Danabot Trojan Evades IDS/IPS Detection

What Is It?

As previously discussed in a threat report in October 2018, the Danabot trojan has been under active development since it was first observed in May 2018.

This development has continued as researchers at ESET noted a new version in December 2018 that added email address harvesting and spam sending functions.

The most recent version, discussed in a new ESET blog post, shows that the authors have implemented an entirely new communication protocol for traffic between the malware and its C2 (command and control) host. Previously the C2 traffic was unencrypted. In the new version, several layers of encryption have been implemented. Encrypting the traffic means that existing network signatures, such as those used by traditional intrusion detection systems (IDS) and intrusion protection systems (IPS), won’t work. This is further complicated as creating new signatures will be significantly more difficult and increasingly prone to false positives.

Encrypting the C2 traffic also means that any packet captures created by automated malware analysis sandboxes will be unable to be read by security analysts attempting to determine the capabilities of this malware. Therefore, manual reverse engineering, which utilizes significantly more skilled and experienced analysts, will now be required. The authors have also streamlined the architecture, which now consists of only two parts: the loader which then downloads, configures and executes the main payload, plugins for various functions and the configuration files.

The Danabot malware uses numeric campaign IDs to ensure that the relevant configuration files and instructions of which fields to inject into specific website pages are used. Current campaign IDs observed by ESET researchers include those targeting users in both Italy and Poland, Australia and one specific to Poland.

The C2 traffic encryption in this new Danabot version is an effort by the authors to evade detection by another legacy, signature-based technology, the IDS/IPS. While the BluVector solution includes IDS/IPS functionality, it also contains multiple detection engines, including BluVector’s patented Machine Learning Engine (MLE).

How Does It Propagate?

The malware does not contain the necessary code to self-propagate over a network as a worm would. However, it can potentially spread via malicious spam sent from infected systems. Currently this updated Danabot version is being distributed by malicious spam and by the malware’s own update functionality.

When/How Did BluVector Detect It?

The ESET report contains four publicly available samples and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 49 months prior to their release.

All Threat Reports