Proofpoint researchers discovered an updated version of DanaBot in the wild. DanaBot is a banking/stealer malware first discovered by Proofpoint in May 2018. There have been at least three significant versions of the malware:
- Version 1: DanaBot - A new banking Trojan surfaces Down Under
- Version 2: DanaBot Gains Popularity and Targets US Organizations in Large Campaigns
- Version 3: ESET’s DanaBot updated with new C&C communication
This will be the fourth major update.
From May 2018 to June 2020, DanaBot was a fixture in the crimeware threat landscape. Proofpoint researchers observed multiple threat actors with at least 12 affiliate IDs in version 2 and 38 IDs in version 3. These affiliate identifications (IDs) represent the threat actors the DanaBot operators serve. Distribution has typically targeted financial institutions predominantly located in the United States, Canada, Germany, United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine. After June 2020, there was a sharp decline in DanaBot activity in Proofpoint’s data and in public threat intel repositories (e.g. MalwareBazaar and #DanaBot). It disappeared from the threat landscape without a clear cause.
Starting in late October 2020, we observed a significant update to DanaBot samples appearing in VirusTotal. At the time of publication, Proofpoint researchers spotted two affiliate IDs using this latest version with at least one distribution method. While it has not returned to its former scale, DanaBot is malware that defenders should put back on their radar.
Malware Analysis
The sample with a SHA-256 hash of c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d was used for this analysis.
Like previous versions of DanaBot, version 4 is a large, multithreaded, modular malware written in the Delphi programming language. A loader component (EXE) decrypts, decompresses, and executes a secondary component (DLL) seen in Figure 1:
Figure 1: Malware execution
The secondary component removes the loader and reruns itself using a specially crafted export name highlighted above in red in Figure 1. The export name is base64 decoded and the first three bytes are subtracted from each other (i.e., running_mode = byte_0 – byte_1 – byte_2). This value determines the running mode of the secondary component, with four options available:
| Running Mode | Description |
|---|---|
| 0 | Main component |
| 1 | TOR component |
| 2 | Used for process injection of downloaded files |
| 3 | Module component |
This analysis will mostly focus on mode 0, the main component.
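As an added illustration (this is example code written for this page, not tooling from the Proofpoint write-up), the helper below applies the export-name decoding described above to a list of candidate export names pulled from a DLL: it base64-decodes each name, computes byte_0 – byte_1 – byte_2, and maps the result onto the running-mode table. The export names are constructed for the demonstration (the post publishes none), and the `& 0xFF` unsigned-byte wraparound is an assumption about how the Delphi code treats a negative result.

```python
import base64
import binascii

# Running-mode table from the analysis above.
RUNNING_MODES = {
    0: "Main component",
    1: "TOR component",
    2: "Used for process injection of downloaded files",
    3: "Module component",
}


def running_mode_from_export(export_name: str):
    """Return the running mode encoded in a DanaBot-style export name, or None
    if the name is not valid base64 or decodes to fewer than three bytes."""
    try:
        raw = base64.b64decode(export_name, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 3:
        return None
    # running_mode = byte_0 - byte_1 - byte_2; the mask is an assumption that
    # the malware keeps the result as an unsigned byte.
    return (raw[0] - raw[1] - raw[2]) & 0xFF


def classify_exports(export_names):
    """Map each export name to (mode, description); unknown modes are flagged
    so an analyst can spot names that do not fit the four documented modes."""
    result = {}
    for name in export_names:
        mode = running_mode_from_export(name)
        if mode is None:
            result[name] = (None, "not a base64-encoded running-mode name")
        else:
            result[name] = (mode, RUNNING_MODES.get(mode, "unknown mode"))
    return result


if __name__ == "__main__":
    # Constructed export names: the first three decoded bytes are chosen so
    # that byte_0 - byte_1 - byte_2 yields modes 0..3, one invalid name and
    # one name whose subtraction wraps below zero.
    sample_names = ["AwEC", "BAEC", "BQECYWJj", "BgEC", "DllMain", "AQID"]
    for name, (mode, desc) in classify_exports(sample_names).items():
        print(f"{name:12s} mode={mode!s:5s} {desc}")
```

Feeding the DLL's real export table into `classify_exports` lets an analyst tell which component a given secondary-stage sample will run as without executing it; any name that decodes to a mode outside 0 to 3 is worth a closer look rather than being assumed benign.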
Anti-Analysis
Besides being written in Delphi, the malware has a few other anti-analysis features:
- Some strings are constructed one character at a time (Figure 2)
- Some Windows API functions are resolved at run-time
- When a malware-related file is read or written to the filesystem, it is done in the middle of benign decoy file reads or writes
- Persistence is maintained by creating an LNK file that executes the main component in the user’s Startup directory. This file is only written once a WM_QUERYENDSESSION Windows event is received when the user logs off
Figure 2: String obfuscation example, where strings are constructed one character at a time
Configuration
DanaBot’s configuration is hardcoded into a 356-byte structure (Figure 3):