Researchers are warning that a new fourth version of the DanaBot banking trojan has surfacing. The latest variety, still under analysis by researchers, is raising concerns given the number of past DanaBot effective campaigns.
DanaBot is a banking trojan that first targeted users in Australia via emails containing malicious URLs. Criminals then developed a second variant and targeted US companies – part of a series of large-scale campaigns. A third variant surfaced with significantly enhanced with remote command-and-control functionality,
The fourth version is unique, it’s unclear from the researcher’s recent report what specific new capabilities, if any, the malware has today.
Compared to previous campaigns, the recent variant comes packed mostly with the same deadly arsenal of tools that have come before. Main features include a ToR component to anonymize communications between the bad-guys and an infected hardware.
DanaBot is set up as a ‘malware as a service’ in which one threat actor controls a global command and control (C&C) panel and infrastructure then sells access to other threat actors known as affiliates.
DanaBot’s multi-stage infection chain starts with a dropper that triggers a cascading evolution of hacks. These include stealing network requests, siphoning off application and service credentials, data exfiltration of sensitive information, ransomware infection, desktop screenshot spying and the dropping of a cryptominer to turn targeted PCs into cryptocurrency worker bees.
DanaBot distribution methods to various software warez and cracks websites that supposedly offer software keys and cracks for a free download, including anti-virus programs, VPNs, graphics editors, document editors, and games. Creating a LNK file in windows desktop and various places.
It is unclear whether COVID-19, competition from other banking malware, redevelopment time, or something else caused the dip, but it looks like DanaBot is back and trying to regain its foothold in the threat landscape,” concluded researchers.