• The malware’s early campaign targeted Australia but later switched to targeting Europe.
  • Experts found that a threat actor that generally distributes the Panda banking trojan, switched to spreading DanaBot.

The prolific DanaBot malware has just switched its target base and is now targeting victims in the US. The malware was first discovered in May 2018, when it was targeting victims in Australia. Since then, DanaBot has been updated several times and has also switched to targeting Europe.

However, DanaBot’s most recent campaign has been targeting victims in the US. Security researchers at Proofpoint discovered that in September, a threat actor that generally distributes the Panda banking trojan switched to spreading DanaBot. The researchers have already observed hundreds of thousands of spam emails targeting victims in the US.

DanaBot features

DanaBot contains a loader that downloads and the main component, as well as a feature that downloads, configures, and loads modules. In this campaign, DanaBot version 2.003, the latest version of the malware, emerged. The malware contains quite a bit of junk code, such as extra instructions, loops, and conditional statements.

According to researchers, these features, when combined with the use of Delphi, make reverse engineering DanaBot a significant challenge.

“In addition, DanaBot uses Windows API function hashing and encrypted strings to prevent analysts and automated tools from easily determining the code’s purpose,” Proofpoint researchers said in a blog. “Adoption by high-volume actors, though, as we saw in the US campaign, suggests active development, geographic expansion, and ongoing threat actor interest in the malware. The malware itself contains a number of anti-analysis features, as well as updated stealer and remote control modules, further increasing its attractiveness and utility to threat actors.”

So far, DanaBot has targeted Australia, Poland, Germany, Italy, Austria and more recently, the US.

Cyware Publisher