
Name: Danabot
Type of Malware: Banking Trojan
Location – Country of Origin: Russia. First seen in Australia
Date of initial activity: 2018
Motivation: Stolen banking information, passwords, identity theft, victim’s computer added to a botnet
Attack Vectors: Infected email attachments, malicious online advertisements, social engineering, software cracks
Targeted System: Windows
Overview
Danabot is a modular banking Trojan written in Delphi that targets the Windows platform. First observed in 2018, the malware is distributed via malicious spam emails. From May 2018 to June 2020, DanaBot was a fixture in the crimeware threat landscape: Proofpoint researchers observed multiple threat actors, with at least 12 affiliate IDs in version 2 and 38 affiliate IDs in version 3. These affiliate identifications (IDs) identify the threat actors that the DanaBot operators serve. After June 2020, DanaBot activity declined sharply, both in Proofpoint’s data and in public threat intel repositories (e.g. MalwareBazaar and the #DanaBot hashtag), and it disappeared from the threat landscape without a clear cause.
Targets
Financial institutions predominantly located in the United States, Canada, Germany, United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine.
Tools / Techniques Used
Once a device is infected, the malware downloads updated configuration data and additional modules from the C&C server. Available modules include a “sniffer” that intercepts credentials in transit, a “stealer” that harvests saved passwords from popular applications, a “VNC” module for remote control of the victim’s machine, and more.
Impact / Significant Attacks
Large Software Supply Chain Attack (October 22, 2021).
Second Large Software Supply Chain Attack (November 4, 2021).
DDoS Attack on Russian Language Electronics Forum (October 2021).
Indicators of Compromise (IoCs)
The post Danabot (Banking Trojan) – Malware first appeared on CyberMaterial.