The new version of DanaBot is being distributed in pirated software keys, including ones offering free VPNs, anti-virus software and pirated games.
Proofpoint researchers have discovered a new strain of the DanaBot malware that is being distributed through pirated software keys. Users are tricked into downloading infected software disguised as anti-virus programs, VPNs, and online games.
According to researchers, websites offering cracked or pirated versions of the software are distributing the new version of DanaBot, capable of stealing the victim’s online banking credentials.
DanaBot First Discovered in 2019
Hackread.com reported on DanaBot when it was first discovered back in 2019 by Proofpoint researchers. The malware spread itself by installing a Socks5 proxy on infected Windows computers to connect to the C&C server, evading detection by bypassing firewalls.
Over the past two years the malware kept evolving and, according to Proofpoint researchers, became one of the top banking malware families.
“For almost two years, DanaBot was one of the top banking malware being used in the crimeware threat landscape,” Proofpoint’s Dennis Schwarz, Axel F., and Brandon Murphy wrote in the company’s threat analysis report.
Threat actors frequently employed it between May 2018 and June 2020. During that time, cybercriminals’ primary targets were financial institutions in the UK, USA, Canada, Australia, Germany, Mexico, Poland, Italy, and Ukraine.
Afterward, it did not appear in many campaigns. Now, however, it has re-emerged after a brief hiatus and is causing havoc once again.
DanaBot Relaunched in October 2020
The most recent version of the malware was discovered in October 2020. Researchers believe that the malware has been updated, and they expect threat actors to use it in phishing campaigns in the next few months. Its affiliate numbers are also expected to increase.
DanaBot’s new version includes advanced anti-analysis features and can stay undetected on compromised devices by adding Windows LNK shortcut files. It can also target crypto-wallets, which means threat actors aim to steal wallets or login credentials for popular cryptocurrency sites in addition to targeting financial institutions.
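The LNK-shortcut persistence mentioned above is something a defender can check for directly. The following PowerShell script is an added example, not code from the article or from Proofpoint: it lists the shortcuts in the per-user and all-users Startup folders and flags any whose target resolves into a user-writable location. The list of "suspicious" roots is an assumed heuristic, not an indicator taken from the article.

```powershell
# Added example: enumerate .lnk files in the Windows auto-start folders and
# flag shortcuts whose target lives in a user-writable path. Legitimate
# startup entries normally point into Program Files or the Windows folder.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Assumed heuristic: targets under these roots deserve a closer look.
$suspiciousRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, $env:ProgramData
) | Where-Object { $_ }

# WScript.Shell resolves the shortcut's target and command-line arguments.
$shell = New-Object -ComObject WScript.Shell

$results = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = $lnk.TargetPath
            $flag   = $false
            foreach ($root in $suspiciousRoots) {
                if ($target -like "$root*") { $flag = $true; break }
            }
            # Arguments matter too: a benign-looking host binary can be
            # given a script or encoded command to run on logon.
            [PSCustomObject]@{
                Shortcut   = $_.FullName
                Target     = $target
                Arguments  = $lnk.Arguments
                Created    = $_.CreationTime
                Suspicious = $flag
            }
        }
}

# Show flagged entries first so an analyst sees them immediately.
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in a normal PowerShell session on the host under review; a shortcut pointing into AppData or Temp is not proof of infection, but it is the kind of entry worth verifying against the file's hash and creation time.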
How DanaBot malware spreads
When a user downloads and executes the software key containing the malware, it loads two stealer components on the compromised device. One of them collects system information, browser data, and cryptocurrency wallets.
The other stealer installs a cryptocurrency miner and the primary DanaBot payload. The payload is responsible for stealing banking credentials.
DanaBot’s operators run the global C&C server and its supporting infrastructure, and they sell access to cybercriminal affiliates. Two malware-as-a-service affiliates have already adopted the latest version, while dozens of affiliates still use the older version.