Danabot

Danabot is a banking trojan first spotted in the wild in 2018. It differs from competing trojans in its robust delivery system and modular design. Since its first appearance, Danabot has gained considerable popularity among cybercriminals and has become an active threat in multiple regions of the world.

  • Type
    Trojan
  • Origin
    Unknown
  • First seen
    6 May, 2018
  • Last seen
    21 November, 2019
  • Global rank
    23
  • Week rank
    19
  • Month rank
    21
  • IOCs
    1276

What is Danabot malware?

Danabot is written in the Delphi programming language and carries several credential-theft functions. The malware is constantly updated by its developers, which has helped it keep gaining ground in the criminal community.

General description of Danabot

When first documented, Danabot was used by a single actor in a campaign against Australian companies. Since then, other malicious actors have adopted the malware and expanded the geography of attacks to Europe and North America.

In particular, Danabot has been seen in attacks in Poland, Germany, Italy, Austria and the US. The US campaigns were carried out on a large scale, which indicates that the malware and the operations behind it are still evolving.

As far as its function set is concerned, Danabot can be classified as a banking trojan, though some of its features suggest that it is becoming a more versatile piece of malware. Danabot is built from three main components. The loader is a small program whose job is to download the main payload. The main component, installed by the loader, is configured to download the modules specified by the attacker. Finally, the modules provide the actual functionality, which varies depending on which modules the attacker chose for a particular campaign.

The malware is able to take screenshots, grant attackers remote control of the victim's machine, collect system information, steal credentials and record lists of files stored on infected PCs. Everything Danabot collects is sent to the control server in encrypted form. The aim of Danabot is to steal sensitive information that the attackers can leverage later, so instead of confronting the victim head-on and demanding a ransom, the malware tries to stay hidden and gather valuable data over time. Some of the smaller distribution campaigns featuring Danabot were well crafted in terms of social engineering and followed the same philosophy of a subtle approach.

In addition, researchers noticed that the attackers using Danabot ventured beyond banking credential theft and started using the infected machines of their victims to host other spam and malicious campaigns. What's more, Danabot's creators are thought to be collaborating with the group behind a different banking trojan, GootKit: Danabot was observed distributing GootKit, a first for both programs, since neither had previously been seen distributing, or being distributed by, other malware.

In January 2019 researchers noticed a new version of Danabot in the wild. The investigation confirmed the new samples to be an evolution of Danabot with a different C2 communication protocol that uses multiple encryption layers and proved very complex; in particular, the new variant employs the AES and RSA algorithms. On top of that, the core design of the malware was also changed: the loader was made responsible for downloading all the modules along with the main component. Researchers believe this change was meant to avoid network-level detection and may have been prompted by the attackers reading existing analysis material on Danabot.

It should be noted that Danabot features several anti-analysis techniques designed to make research as difficult as possible. For one, the malware is padded with large amounts of junk code, implemented solely to mislead researchers. The malware also uses encryption and Windows API function hashing, that is, it resolves the API functions it needs at runtime from precomputed hashes of their names rather than importing them by name, so that neither the import table nor a quick string search reveals what the code actually does. Both measures are aimed at automated sandboxes as much as at human analysts.
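API hashing only hides the import names until an analyst rebuilds the hash table. The script below is an added example, not Danabot's own code: it hashes a list of known export names with a candidate algorithm and maps the hashes pulled from a sample back to names. The ROR13 scheme used here is a common shellcode-style hash chosen for illustration; the page does not state which algorithm Danabot uses, so the algorithm, the export list and the "hashes from the sample" are all assumptions or constructed data.

```python
"""Resolve hashed Windows API names the way an analyst does when a sample
imports functions by hash instead of by name.

Added example, not Danabot's code. ROR13 is an assumed, illustrative scheme;
a real analysis first has to recover the sample's actual hash routine.
"""
from typing import Dict, Iterable, Optional


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 hash over the ASCII bytes of an export name."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + ch) & 0xFFFFFFFF
    return h


def build_hash_table(exports: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for every export name we know about."""
    return {ror13_hash(name): name for name in exports}


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each hash found in the binary back to a name, or None if unknown."""
    return {h: table.get(h) for h in hashes}


# Constructed export list: a handful of names a loader/injector typically
# needs. A real run would dump the full export tables of the DLLs the
# sample loads (kernel32, advapi32, ntdll, wininet, ...).
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualAllocEx",
    "WriteProcessMemory", "CreateRemoteThread", "CreateServiceA",
    "OpenSCManagerA", "CreateProcessA", "InternetOpenA", "InternetConnectA",
]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed "hashes pulled from the sample": two resolvable, one unknown.
    found = [ror13_hash("VirtualAllocEx"), ror13_hash("CreateRemoteThread"), 0xDEADBEEF]
    for h, name in resolve(found, table).items():
        print(f"0x{h:08x} -> {name or '<unresolved: extend the export list>'}")
```

An unresolved hash usually means the export list is incomplete or the candidate algorithm is wrong; try the other DLLs the sample loads before assuming a custom scheme.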

Malware analysis of Danabot

A video recorded in the ANY.RUN malware hunting service lets us take a look at Danabot in action.


Figure 1: A process graph generated by ANY.RUN for the convenience of the researchers


Figure 2: The text report generated by ANY.RUN is created to allow easy sharing of the study results

Danabot execution process

Typically Danabot infects a device according to the following scenario. First, the downloader establishes a connection with the C2 server and downloads an executable together with a DLL; both come in 32-bit and 64-bit builds, and the loader fetches the one matching the architecture of the infected system.

After that Danabot begins stealing information from the infected system. To make the following steps succeed and to escalate privileges, the malware bypasses User Account Control (UAC) by abusing DLL hijacking in the Windows Update Standalone Installer (wusa.exe), a signed, auto-elevating Windows binary. This lets Danabot create services and inject into system processes. After all of these steps, Danabot has full control of the system.
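The chain above (an auto-elevating Windows binary loading a DLL from a user-writable path, a service whose binary lives outside Program Files or System32, and a remote thread planted in a system process) is what a hunt query should key on, because each stage on its own also happens legitimately. The script below is an added example, not part of the page or of ANY.RUN's product: it scores constructed, Sysmon-like endpoint events per host and flags hosts where two or more stages co-occur. The event schema and field names are simplifications assumed for this example (event 7 = image loaded, 8 = CreateRemoteThread, 7045 = service installed) and will differ in a real SIEM.

```python
"""Hunt for the UAC-bypass / persistence / injection chain in endpoint telemetry.

Added example, not from the original page. Event IDs and field names are an
assumed, Sysmon-like simplification; adapt them to your own log schema.
"""
from collections import defaultdict
from typing import Dict, List

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def classify(ev: Dict) -> str:
    """Return a tag when the event matches one stage of the chain, else ''."""
    eid = ev["event_id"]
    # Stage 1: wusa.exe loading a DLL that does not live in a system directory.
    if eid == 7 and ev["image"].lower().endswith("\\wusa.exe") \
            and not is_system_dir(ev["image_loaded"]):
        return "wusa_dll_hijack"
    # Stage 2: a newly installed service whose binary sits in a user-writable path.
    if eid == 7045 and is_user_writable(ev["service_path"]):
        return "service_from_user_dir"
    # Stage 3: a binary from a user-writable path starting a thread in a system process.
    if eid == 8 and is_user_writable(ev["source_image"]) \
            and is_system_dir(ev["target_image"]):
        return "injection_into_system_process"
    return ""


def hunt(events: List[Dict]) -> Dict[str, List[str]]:
    """Collect stage hits per host; flag hosts with two or more distinct stages."""
    stages = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            stages[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in stages.items() if len(tags) >= 2}


# Constructed sample telemetry (not real logs): WS01 shows the full chain,
# WS02 shows benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 7, "image": "C:\\Windows\\System32\\wusa.exe",
     "image_loaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\version.dll"},
    {"host": "WS01", "event_id": 7045, "service_path": "C:\\ProgramData\\svchost.exe"},
    {"host": "WS01", "event_id": 8, "source_image": "C:\\ProgramData\\svchost.exe",
     "target_image": "C:\\Windows\\System32\\svchost.exe"},
    {"host": "WS02", "event_id": 7, "image": "C:\\Windows\\System32\\wusa.exe",
     "image_loaded": "C:\\Windows\\System32\\version.dll"},
    {"host": "WS02", "event_id": 7045, "service_path": "C:\\Program Files\\Vendor\\agent.exe"},
]

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: possible UAC-bypass/persistence chain -> {', '.join(tags)}")
```

Requiring two stages on the same host keeps the noise down: a lone service install from ProgramData is common for legitimate installers, and a lone remote thread is common for security tools, but the combination with an auto-elevating binary loading a DLL from Temp is not.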

How to avoid infection by Danabot?

Danabot is distributed in email spam campaigns that target organizations and use social engineering to trick victims into opening malicious documents.

Danabot is also known to be dropped onto PCs by another malware family, Hancitor. Email campaigns featuring Danabot were considered well crafted by several researchers, who noted that the social engineering involved was very effective.

Communication with C&C

In older samples of Danabot, the loader component used plain HTTP to communicate with the control server, whereas the main component used a custom binary protocol. In more recent iterations, both components communicate with the C2 server over TCP port 443, where their encrypted traffic blends in with ordinary HTTPS.

How to detect Danabot using ANY.RUN?

ANY.RUN uses Suricata IDS rule sets, so when the malware tries to communicate with its C&C servers, the attempt is detected. To see which threats were detected, click on the "Threats" section of the "Network" tab.

Figure 3: Danabot's network threats

Conclusion

Danabot is a sophisticated malicious program used as a banking trojan and more. Targeting organizations across multiple continents, Danabot poses a high threat to businesses thanks to its robust distribution methods and advanced evasion, anti-analysis and persistence techniques.

In addition, the modular nature of this malware allows attackers to fine-tune their campaigns, customizing them for every potential victim. All these traits combined have made Danabot a very popular banking trojan that continues to gain traction in the criminal community and to expand the geography of its attacks.

To establish a reliable cyber defense, security professionals can use malware hunting and analysis services such as ANY.RUN, which allow analysts to dissect malware samples and thoroughly study their behavior and architecture.

IOCs

IP addresses
193.103.171.195
150.82.21.153
151.236.14.84
142.181.133.99
95.179.168.37
219.30.45.197
193.144.40.26
73.48.92.89
117.69.242.3
74.12.197.16
85.229.148.210
16.63.149.88
50.76.26.115
121.55.223.73
193.37.212.178
103.141.88.118
179.1.170.93
145.167.22.245
162.252.172.124
109.248.250.132
Hashes
d02546434f12eb5a194049e67eb2383402388820aa97dad57c213d90756fb2a1
Domains
majul.com
thuocnam.tk
m-onetrading-jp.com
krupskaya.com
isns.net
elx01.knas.systems
qxq.ddns.net
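A practical use of the IOC list above is to sweep DNS, proxy and file-hash logs for it. The script below is an added example, not part of the page: it embeds the page's IOCs and matches them against constructed log lines. The log format (timestamp, host, record type, value) is a simplification assumed for the example. Note the domain rule: a hostname counts only if it equals an IOC domain or is a subdomain of one, never the reverse, so the dynamic-DNS parent "ddns.net" is not flagged because of "qxq.ddns.net".

```python
"""Sweep constructed DNS / connection / file-hash log lines for the IOCs on this page.

Added example, not from the original page. The log format is an assumed
simplification: "<timestamp> <host> dns|conn|file <value>".
"""
import ipaddress
import re
from typing import Dict, List, Set

IOC_IPS: Set[str] = {
    "193.103.171.195", "150.82.21.153", "151.236.14.84", "142.181.133.99",
    "95.179.168.37", "219.30.45.197", "193.144.40.26", "73.48.92.89",
    "117.69.242.3", "74.12.197.16", "85.229.148.210", "16.63.149.88",
    "50.76.26.115", "121.55.223.73", "193.37.212.178", "103.141.88.118",
    "179.1.170.93", "145.167.22.245", "162.252.172.124", "109.248.250.132",
}
IOC_DOMAINS: Set[str] = {
    "majul.com", "thuocnam.tk", "m-onetrading-jp.com", "krupskaya.com",
    "isns.net", "elx01.knas.systems", "qxq.ddns.net",
}
IOC_SHA256: Set[str] = {"d02546434f12eb5a194049e67eb2383402388820aa97dad57c213d90756fb2a1"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|conn|file) (?P<value>\S+)$")


def domain_matches(name: str) -> str:
    """Return the IOC domain that `name` equals or is a subdomain of, else ''."""
    name = name.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return ""


def match_line(line: str) -> Dict[str, str]:
    """Parse one log line and return a hit record, or {} if no IOC matched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    kind, value = m["kind"], m["value"]
    if kind == "dns":
        ioc = domain_matches(value)
        return {"host": m["host"], "type": "domain", "ioc": ioc} if ioc else {}
    if kind == "conn":
        ip = value.rsplit(":", 1)[0]  # strip a trailing ":port" (IPv4 only here)
        try:
            ip = str(ipaddress.ip_address(ip))  # normalise, reject garbage
        except ValueError:
            return {}
        return {"host": m["host"], "type": "ip", "ioc": ip} if ip in IOC_IPS else {}
    if kind == "file":
        h = value.lower()  # hashes are case-insensitive hex
        return {"host": m["host"], "type": "sha256", "ioc": h} if h in IOC_SHA256 else {}
    return {}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    return [hit for hit in (match_line(line) for line in lines) if hit]


# Constructed log lines (not real traffic): two true hits per host class,
# one dynamic-DNS parent that must not fire, and one malformed line.
SAMPLE_LOG = [
    "2019-11-21T10:00:01Z WS01 dns update.microsoft.com",
    "2019-11-21T10:00:02Z WS01 dns qxq.ddns.net",
    "2019-11-21T10:00:03Z WS01 conn 193.37.212.178:443",
    "2019-11-21T10:00:04Z WS02 dns ddns.net",
    "2019-11-21T10:00:05Z WS02 dns cdn.majul.com",
    "2019-11-21T10:00:06Z WS02 file D02546434F12EB5A194049E67EB2383402388820AA97DAD57C213D90756FB2A1",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['host']}: {hit['type']} IOC hit {hit['ioc']}")
```

IP indicators age quickly and several of the listed addresses sit in residential or dynamic ranges, so treat an IP-only hit as a lead to confirm against the port-443 traffic pattern described above rather than as proof of infection.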
