silversurfer
- Content source
- https://threatpost.com/danabot-malware-roars-back/163358/
Researchers are warning that a new fourth version of the DanaBot banking trojan has surfaced after months of mysteriously going quiet. The latest variant, still under analysis by researchers, is raising concerns given the number of effective DanaBot campaigns seen in the past.
From May 2018 to June 2020, DanaBot was a fixture in the crimeware threat landscape, according to Proofpoint, which first discovered the malware in 2018 and posted a debrief on the latest variant Tuesday.
“Starting in late October 2020, we observed a significant update to DanaBot samples appearing in VirusTotal,” wrote Dennis Schwarz, Axel F. and Brandon Murphy, in the collaborative Tuesday report. “While it has not returned to its former scale, DanaBot is malware that defenders should put back on their radar.”
In general, DanaBot’s multi-stage infection chain starts with a dropper that triggers a cascading evolution of hacks. These include stealing network requests, siphoning off application and service credentials, data exfiltration of sensitive information, ransomware infection, desktop screenshot spying and the dropping of a cryptominer to turn targeted PCs into cryptocurrency worker bees.
With its current analysis, Proofpoint focused on the specific technical changes within the malware’s “Main component.” That facet of the malware included anti-analysis features along with:
- Some Windows API functions are resolved at run-time.
- When a malware-related file is read or written to the filesystem, it is done in the middle of benign decoy file reads or writes.
- Persistence is maintained by creating an LNK file that executes the main component in the user’s Startup directory.
LNK files (or Windows shortcut files) are files created by Windows automatically, whenever a user opens their files. These files are used by Windows for connecting a file type to a specific application used to view or edit digital content.
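Since the persistence trick above is just a shortcut dropped into Startup, a quick way to check your own machine is to list what every Startup .lnk actually launches. This is an added example of mine, not from the Threatpost article or Proofpoint; it assumes a Windows host with the standard WScript.Shell COM object, and the "Review" flag is only a heuristic to point at shortcuts worth a closer look.

```powershell
# Added example: enumerate .lnk files in the per-user and all-users Startup
# folders and resolve the target each one runs. Assumes WScript.Shell is
# available (it is on a standard Windows install).
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup
)
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = $lnk.TargetPath
            $suspicious = $false
            # Heuristic 1: target lives outside Program Files / Windows
            # (e.g. a user profile or temp path), which is unusual for a
            # legitimate installer-created Startup shortcut.
            if ($target -and -not (
                    $target -like "$env:ProgramFiles*" -or
                    $target -like "${env:ProgramFiles(x86)}*" -or
                    $target -like "$env:SystemRoot*")) {
                $suspicious = $true
            }
            # Heuristic 2: target is a script/DLL host that is handed arguments,
            # a common way to launch a payload indirectly from a shortcut.
            if ($target -match '(?i)\\(rundll32|regsvr32|powershell|wscript|cscript|mshta)\.exe$' -and $lnk.Arguments) {
                $suspicious = $true
            }
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $target
                Arguments = $lnk.Arguments
                Modified  = $_.LastWriteTime
                Review    = $suspicious
            }
        }
}

# Flagged entries first; compare the target against what you actually installed.
$findings | Sort-Object Review -Descending | Format-Table -AutoSize
```

A hit here is a prompt to investigate the target file, not proof of infection; plenty of legitimate software also uses Startup shortcuts.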
DanaBot Malware Roars Back into Relevancy
Sophisticated and dangerous, DanaBot has resurfaced after laying dormant for seven months.