DanaBot Banking Trojan

The DanaBot Banking Trojan was first observed in May 2018, DanaBot is a Delphi-based modular banking trojan. It was initially seen targeting Australian organisations, but has now begun appearing through Western Europe.

DanaBot includes a significant amount of junk code including extra instructions, conditional statements, and loops. When combined with the use of Delphi, these features dramatically impair reverse engineering. In addition, DanaBot uses Windows API function hashing and encrypted strings to prevent analysts and automated tools from easily determining the code’s purpose.

DanaBot is distributed using malicious RAR and ZIP files delivered via spam campaigns. The files contain a combination of VBS and PowerShell scripts, collectively referred to as Brushaloader, that acts as a dropper for the final payload.

Once installed on an affected device, DanaBot will install four modules:

• VNC – used to allow the attacker to connect to and control the device.
• Sniffer – performs script injection on banking sites visited by the user.
• Stealer – collects user credentials from browsers, chat and email clients, FTP and VPN applications and online poker applications.
• TOR – installs a Tor proxy for communication with a command and control server.

Newer versions will also include an RDP module to provide a second means of control if the VNC module is unable to connect.

Danabot follows in a long line of malware from one particular group. This family began with ransomware, to which stealer functionality was added in Reveton. The evolution continued with CryptXXX ransomware and now with a banking Trojan with Stealer and remote access functionality added in Danabot.

Further technical details can be found here

Indicators Of Compromise (URL’s And IP’s)

45[.]77[.]51[.]69
45[.]77[.]54[.]180
45[.]77[.]231[.]138
45[.]77[.]96[.]198
178[.]209[.]51[.]227
37[.]235[.]53[.]232
149[.]154[.]157[.]220
95[.]179[.]151[.]252
95[.]216[.]148[.]25
95[.]216[.]171[.]131
159[.]69[.]113[.]47
159[.]69[.]83[.]214
159[.]69[.]115[.]225
176[.]119[.]1[.]102
176[.]119[.]1[.]103
176[.]119[.]1[.]104
176[.]119[.]1[.]109
176[.]119[.]1[.]110
176[.]119[.]1[.]111
176[.]119[.]1[.]112
176[.]119[.]1[.]114
176[.]119[.]1[.]116
176[.]119[.]1[.]117
104[.]238[.]174[.]105
144[.]202[.]61[.]204
149[.]154[.]152[.]64
158[.]255[.]215[.]31

genesislouisville[.]com
genesisofdallas[.]com
genesisoflouisville[.]com
genesisofportland[.]com
kccmanufacturing[.]com
louisvillegenesis[.]com
louisvilleride[.]com
motionscent[.]com
oxmoorautomall[.]com
ridesharelouisville[.]com
tontheckcatan[.]ru/4/forum[.]php
onthethatsed[.]ru/4/forum[.]php
kitezona[.]ru/wp-content/plugins/redirection/modules/1
xn--hllo-bpa[.]com/guestlist/1
music-open[.]com/1
allnicolerichie[.]com/wp-content/plugins/ubh/1
mpressmedia[.]net/wp-content/plugins/ubh/1
bwc[.]ianbell[.]com/wp-content/plugins/ubh/1
kitezona[.]ru/wp-content/plugins/redirection/modules/2
xn--hllo-bpa[.]com/guestlist/2
music-open[.]com/2
allnicolerichie[.]com/wp-content/plugins/ubh/2
mpressmedia[.]net/wp-content/plugins/ubh/2
bwc[.]ianbell[.]com/wp-content/plugins/ubh/2
kitezona[.]ru/wp-content/plugins/redirection/modules/4
xn--hllo-bpa[.]com/guestlist/4
music-open[.]com/4
allnicolerichie[.]com/wp-content/plugins/ubh/4
mpressmedia[.]net/wp-content/plugins/ubh/4
bwc[.]ianbell[.]com/wp-content/plugins/ubh/4
tontheckcatan[.]ru/mlu/forum[.]php
onthethatsed[.]ru/mlu/forum[.]php
tontheckcatan[.]ru/d2/about[.]php
onthethatsed[.]ru/d2/about[.]php

SHA1

SHA256

Duncan

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.