DanaBot
DanaBot is a Banking Trojan that was detected by malware researchers in May 2018. The DanaBot Trojan was used to compromise users in Australia primarily and has a modular structure that enables it to do much more than simply grabbing credentials from infected systems. The malware payload is delivered through a JavaScript downloader that is installed through macro-enabled documents, which you might receive as spam. Threat actors are using phishing emails to disseminate specially crafted Microsoft Word files that include an embedded PowerShell command and install the aforementioned JavaScript downloader. Researchers have seen samples connect to hxxp://bbc[.]lumpens[.]org/tXBDQjBLvs.php that drop the downloader for the DanaBot Trojan.
In its latest iterations, DanaBot is also able to capture screenshots and record video from the victim's screen and provide remote control over the victim's system through RDP. Currently used infection vectors usually involve a malicious e-mail that contains a link to the dropper. In a recent campaign the link in question forwarded to a file on Google Docs. The malicious file is really a VBS script that performs the functions of a dropper. It unpacks the downloader DLL into the system's temporary directory, then registers the DLL as a system service. In the 2019 versions of DanaBot, the downloader frontloads some of the features of the main malware - it can circumvent Windows user account control, communicate with the malware's C&C servers and download separate malware plugins and updates.
In early 2019, DanaBot introduced a new method of communicating with its C&C servers that included AES256 encryption, using keys for each communication packet.
A little later, in April 2019, DanaBot started carrying the NonRansomware ransomware. One of the DanaBot C&C servers started distributing a certain module written using Delphi and named simply "crypt." Research shows that the module in question turned out to be a version of the NonRansomware ransomware. This particular strain appends the .non extension to encrypted files and affects the entire hard drive, barring the Windows directory.
The main body of the DanaBot consists of a single DLL that is designed to connect to remote 'Command and Control' (C2) servers and download the latest versions of its side components. The DanaBot Trojan is known to support three modules that are saved to the disk as VNCDLL.dll, ProxyDLL.dll and StealerDLL.dll. The DanaBot malware installs a network sniffer (ProxyDLL.dll), an InfoStealer (StealerDLL.dll) for user credentials and a VNC (VNCDLL.dll) (short for Virtual Network Computing) client for remote desktop activities. The cyber-threat might be used to collect digital coins from cryptocurrency wallets, hijack online accounts, record your credentials for online banking portals, and identify potential targets on the same computer network.
- Stealer module (StealerDLL.dll) capabilities:
It can extract credentials in Mozilla Firefox, Google Chrome and Opera.
It can export credentials from FTP clients like FileZilla, SmartFTP, FlashFXP, WinSock FTP. - The digital coin stealer is known to extract currencies from:
Ethereum, Electron, Zcach, Bitcoin, Sumocoin, Iota, Expanse, Ark, Pascalcoin and Decent.
Also, DanaBot can perform Web injects into otherwise safe online banking pages and trick users into typing their credentials in fake access panels. The DanaBot Trojan exchanges information with its C2 servers via raw TCP traffic over port 443 and may communicate with the following IP addresses:
5.188.231[.]229
104.238.174[.]105
144.202.61[.]204
207.148.86[.]218
PC users might not detect the presence of DanaBot unless they are tracking their finances via the Web regularly and notice the missing funds. The malware at hand is known to use the TOR protocol to obfuscate transmitted data and prevent researchers from finding the threat actors. It is recommended to avoid spam messages even if they may appear legitimate. Ask for confirmation when you think you have received an email from a colleague or a friend. It is best to remove the DanaBot Trojan using a trusted anti-malware solution. The detection names associated with DanaBot include:
TROJ_BANLOAD.THFOAAH
Trojan-Downloader ( 005318d71 )
Trojan-Downloader ( 00532fa91 )
Trojan-Dropper.Win32.Danabot
Trojan.Downloader.Banload
Trojan.Generic.22925578
Trojan.GenericKD.30907310
Trojan.Tiggre
Trojan.Win32.Z.Delf.261632.F
Trojan/Win32.Agent.C2493942
W32/Banload.ABCAQ!tr.dldr
Ransom notes appear in every directory containing scrambled files and are all called "HowToBackFiles.txt". The text of the ransom note is as follows:
Attention !!!
All your files on this server have been encrypted.
Write this ID in the title of your message
To restore the files need to write to us on e-mail: xihuanya at protonmail dot com
The price of restoration depends on how quickly you write tous.
After payment we will send you a decryption tool that will decrypt all your files.
You can send us up to 3 files for free decryption.
- files should not contain important information
- and their total size should be less than 1 MB
IMPORTANT !!!
Do not rename encrypted files
Do not try to decrypt your data with third-party software, this can lead to permanent data loss!
Your ID:
The ransomware module deploys a batch file that modifies a number of registry values, kills a large number of system services, kills a few processes and disables the PowerShell execution policy, allowing the execution of malicious scripts. The module also disables system restore for drive letters from C: to H: and deletes all shadow copies.
Thankfully, security researchers with Checkpoint managed to find a very detailed description of the encryption procedure this particular version of the NonRansomware ransomware uses in its source code and used that to put together a decryption tool for it.
