Danabot is a banking malware that was first identified in 2018. A fourth version of the malware has resurfaced after being dormant for seven months. The trojan is written in Delphi and has several anti-analysis attributes.
The trojan started its journey by targeting Australian users via malicious URLs. Later, the second version took to targeting U.S. companies in large-scale campaigns. The third strain surfaced in 2019 and had remote C2 capability. This variant propagated either as updates to existing victims or via malspam in Poland.
Now, this latest variant came under the radar of Proofpoint researchers who identified two affiliate IDs using this version. However, the report does not provide any details on the new capabilities of this strain.
Instead of demanding an immediate ransom from victims, Danabot is focused on gaining persistence and stealing data that can be monetized later.
The social engineering tactic used emphasizes quality over quantity in email-based threats.
As it is of modular nature, the trojan can download extra elements, thus, increasing flexibility and remote monitoring functionality. Moreover, it can switch to Tor-based command and control (C&C).
Danabot is assumed to have been set up as malware as a service. Websites advertising pirated software are being used to deliver the latest version of the trojan. Since October 2020, it has targeted users in the U.S., the U.K, Australia, Germany, Canada, Ukraine, Poland, Mexico, and Italy.
The bottom line
The previous versions of Danabot were actively used in criminal activities for almost two years. Although it has not yet established itself back to its former level of activity, researchers suspect that the threat actors are attempting to regain a foothold. It is anticipated that as the number of affiliates grows, the malware will be propagated on a large-scale via phishing campaigns.