New Version Danabot

Introduction

Proofpoint researchers have identified an updated version of DanaBot. DanaBot is a banking Trojan / stealer malware first discovered by Proofpoint in May 2018. At least three significant versions of this malware have been identified in the past, and this is the fourth update.

From May 2018 to June 2020, DanaBot was a fixture in the cyber threat landscape. Proofpoint researchers observed multiple threat actors with at least 12 affiliate identifications (IDs) in version 2 and 38 IDs in version 3. These IDs represent the cyber criminals served by the DanaBot operators. Distribution typically targeted financial institutions located predominantly in the United States, Canada, Germany, the United Kingdom, Australia, Italy, Poland, Mexico and Ukraine. After June 2020, there was a sharp decline in DanaBot activity in Proofpoint’s data and in public threat intelligence repositories (e.g. MalwareBazaar and the #DanaBot hashtag). It disappeared from the threat landscape without a clear reason.

As of late October 2020, Proofpoint detected a significant update of DanaBot in specimens that appeared on VirusTotal. At the time of publication, Proofpoint researchers have identified two affiliate IDs using this latest version with at least one distribution method. While it hasn’t returned to its previous scale, DanaBot is a threat that should be monitored.

For nearly two years, DanaBot was one of the leading banking Trojans used in the crimeware landscape. Several criminal groups distributed it and used it to target financial institutions. In mid-2020, DanaBot’s activity declined and some affiliates continued their campaigns using other banking malware (e.g. Ursnif and Zloader). It is unclear whether COVID-19, competition from other malware families, development time or something else caused the drop, but it appears that DanaBot is back and is trying to regain its place in the cyber threat landscape. Proofpoint believes that the number of DanaBot affiliates will grow and that this malware will once again be distributed via campaigns in the coming months.

Sherrod DeGrippo, Proofpoint Senior Director of Threat Research and Detection, points out, “The return of Danabot is an interesting development and I strongly encourage security practitioners to monitor it. We expect DanaBot affiliates to increase and consequently also the campaigns that will distribute it again in the coming months. The reference to cryptocurrencies could signal that the perpetrators of the threat are preparing for future campaigns aimed at stealing wallets or logins for the most popular cryptocurrency sites, with an approach very similar to when they target traditional banking credentials. It is important that users avoid downloading free software of dubious origin, as those files could hide a host of malware, including DanaBot banking Trojans,

IOCs
