DanaBot: An Info-Stealer

DanaBot is an infamous Trojan that has been active since May 2018 and has since managed to target users worldwide. It initially targeted Australia and soon expanded its malicious campaigns to Europe, Australia, New Zealand, the USA and Canada.

DanaBot, also detected as “Trojan.DanaBot”, is mainly a banking Trojan that steals financial and banking information from the target system. It focuses on gathering login credentials for online banking accounts, which can later be used to make fraudulent transactions that victimize users.

Its infection vectors are malicious emails and exploit kits.

Means Of Propagation Of DanaBot

The malicious payload of DanaBot is mainly spread through spam emails laden with macro-enabled documents. Although the attachment may appear to be a harmless MS Word file, it hides malicious JScript downloader code.

When the target user opens the infected email and attachment, it executes a PowerShell command that installs the JScript downloader. The downloader then connects to “hxxp://bbc[.]lumpens[.]org/tXBDQjBLvs.php” and finally drops the installer for the DanaBot Trojan.

In recent detections, the Trojan used a link dropper within the spam emails. When the user opens the link, it opens a Google Docs file. The file contains a VBS script that acts as a DanaBot dropper. The dropper then writes the DLL to the “%TEMP%” directory of the system and disguises the DLL as a legitimate Windows system service.

Spam Email By DanaBot (Image Source : CheckPoint)

Thus, DanaBot starts running in the background whenever the system reboots.

Threat Campaign Of DanaBot In 2019

The 2019 version of DanaBot used a front loader that initiates downloads of the malware's components. In this way it can bypass Windows User Account Control (UAC). It can also start communicating with the attacker's C2 server and download all the necessary plugins and configuration files. It then updates itself and finally installs the main malware.

At the beginning of 2019, it began encrypting its communication with the C&C server. The threat uses AES-256 encryption, which needs a key for each packet sent, thus securing its malicious activity.

Since its discovery, DanaBot has been involved in various attack campaigns with updated modules and plugins. For example, in one campaign it cooperated with GootKit to spread spam. It was also found dropping Remcos RAT on target systems.

DanaBot Module Deploys NonRansomware And Demands a Ransom Fee

Furthermore, DanaBot started a “NonRansomware” ransomware campaign in April 2019. A module written in Delphi, named “crypt”, was being distributed by one of the C&C servers. According to reports, researchers consider it a version of the NonRansomware ransomware, as it appends the “.non” extension to the encrypted files, leaving out the Windows directory. Additionally, it also affects the hard drive.

Like other ransomware, it also creates a ransom note named “HowToBackFiles.txt”. The note can be found in every directory where encryption occurred.

DanaBot Non-Ransomware

The text of the ransom note by NonRansomware:

Attention !!!

All your files on this server have been encrypted.
Write this ID in the title of your message

To restore the files need to write to us on e-mail: xihuanya at protonmail dot com

The price of restoration depends on how quickly you write tous.
After payment we will send you a decryption tool that will decrypt all your files.

You can send us up to 3 files for free decryption.
– files should not contain important information
– and their total size should be less than 1 MB

Do not rename encrypted files
Do not try to decrypt your data with third-party software, this can lead to permanent data loss!

Your ID:

The NonRansomware module is capable of executing various actions on the system, such as:

  • Deploying a batch file “b.bat” in %TEMP% and executing it
  • Modifying various registry keys and values
  • Killing a large number of system services and running processes
  • Disabling the PowerShell execution policy as “powercfg.exe -h off”, allowing the execution of malicious scripts
  • Deleting shadow copies by executing the command line: vssadmin delete shadows /all
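
The behaviours listed above can be correlated per host over endpoint telemetry, so that one weak signal does not alert but the combination does. This is an added example, not code from the original article or from Check Point; the event format, rule weights, alert threshold and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns for the behaviours named in the article. Weights are assumed:
# strong indicators score 3, signals that also occur in normal use score 1.
COMMAND_RULES = {
    "shadow_copy_delete": (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I), 3),
    "powercfg_h_off": (re.compile(r"powercfg(\.exe)?\s+-h\s+off", re.I), 1),
    "temp_b_bat": (re.compile(r"\\temp\\b\.bat", re.I), 2),
}
FILE_RULES = {
    "ransom_note": (re.compile(r"\\HowToBackFiles\.txt$", re.I), 3),
    "non_extension": (re.compile(r"\.non$", re.I), 1),
}
ALERT_THRESHOLD = 5  # assumed cut-off; tune against your own baseline

# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"host": "ws-01", "kind": "process", "cmdline": r"cmd.exe /c C:\Users\amy\AppData\Local\Temp\b.bat"},
    {"host": "ws-01", "kind": "process", "cmdline": "vssadmin delete shadows /all"},
    {"host": "ws-01", "kind": "process", "cmdline": "powercfg.exe -h off"},
    {"host": "ws-01", "kind": "file", "path": r"C:\Users\amy\Documents\HowToBackFiles.txt"},
    {"host": "ws-01", "kind": "file", "path": r"C:\Users\amy\Documents\report.docx.non"},
    {"host": "ws-02", "kind": "process", "cmdline": "powercfg.exe -h off"},  # lone weak signal
    {"host": "ws-02", "kind": "process", "cmdline": "vssadmin list shadows"},  # benign query
]

def score_events(events):
    """Return {host: (score, sorted rule names)}; each rule counts once per host."""
    hits = defaultdict(dict)
    for ev in events:
        if ev["kind"] == "process":
            rules, text = COMMAND_RULES, ev["cmdline"]
        else:
            rules, text = FILE_RULES, ev["path"]
        for name, (pattern, weight) in rules.items():
            if pattern.search(text):
                hits[ev["host"]][name] = weight
    return {host: (sum(r.values()), sorted(r)) for host, r in hits.items()}

def alerts(events):
    """Hosts whose combined score reaches the alert threshold."""
    return sorted(h for h, (score, _) in score_events(events).items() if score >= ALERT_THRESHOLD)

if __name__ == "__main__":
    for host, (score, rules) in sorted(score_events(SAMPLE_EVENTS).items()):
        print(host, score, rules)
    print("alert:", alerts(SAMPLE_EVENTS))
```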

However, researchers at Check Point analyzed the NonRansomware ransomware and created a decryption tool for it.

Modular Structure Of DanaBot

DanaBot is built as a single DLL that forms its main body. It is mainly designed to connect to its remote command and control (C2) servers and to download the latest components, plug-ins and updates of the malware.

Other than the main module, it has three side modules that are saved to disk on the infected machine:

  • VNCDLL.dll
  • ProxyDLL.dll
  • StealerDLL.dll

It installs a network sniffer as “ProxyDLL.dll” and an info-stealer as “StealerDLL.dll” to steal user credentials, as well as a Virtual Network Computing (VNC) component as “VNCDLL.dll” for remote desktop access.

Various Attack Capabilities

  • Stealing credentials stored in browsers as well as FTP client credentials
  • Collecting crypto-wallet credentials for various digital currencies such as Ethereum, Electron, Zcash, Bitcoin, Sumocoin, Iota, Expanse, Ark, Pascalcoin and Decent
  • Running a proxy on an infected machine
  • Performing Zeus-style web injects
  • Taking screenshots and recording video
  • Providing remote control via RDP or VNC
  • Requesting updates via TOR
  • Bypassing UAC using a WUSA exploit
  • Requesting updates from the C&C server and executing commands

How To Detect DanaBot Malware On Your Computer?

Normally, users may not suspect the presence of DanaBot unless they notice serious system issues:

  • Hard drive crashes
  • Performance slowdown
  • Various applications, such as anti-virus, stop running

Other than that, if you have recently faced any fraudulent transaction, it may be because of DanaBot. During the coronavirus crisis, malware activity has increased severalfold, and DanaBot is also spreading increasingly. Users should therefore avoid opening spam emails.

It is best to have an anti-malware program installed and active in such a situation.

To remove the DanaBot Trojan, download HitmanPro.Alert and give your system a full scan to completely remove it.