DanaBot

After being discovered in May 2018 as part of Australia-targeted spam campaigns... appearing in malspam campaigns in Poland, Italy, Germany, Austria and Ukraine, as well as in the United States... At the time of writing, the new version is being distributed under two scenarios: As “updates” delivered to existing DanaBot victims Via malspam in Poland

To compromise their victims, the attackers behind the Poland-targeted campaign use emails posing as invoices from various companies.

These sites impersonate AI tools or platforms. Recently registered and mimicking the branding of the targeted companies, these websites are empty shells whose sole purpose is to deliver payloads via ErrTraffic.

Operate on infected devices (e.g., search for files, download files, execute commands, take a screenshot, and open a VNC session) (Figure 6)

PowerShell command lines for downloading the malicious payload.

The campaign makes use of a combination of PowerShell and VBS scripts widely known as Brushaloader.

The latest version shifts both these responsibilities to a new loader component, which is used to download all plugins along with the main module. Persistence is achieved by registering the loader component as a service.

Persistence is maintained by creating an LNK file that executes the main component in the user’s Startup directory.

The latest version shifts both these responsibilities to a new loader component, which is used to download all plugins along with the main module. Persistence is achieved by registering the loader component as a service.

Persistence is maintained by creating an LNK file that executes the main component in the user’s Startup directory.

DanaBot includes a significant amount of junk code... DanaBot uses Windows API function hashing and encrypted strings to prevent analysts and automated tools from easily determining the code’s purpose.

The malicious domain chatgpt-web[.]vip mimics the official ChatGPT landing page

The software and websites targeted in these new campaigns are listed at the end of this article.

Configure various aspects of the malware (e.g., video recording of the screen, keylogging, and webinjects) (Figure 4)

Sniffer plug-in – injects malicious scripts into a victim’s browser, usually while visiting internet banking sites

Files typically seen sent Filename Comments Cookies.txt Stored web browser cookies

Stealer plug-in – harvests passwords from a wide variety of applications (browsers, FTP clients, VPN clients, chat and email programs, poker programs etc.)

0x130 - Upload collected information to C&C server (e.g., screenshot of a victim’s computer; system information) ... 0x132 - Ask C&C server for further commands; there are around 30 available commands typical of backdoors, including launching plugins, gathering detailed system information

0x131 - Upload collected information to C&C server (e.g., list of files on the victim’s hard disk)

The software and websites targeted in these new campaigns are listed at the end of this article.

Finally, in the beginning of September 2018, an RDP plug-in was added to DanaBot. It is based on the open-source project RDPWrap that provides Remote Desktop Protocol connections to Windows machines that normally do not support it.

VNC plug-in – establishes a connection to a victim’s computer and remotely controls it

Targeted cryptocurrency wallets *\wallet.dat* *\default_wallet*

Configure various aspects of the malware (e.g., video recording of the screen, keylogging, and webinjects) (Figure 4)

Sniffer plug-in – injects malicious scripts into a victim’s browser, usually while visiting internet banking sites

0x130 - Upload collected information to C&C server (e.g., screenshot of a victim’s computer; system information)

Configure various aspects of the malware (e.g., video recording of the screen, keylogging, and webinjects) (Figure 4)

Table 2: Configuration files typically seen... PosWtFilter ... List of websites for which to steal requests ... InjectZZ, InjectSW Webinjects ... Zeus-style injects

Data can be ZLIB-compressed and AES-256-CBC-encrypted... The decrypted data is optionally ZLIB compressed...

The fast-evolving, modular Trojan DanaBot has undergone further changes, with the latest version featuring an entirely new communication protocol... The protocol, introduced to DanaBot at the end of January 2019, adds several layers of encryption to DanaBot’s C&C communication.

Table 1: List of modules typically seen... FF1 Sniffer Proxy ... FF5 TOR TOR proxy

TOR plug-in – installs a TOR proxy and enables access to .onion web sites

According to our analysis, the loader component uses the following commands: 0x12D - Download 32/64-bit launcher component 0x12E - Request list of plugins and configuration files 0x12F - Download plugin/configuration files

VNC plug-in – establishes a connection to a victim’s computer and remotely controls it

In August 2018, the attackers started using the TOR plug-in for updating the C&C server list from y7zmcwurl6nphcve.onion.

Following the latest changes, DanaBot uses the AES and RSA encryption algorithms in its C&C communication. The new communication protocol is complicated, with several encryption layers being used... without access to the corresponding RSA keys, it is impossible to decode sent or received packets.

0x130 - Upload collected information to C&C server (e.g., screenshot of a victim’s computer; system information) 0x131 - Upload collected information to C&C server (e.g., list of files on the victim’s hard disk)