| Field | Value |
|---|---|
| Name | DanaBot |
| Type of Malware | Banking Trojan |
| Location – Country of Origin | Russia. First seen in Australia |
| Date of initial activity | 2018 |
| Motivation | Stolen banking information, passwords, identity theft, victim's computer added to a botnet |
| Attack Vectors | Infected email attachments, malicious online advertisements, social engineering, software cracks |
| Targeted System | Windows |
Overview
DanaBot is a modular banking Trojan written in Delphi that targets the Windows platform. The malware, first observed in 2018, is distributed via malicious spam emails. From May 2018 to June 2020, DanaBot was a fixture in the crimeware threat landscape. Proofpoint researchers observed multiple threat actors with at least 12 affiliate IDs in version 2 and 38 IDs in version 3; these affiliate identifications (IDs) represent the threat actors the DanaBot operators serve. After June 2020, there was a sharp decline in DanaBot activity in Proofpoint's data and in public threat intel repositories (e.g. MalwareBazaar and the #DanaBot hashtag). It disappeared from the threat landscape without a clear cause.
Targets
Financial institutions predominantly located in the United States, Canada, Germany, United Kingdom, Australia, Italy, Poland, Mexico, and Ukraine.
Tools / Techniques Used
Once a device is infected, the malware downloads updated configuration code and additional modules from the C&C server. Available modules include a "sniffer" to intercept credentials, a "stealer" to steal passwords from popular applications, a "VNC" module for remote control, and more.
Impact / Significant Attacks
Large Software Supply Chain Attack (October 22, 2021)
Second Large Software Supply Chain Attack (November 4, 2021)
DDoS Attack on Russian Language Electronics Forum (October 2021)
Indicators of Compromise (IoCs)
hxxps://citationsherbe\.at/sdd.dll
2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
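An added example, not part of the original profile: a small Python matcher that operationalizes the two indicators above for detection. It refangs the defanged URL, checks proxy log lines for the hosting domain, and compares a file's SHA256 against the listed hash; the log lines are constructed for the demonstration and are not real traffic.

```python
import hashlib
import re

# Indicators exactly as listed on the page, kept in defanged form.
DEFANGED_URL = r"hxxps://citationsherbe\.at/sdd.dll"
KNOWN_SHA256 = {"2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd"}

# Constructed proxy log lines (not real traffic); line 2 contacts the IoC host.
SAMPLE_LOG = [
    "2021-10-22T10:15:01Z 10.0.0.5 GET https://example.org/index.html 200",
    "2021-10-22T10:15:02Z 10.0.0.5 GET https://citationsherbe.at/sdd.dll 200",
    "2021-10-22T10:15:03Z 10.0.0.7 GET http://updates.example.net/x.cab 304",
]


def refang(indicator: str) -> str:
    """Turn common defanging (hxxp, [.], \\., [:]) back into the live form."""
    s = indicator.replace("hxxp", "http").replace("[.]", ".").replace("\\.", ".")
    return s.replace("[://]", "://").replace("[:]", ":")


def indicator_host(url: str) -> str:
    """Extract the lower-cased hostname from a (possibly defanged) URL."""
    m = re.match(r"^https?://([^/:\s]+)", refang(url))
    return m.group(1).lower() if m else ""


def match_proxy_lines(lines, hosts):
    """Return (line_no, host) for every log line whose URL host is in hosts."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"https?://([^/:\s]+)", line)
        if m and m.group(1).lower() in hosts:
            hits.append((n, m.group(1).lower()))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the file contents hash to the SHA256 listed on the page."""
    return sha256_hex(data) in KNOWN_SHA256


if __name__ == "__main__":
    hosts = {indicator_host(DEFANGED_URL)}
    for line_no, host in match_proxy_lines(SAMPLE_LOG, hosts):
        print(f"line {line_no}: contact with IoC host {host}")
    print("benign sample known:", is_known_sample(b"not the payload"))
```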