
New Year, New Version of DanaBot

Proofpoint researchers discovered an updated version of DanaBot in the wild. DanaBot is a banking/stealer malware first discovered by Proofpoint in May 2018. There have been at least three significant versions of the malware; the update described here is the fourth major version.

From May 2018 to June 2020, DanaBot was a fixture in the crimeware threat landscape. Proofpoint researchers observed multiple threat actors with at least 12 affiliate IDs in version 2 and 38 IDs in version 3. These affiliate identifications (IDs) represent the threat actors the DanaBot operators serve. Distribution has typically targeted financial institutions predominantly located in the United States, Canada, Germany, United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine. After June 2020, there was a sharp decline in DanaBot activity in Proofpoint’s data and in public threat intel repositories (e.g. MalwareBazaar and #DanaBot). It disappeared from the threat landscape without a clear cause. 

Starting in late October 2020, we observed significantly updated DanaBot samples appearing in VirusTotal. At the time of publication, Proofpoint researchers had spotted two affiliate IDs using this latest version with at least one distribution method. While it has not returned to its former scale, DanaBot is malware that defenders should put back on their radar.

Malware Analysis 

The sample with a SHA-256 hash of c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d was used for this analysis. 

Like previous versions of DanaBot, version 4 is a large, multithreaded, modular malware written in the Delphi programming language. A loader component (EXE) decrypts, decompresses, and executes a secondary component (DLL), as seen in Figure 1:

 

Figure 1: Malware execution 

The secondary component removes the loader and re-executes itself using a specially crafted export name, highlighted in red in Figure 1. The export name is base64 decoded and the first three decoded bytes are combined by subtraction (i.e., running_mode = byte_0 – byte_1 – byte_2). The resulting value determines the running mode of the secondary component, with four options available:

Running Mode    Description

0               Main component

1               TOR component

2               Used for process injection of downloaded files

3               Module component

This analysis will mostly focus on mode 0, the main component. 
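The mode-selection scheme described above, as an added worked example (this is editorial code, not Proofpoint's or the malware's). It decodes an export name, applies the byte_0 – byte_1 – byte_2 rule and maps the result onto the four documented modes, and it also builds an export name that selects a chosen mode, which is handy when re-launching the secondary DLL under a debugger. Everything beyond the three selector bytes is an assumption: the page does not say whether base64 padding is kept in the export name, what (if anything) follows the selector bytes, or how out-of-range results are treated, so this code treats anything other than 0 to 3 as "not a mode selector". The sample export names are constructed, not taken from the analyzed binary.

```python
import base64
import os

# Running modes as listed in the table above (mode number -> description).
RUNNING_MODES = {
    0: "Main component",
    1: "TOR component",
    2: "Used for process injection of downloaded files",
    3: "Module component",
}


def running_mode(export_name: str):
    """Return the running mode selected by a crafted export name, or None.

    Rule from the analysis: base64-decode the name, then
    running_mode = byte_0 - byte_1 - byte_2.
    """
    # Assumption: '=' padding may have been stripped; restore it before decoding.
    padded = export_name + "=" * (-len(export_name) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True)
    except ValueError:           # binascii.Error is a ValueError subclass
        return None
    if len(decoded) < 3:
        return None
    raw = decoded[0] - decoded[1] - decoded[2]
    # Assumption: only the four documented values are meaningful selectors.
    return raw if raw in RUNNING_MODES else None


def describe(export_name: str) -> str:
    """Human-readable classification of one export name."""
    mode = running_mode(export_name)
    if mode is None:
        return f"{export_name}: not a recognised mode selector"
    return f"{export_name}: mode {mode} ({RUNNING_MODES[mode]})"


def export_name_for_mode(mode: int, tail: bytes = b"", rng=os.urandom) -> str:
    """Build an export name that decodes to the requested mode.

    byte_1 and byte_2 are random and byte_0 is chosen so that
    byte_0 - byte_1 - byte_2 == mode. `tail` is appended unchanged; it is a
    hypothetical placeholder, since the page does not describe any data
    following the three selector bytes.
    """
    if mode not in RUNNING_MODES:
        raise ValueError(f"unknown running mode {mode}")
    # Keep b1, b2 below 0x7E so that b0 = mode + b1 + b2 always fits in a byte.
    b1, b2 = (x % 0x7E for x in rng(2))
    b0 = mode + b1 + b2
    return base64.b64encode(bytes([b0, b1, b2]) + tail).decode("ascii")


# Constructed sample export names (not from the analysed sample):
#   "QSAheHk=" decodes to 41 20 21 78 79 -> 0x41-0x20-0x21 = 0 (main component)
#   "EAUJ"     decodes to 10 05 09       -> 0x10-0x05-0x09 = 2 (process injection)
#   "AAEA"     decodes to 00 01 00       -> 0-1-0 = -1, not a documented mode
SAMPLE_EXPORT_NAMES = ["QSAheHk=", "EAUJ", "AAEA", "not*base64"]

if __name__ == "__main__":
    for name in SAMPLE_EXPORT_NAMES:
        print(describe(name))
    for m in RUNNING_MODES:
        crafted = export_name_for_mode(m, tail=b"\x00")
        print(f"crafted for mode {m}: {crafted} -> {running_mode(crafted)}")
```

When triaging a new sample, run `running_mode` over every export name in the dropped DLL and every command line that re-launches it; a name that does not decode to one of the four values is worth a closer look, because it means either the scheme changed or the sample is not the variant analyzed here.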

Anti-Analysis 

Besides being written in Delphi, the malware has a few other anti-analysis features:

  • Some strings are constructed one character at a time (Figure 2) 

  • Some Windows API functions are resolved at run-time 

  • When a malware-related file is read or written to the filesystem, it is done in the middle of benign decoy file reads or writes 

  • Persistence is maintained by writing an LNK file into the user’s Startup directory that executes the main component. The LNK file is only written once a WM_QUERYENDSESSION window message is received, i.e., when the user logs off or the system shuts down, so the persistence artifact is absent while the infected session is still running 

 

Figure 2: String obfuscation example, where strings are constructed one character at a time 

Configuration 

DanaBot’s configuration is hardcoded into a 356-byte structure (Figure 3): 

 

Figure 3: Configuration structure of DanaBot 

Key configuration items are highlighted in red in Figure 3 and include the following: 

Affiliate ID 

As previously reported in “DanaBot control panel revealed”, we believe DanaBot is set up as a “malware as a service” in which one threat actor controls a global command and control (C&C) panel and infrastructure, then sells access to other threat actors known as affiliates.  

This field likely represents the ID of the affiliate associated with the sample. At the time of publication, only two IDs were found: 3 and 21. It is currently unclear whether version 4 affiliate IDs will overlap with previous version affiliate IDs, though they did change between versions 2 and 3. 

Embedded Hash 

It is currently unclear what the following embedded hash values represent. Each is 128 bits (32 hex digits, the size of an MD5 digest), but what they are digests of, if anything, has not been determined: 

  • E1D3580C52F82AF2B3596E20FB85D9F4 

  • DE420A65BFC5F29167A85A5199065A0E 

  • E0ECDBB46B59DFAB6F7CB1136E7496F5 

  • 429B39BF421C0F74463EF2A17209ADAA 

  • 6266E79288DFE2AE2C2DB47563C7F93A 

  • DE6DF8FA2198DD77CFD93D89D8ECC62D 

Version 

This field likely represents a version number that increments in newer samples. Values observed so far:  

  • 1650 

  • 1701 

  • 1705 

  • 1732 

  • 1755 

C&C IP Addresses and Ports 

The C&C IP addresses are hardcoded as DWORD values rather than strings (so they do not show up in a plain strings listing) and are set to the following in the analyzed sample: 

  • 23[.]226.132.92