social engineering techniques.
DanaBot was first discovered by Proofpoint in 2018, and it was one of the top banking malware used in the cybercrime threat landscape, initially targeting users in Australia via Phishing emails. There have been three different variants of DanaBot developed by cybercriminals from May 2018 to June 2020. The second variant has been known to target financial institutions in the United States as part of a series of large campaigns. The third variant, which emerged in February 2019 with enhanced command and control structure, targeted other regions such as Canada, Germany, the UK, Australia, Italy, Poland, Mexico, and Ukraine.
The new fourth version of the DanaBot banking trojan has surfaced after months of inactivity. In this blog post, we will technically analyze the latest variant of the DanaBot banking trojan.
DanaBot has multi-stage infection capability, as seen in other banking trojans. The infection starts with a loader component that decrypts and executes a secondary payload (DLL), leading to a cascading evolution of the cyberattack. The motivation and capabilities of DanaBot include harvesting application and service credentials, network query theft, stealing sensitive data, ransomware infection, screenshot spying, collecting browser data, and stealing cryptocurrency wallets.
The file we have analyzed is a UPX-packed Delphi compiled file, which is a large, multi-threaded, and modular trojan that decompiles, decrypts, and executes secondary DLL runtime. The static file information with the packer detail is shown below.
Upon loading of the secondary DLL, it removes installer components and reruns itself using rundll32.exe with a special export function named “aVAZ3BxwAnz5”. The command line parameters of the DLL are shown below.
As highlighted above, the DLL export name is base64 encoded. The first three bytes are subtracted by each other, and this value determines the running mode of the DLL components with four options such as 0 – main, 1 – TOR module, 2 – process injection of additional payload downloaded, and 3 – additional module.
As per our analysis, the following specific set of technical challenges or anti-analysis tricks were seen to be used by the DanaBot banking trojan:
- The malware constructs strings by one character at a time
- Some Windows API functions are resolved at runtime
- When a malware-related file is read or written to the file system, it is done in the middle of a benign decoy file read or write
- Persistence is maintained by creating an LNK file that runs the core component in the user’s startup directory
The following figure shows the runtime windows API construction by the DanaBot DLL.
As described by Proofpoint research, DanaBot has a 356-byte structure of configuration information hardcoded. The following figure shows the configuration of the DanaBot sample.
The hard-coded configuration data includes affiliated ID, embedded hashes, version, and C2 IP address. As we are aware that DanaBot works as a Malware-as-a-Service, it is believed that one threat actor controls the global command and control server and sells access to others as affiliates.
As discussed earlier, the DanaBot has a module to switch its functionality to connect with TOR-based C2. The analyzed sample contains the following hard-coded onion link: 5jjsgjephjcua63go2o5donzw5x4hiwn6wh2denn(redacted)[.]onion
It has been observed that the malware tries to fetch computer information and network computer information, followed by sending it to C2 to propagate later. This is showcased in the debugger image below.
DanaBot uses binary protocol through port 443, and one of the C2 communication is shown below.
The command data structure is:
- AES-encrypted data
- Padding length (4 bytes)
- RSA-encrypted session key
- RSA signature (in responses)
The C2 response includes an RSA signature that is verified with an embedded RSA public key in a malware sample, as shown in the debugger dump below.
We have observed communication to the hard-coded C2 server IP, as shown in the Wireshark image below.
It is suspected that DanaBot might install additional components, as in the case of the previous variant, such as browser functionality with code injection, keylogging, video recording, and VNC/RDP.
As seen in the past, DanaBot was one of the most distributed banking malware in the threat landscape, targeting financial organizations across multiple countries. It was dormant for quite a few months in 2020, which may be due to COVID-19 campaigns targeting multiple regions. However, this is still unclear. With the recent emergence of the new variant, it appears that DanaBot may be trying to regain its foothold with enhanced techniques and infection vectors, such as spear phishing campaigns.
Indicators of Compromise (IOCs):
|c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d||SHA-256||DanaBot Installer affiliate ID 3|
|22.214.171.124||IP Address||C2 server IP|
|126.96.36.199||IP Address||C2 server IP|
|188.8.131.52||IP Address||C2 server IP|
|184.108.40.206||IP Address||C2 server IP|
|220.127.116.11||IP Address||C2 server IP|
|18.104.22.168||IP Address||C2 server IP|
|22.214.171.124||IP Address||C2 server IP|
|126.96.36.199||IP Address||C2 server IP|
|ceb0ad27aaf97a5a33664f49aa107ca421c3f0a6e0b9a3c37f93455a258f3c04||SHA-256||DanaBot downloaded from hxxp[:]//45.147.230[.]58/palata.exe|
- Ensure antivirus software and associated files are up to date
- Search for existing signs of the indicated IOCs in your environment
- Consider blocking or setting up detection for all URL and IP-based IOCs
- Keep applications and operating systems running at the current released patch level
- Exercise caution while opening attachments and links in emails
- Keep systems fully patched to effectively mitigate vulnerabilities
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.