What Is It?
The Danabot banking trojan was first seen by researchers in May 2018, targeting customers of Australian financial institutions. Since that time, other campaigns have been aimed at European banking customers in Poland, Italy, Germany, Austria and Ukraine. A recent report by the researchers at Proofpoint describes a campaign directed at customers of U.S. banks.
Over the course of these campaigns, the Danabot malware, written in Delphi, has been actively developed by its authors. The attack chain for the U.S. attacks is very similar to that seen in other geographies. The attack begins with spam emails that purport to contain a link to a new eFax message. The link actually downloads a document containing a malicious macro; if the user allows the macro to run, it downloads and executes a variant of the Hancitor malware, which in turn downloads Danabot.
Danabot malware consists of three parts: the loader (which downloads and runs the main payload), the main payload (which is responsible for downloading and configuring the modules) and the modules (which contain the various malicious functions). The malware uses several anti-analysis techniques, including junk code and encrypted strings, to slow down reverse engineering and make detection by automated tools less reliable. It communicates with its command and control (C2) sites over TCP port 443. Observed C2 traffic indicates this variant is version 2.003 of Danabot.
The modules seen by the researchers consist of a proxy, the main credential stealer (in both 32-bit and 64-bit versions), Remote Desktop Protocol and VNC modules for accessing the infected systems' desktops, and a Tor proxy, which allows access to dark web sites. Various configuration files are also downloaded, including files that define which system processes should be monitored for credential stealing and web page injection, as well as which cryptocurrency wallets to steal.
How Does It Propagate?
The malware does not contain the necessary code to self-propagate. The attack vector in this campaign is a spam email containing a link to a document that carries a malicious macro. If executed, the macro downloads the Hancitor malware, which in turn downloads the Danabot malware.
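The delivery chain above (Office document with a macro, then Hancitor, then Danabot beaconing to C2 over TCP port 443) gives a defender a hunting pattern that does not depend on file hashes: a process descended from an Office application making an outbound TCP 443 connection. The script below is an added example, not BluVector's or Proofpoint's code. Its telemetry format, field names, process IDs and sample events are constructed for illustration and are not taken from the report; the heuristic is only as good as the process-lineage data your EDR provides.

```python
"""Hunt for the Office -> loader -> TCP/443 chain over endpoint telemetry.

Added example, not code from the report. Event format and sample events
are constructed; pids, paths and addresses are arbitrary placeholders.
"""

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
C2_PORT = 443  # the report states Danabot C2 traffic uses TCP port 443

# Constructed sample telemetry: process-start and network-connect events.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "outlook.exe"},
    {"type": "process", "pid": 101, "ppid": 100, "image": "winword.exe"},
    # the macro drops and runs a loader from the user's temp directory
    {"type": "process", "pid": 102, "ppid": 101,
     "image": "c:\\users\\alice\\appdata\\local\\temp\\abc.exe"},
    # the loader fetches and runs the next stage
    {"type": "process", "pid": 103, "ppid": 102,
     "image": "c:\\users\\alice\\appdata\\local\\temp\\xyz.exe"},
    {"type": "network", "pid": 103, "dst": "203.0.113.7",
     "dport": 443, "proto": "tcp"},
    # benign: a browser talking to 443 with no Office ancestor
    {"type": "process", "pid": 200, "ppid": 1, "image": "chrome.exe"},
    {"type": "network", "pid": 200, "dst": "198.51.100.1",
     "dport": 443, "proto": "tcp"},
]


def build_tree(events):
    """Return {pid: (ppid, image_basename)} from the process events."""
    tree = {}
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            tree[ev["pid"]] = (ev["ppid"], image)
    return tree


def ancestry(tree, pid):
    """Yield (pid, image) from pid up to the root; stop on unknown or cycle."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image = tree[pid]
        yield pid, image
        pid = ppid


def find_chains(events):
    """Flag TCP/443 connections made by a process descended from an Office app.

    Returns one dict per hit with the connecting pid, destination, the
    process lineage (child first) and the Office ancestor that was matched.
    """
    tree = build_tree(events)
    hits = []
    for ev in events:
        if ev["type"] != "network":
            continue
        if ev["proto"] != "tcp" or ev["dport"] != C2_PORT:
            continue
        lineage = list(ancestry(tree, ev["pid"]))
        # look for an Office process among the ancestors, not the process itself
        office = [img for _, img in lineage[1:] if img in OFFICE_PROCESSES]
        if not office:
            continue
        hits.append({
            "pid": ev["pid"],
            "dst": f'{ev["dst"]}:{ev["dport"]}',
            "lineage": [img for _, img in lineage],
            "office_ancestor": office[0],
        })
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed events, the only hit is pid 103 (xyz.exe), whose lineage runs back through abc.exe to winword.exe; the browser connection on the same port is ignored because it has no Office ancestor. In production, expect benign matches from Office add-ins and updaters that spawn children, so combine the lineage check with the image path (user-writable directories) or code-signing status before alerting.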
When/How Did BluVector Detect It?
The report lists five samples covering the entire attack chain: a document containing a malicious macro, a Hancitor sample and several Danabot samples. BluVector's patented Machine Learning Engine (MLE) detected all five. Regression testing has shown these samples would have been detected an average of 47 months prior to their release.