The fourth version of DanaBot, a banking trojan first discovered in 2018, has resurfaced after a seven-month hiatus. The trojan is written in Delphi and includes several anti-analysis features.
DanaBot first targeted Australian users via malicious URLs. A second version later targeted U.S. companies in a large-scale campaign. The third version, discovered in 2019, added remote command-and-control (C2) capabilities; it spread via malspam targeting Poland and was also pushed as an update to existing infections.
Researchers have identified two affiliate IDs using the current version. However, no new capabilities have yet been reported for this strain.
Prominent Attributes
- DanaBot focuses on gaining persistence and stealing data that can be monetized later, rather than demanding an immediate ransom from victims.
- In email-based campaigns, its operators' social engineering favors quality over quantity.
- Because the trojan is modular, it can download additional components, which increases its flexibility and remote-monitoring functionality. It can also switch to Tor-based command and control (C&C).
More on DanaBot
DanaBot is believed to operate as malware-as-a-service. The latest version is being delivered through websites advertising pirated software. Users in the U.S., the U.K., Australia, Germany, Canada, Ukraine, Poland, Mexico, and Italy have been targeted since October 2020.
The previous versions of DanaBot were actively used in criminal activity for almost two years. Although activity has not yet returned to its former level, researchers suspect the threat actors are attempting to regain a foothold, and they expect the malware to be distributed at scale via phishing campaigns.
To read more, see the eScan Blog.