DanBot Description

DanBot is the main threatening payload delivered in attacks by an Advanced Persistent Threat (APT) group called Lyceum. The same collective of hackers also is named hexane by the cybersecurity community. Lyceum's operations are focused on oil, gas, and telecommunications entities located in the Middle East strictly. The group attacks are characterized by a highly-complex structure involving several stages. DanBot is dropped in the second-stage by a dropper malware named DanDrop.

At its core, DanBot is a Remote Access Trojan that allows hackers to control the compromised computer in the post-infection phase of the attack. To contact the Command-and-Control (C2, C&C) infrastructure, DanBot uses both the DNS and HTTP protocols.

By analyzing the DNS traffic produced by the RAT, infosec researchers managed to discover that it exfiltrates certain system data about the compromised computer. The domain requests also contain registration information for the DanBot malware used for assigning a new bot ID for the threat to the specific victim.

The HTTP requests have also yielded some interesting finds. Apparently, the Trojan attempts authorization with a Base64-encoded password while also employing a user agent disguised as Firefox.