DanaBot evolves beyond banking Trojan with new spam‑sending capability
ESET research shows that DanaBot operators have been expanding the malware’s scope and possibly cooperating with another criminal group
DanaBot appears to have outgrown the banking Trojan category. According to our research, its operators have recently been experimenting with cunning email-address-harvesting and spam-sending features, capable of misusing webmail accounts of existing victims for further malware distribution.
Besides the new features, we found indicators that DanaBot operators have been cooperating with the criminals behind GootKit, another advanced Trojan – behavior atypical of the otherwise independently operating groups.
The previously unreported features caught our attention when analyzing the webinjects used to target users of several Italian webmail services as part of DanaBot’s expansion in Europe in September 2018.
The malicious emails are sent as replies to actual emails found in the compromised mailboxes, making it seem as if the mailbox owners themselves are sending them. Further, malicious emails sent from accounts configured to send signed messages will have valid digital signatures.
Interestingly, it seems that attackers are particularly interested in email addresses containing the substring “pec”, which is found in Italy-specific “certified electronic mail” addresses. This may indicate that DanaBot authors are focused on targeting corporate and public administration emails that are the most likely to use this certification service.
The emails include ZIP attachments, pre-downloaded from the attacker’s server, containing a decoy PDF file and a malicious VBS file. Executing the VBS file leads to downloading further malware using a PowerShell command.
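As an added example that is not part of the ESET post, the following Python triage check flags a message showing the pattern described above: a reply to an existing thread, a recipient address containing "pec", and a ZIP attachment holding a decoy PDF next to a VBS (or similar script) file. The sample email is constructed inline, and the file names and scoring weights are assumptions for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")  # assumed script set; the post names VBS
SIGNALS = ("reply_thread", "pec_recipient", "zip_script_with_decoy")


def build_sample_eml() -> bytes:
    """Constructed message mimicking the reported spam pattern (not a real campaign sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("documento.pdf", b"%PDF-1.4 decoy placeholder")
        zf.writestr("documento.vbs", b"' constructed placeholder, not a real script\r\n")
    msg = EmailMessage()
    msg["From"] = "victim@example.com"
    msg["To"] = "ufficio@pec.example.it"
    msg["Subject"] = "Re: documento"
    msg["In-Reply-To"] = "<original-thread-id@example.it>"  # reply to a real thread
    msg.set_content("In allegato il documento richiesto.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="documento.zip")
    return msg.as_bytes()


def score_message(raw: bytes) -> dict:
    """Return which of the three signals fire and a simple count as the score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {k: False for k in SIGNALS}
    subject = (msg.get("Subject") or "").strip().lower()
    hits["reply_thread"] = bool(msg.get("In-Reply-To")) or subject.startswith("re:")
    hits["pec_recipient"] = "pec" in (msg.get("To") or "").lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "application/zip" and not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            continue  # malformed archive: leave for a separate check
        has_script = any(n.endswith(SCRIPT_EXTS) for n in names)
        has_pdf = any(n.endswith(".pdf") for n in names)
        if has_script and has_pdf:
            hits["zip_script_with_decoy"] = True
    hits["score"] = sum(1 for k in SIGNALS if hits[k])
    return hits
```

A score of 3 means all three traits co-occur; in practice this would be one signal feeding a mail-gateway or SIEM rule, not a verdict on its own.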
At the time of writing, the malicious features described above are still limited to targeting Italy; the targeted services are listed at the end of this blog post.
Having analyzed the malicious VBS file available on DanaBot’s C&C server, we found that it points to a downloader module for GootKit, an advanced and stealthy Trojan primarily used in banking fraud attacks. The malicious VBS file seems to be generated automatically, and is different on each access.
This is the first time we have seen indicators of DanaBot distributing other malware. Until now, DanaBot has been believed to be operated by a single, closed group. The behavior is also new for GootKit, which has been described as a privately held tool, not sold on underground forums, and also operated by a closed group. Interestingly, we’ve recently seen another instance of GootKit being distributed by other malware – namely by the notorious Emotet Trojan in its latest campaigns around Black Friday and Cyber Monday.
Apart from the presence of GootKit on servers used by DanaBot, we have found further links suggesting a cooperation between the operators of DanaBot and GootKit.
First, ESET’s telemetry was able to link GootKit activity to a C&C server subnet and top-level domain (TLD) also used by DanaBot. DanaBot uses many IP addresses in the 126.96.36.199/24 subnet for C&C and redirects (see IoCs). While DanaBot domain names change every few days, .co is their most common TLD (for example egnacios[.]co, kimshome[.]co, etc.). The GootKit samples downloaded by the malicious payload on DanaBot’s C&C had funetax[.]co and reltinks[.]co as their C&Cs. Both resolved to 188.8.131.52 for some time.
Second, both DanaBot and GootKit domains usually share the same domain registrar for their .co domains, namely Todaynic.com, Inc, and mostly share the same name server, dnspod.com.
Finally, in the week starting Oct 29, 2018, ESET’s telemetry showed a significant decrease in the distribution of DanaBot in Poland; in the same week, there was a spike of activity of GootKit in Poland. During the spike, GootKit was spread using the same distribution method as DanaBot in its recent Polish campaigns.
While analyzing DanaBot, we also noticed that part of DanaBot’s configuration has a structure we have previously seen in other malware families, for example Tinba or Zeus. This allows its developers to use similar webinject scripts or even reuse third-party scripts.
Interestingly, some scripts are almost exactly the same as the scripts we have seen used by the BackSwap Trojan, including naming conventions and the location of the script on a server.
Our research shows that DanaBot has a much broader scope than a typical banking Trojan, with its operators regularly adding new features, testing new distribution vectors, and possibly cooperating with other cybercriminal gangs.
ESET systems detect and block both DanaBot and GootKit.
Hashes and ESET detection names of DanaBot components and plug-ins can be found in our previous blog post on DanaBot. Domains, IP addresses and hashes connected with the Italy-targeted campaign described in this blog post can be found in the IoCs section.
This research was carried out by Kaspars Osis, Tomáš Procházka and Michal Kolář.