ESET has discovered new versions of the DanaBot Trojan.
The rapidly evolving modular trojan DanaBot has changed again. The version released at the end of January 2019 implements a completely new communication protocol that adds several layers of encryption to the traffic between the Trojan and its C&C server. The DanaBot architecture and campaign IDs have also changed.

DanaBot Evolution
After being discovered in May 2018 in a spam campaign targeting Australia, DanaBot turned up in a number of other attacks, including spam campaigns in Poland, Italy, Germany, Austria and Ukraine, as well as in the United States. In the European campaigns the Trojan's functionality was extended with new plugins and spam-sending capabilities.
On January 25, 2019, we noticed unusual DanaBot-related executables in our telemetry. Further analysis confirmed that these binaries are indeed DanaBot, but that they use a different protocol to talk to their C&C server. Since January 26, the operators have stopped building binaries that use the old protocol.
At the time of writing, the new DanaBot version is being distributed in two ways:
- as "updates" pushed to existing DanaBot victims;
- via spam (in Poland).
New communication protocol
In the protocol used until January 25, packets were sent unencrypted, as shown in Figure 1.

Figure 1. Packet capture showing the old protocol with data in the clear
DanaBot now uses AES and RSA in its communication with the C&C server. The new protocol is more complex because it uses several layers of encryption, as shown in the figure below.

Figure 2. Diagram of the new DanaBot communication protocol
These changes defeat detection by existing network signatures and make it harder to write new rules for intrusion detection and prevention systems. Moreover, without the corresponding RSA private key it is impossible to decrypt the packets sent or received, so PCAP files from cloud analysis systems (such as ANY.RUN) are of little use for research.

Figure 3. Packet capture of the new communication protocol
Each packet sent by the client has a 24 (0x18) -byte header:

In each packet, the header is followed by the packet data encrypted with AES, then a 4-byte value giving the size of the AES padding, and finally the AES key encrypted with RSA. Every packet is encrypted with a different AES key.
Server responses use the same format. Unlike in previous versions, the packet data in server responses does not follow any particular structure (with a few exceptions).
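To make the framing concrete, here is an added example (not ESET's or DanaBot's code) that serializes and parses the envelope described above: a 24-byte header, AES-encrypted data, a 4-byte padding-size field and the RSA-encrypted per-packet AES key. The header is treated as opaque because its field layout is not reproduced on this page; the little-endian padding field, the 256-byte (RSA-2048) key blob and the PKCS#7-style padding range are assumptions, and the ciphertext and key blob are constructed random bytes standing in for real cipher output.

```python
"""Framing of the new DanaBot C&C packet envelope (added example).

Models only the framing described in the post. Assumptions not stated on the
page: the padding-size field is little-endian, the RSA blob has the length of
the RSA modulus (256 bytes, i.e. RSA-2048), padding is PKCS#7-style (1..16
bytes), and the 24-byte header is opaque. No cipher is implemented here.
"""
import os
import struct
from typing import NamedTuple, Optional

HEADER_LEN = 0x18      # client packet header size (from the post)
PAD_FIELD_LEN = 4      # size of the "AES padding size" field (from the post)
AES_BLOCK = 16
RSA_BLOB_LEN = 256     # assumption: RSA-2048 key transport


class Envelope(NamedTuple):
    header: bytes       # 24 opaque bytes (layout not reproduced on this page)
    ciphertext: bytes   # AES-encrypted packet data, block aligned
    pad_len: int        # bytes of padding inside the ciphertext
    wrapped_key: bytes  # per-packet AES key, encrypted with RSA

    @property
    def plaintext_len(self) -> int:
        return len(self.ciphertext) - self.pad_len


def build_envelope(header: bytes, plaintext_len: int, wrapped_key: bytes) -> bytes:
    """Serialize header | AES(data) | pad size | RSA(AES key).

    The AES ciphertext is a random stand-in of the padded length; a real client
    would encrypt plaintext_len bytes under a fresh per-packet AES key and wrap
    that key with the server's RSA public key.
    """
    if len(header) != HEADER_LEN:
        raise ValueError("header must be 24 bytes")
    if len(wrapped_key) != RSA_BLOB_LEN:
        raise ValueError("wrapped key must be the RSA modulus size")
    pad_len = AES_BLOCK - (plaintext_len % AES_BLOCK)   # assumption: PKCS#7-style, 1..16
    ciphertext = os.urandom(plaintext_len + pad_len)    # constructed stand-in for AES output
    return header + ciphertext + struct.pack("<I", pad_len) + wrapped_key


def parse_envelope(data: bytes, rsa_len: int = RSA_BLOB_LEN) -> Optional[Envelope]:
    """Split a packet from both ends; return None if the shape does not fit.

    Only the fixed-size pieces are known (header, pad field, RSA blob), so the
    AES ciphertext is whatever lies between them and must be block aligned.
    """
    if len(data) < HEADER_LEN + AES_BLOCK + PAD_FIELD_LEN + rsa_len:
        return None
    header = data[:HEADER_LEN]
    wrapped_key = data[-rsa_len:]
    pad_field = data[-rsa_len - PAD_FIELD_LEN:-rsa_len]
    ciphertext = data[HEADER_LEN:-rsa_len - PAD_FIELD_LEN]
    (pad_len,) = struct.unpack("<I", pad_field)
    if len(ciphertext) % AES_BLOCK or not 1 <= pad_len <= AES_BLOCK:
        return None
    return Envelope(header, ciphertext, pad_len, wrapped_key)


def demo_round_trip(plaintext_len: int = 100) -> Envelope:
    """Build a client packet from constructed header/key material and parse it back."""
    header = os.urandom(HEADER_LEN)         # constructed: real header layout not on this page
    wrapped_key = os.urandom(RSA_BLOB_LEN)  # constructed: stands in for RSA(AES key)
    packet = build_envelope(header, plaintext_len, wrapped_key)
    env = parse_envelope(packet)
    assert env is not None and env.plaintext_len == plaintext_len
    return env


if __name__ == "__main__":
    e = demo_round_trip()
    print(f"ciphertext={len(e.ciphertext)} pad={e.pad_len} plaintext={e.plaintext_len}")
```

Parsing from both ends is the natural approach because only the header, the padding field and the RSA blob have fixed sizes; the blob length equals the RSA modulus size, which an analyst recovers from the public key embedded in the sample. Without the matching private key the parser still yields nothing readable, which is the point made above about captured PCAPs.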
Data packet structure
The previous packet data structure was described in detail by Proofpoint in October 2018. In the latest DanaBot version this layout is slightly modified, as shown in the figure below.

Figure 4. Comparison of the packet data structure in the old and new DanaBot versions
DanaBot architecture changes
Besides the communication protocol, the DanaBot architecture has also changed slightly. Previous versions consisted of a component that downloaded and executed the main module; the main module then downloaded and executed the plugins and configuration files.
In the latest version these tasks are handled by a new loader, which downloads all the plugins together with the main module. Persistence is achieved by registering the loader component as a service.

Figure 5. Comparing the architecture of the old and the new versions of DanaBot
Commands
According to our analysis, the loader component uses the following commands:
- 0x12C - Hello. The first command sent from client to server
- 0x12D - download the 32/64-bit loader component
- 0x12E - request the list of plugins and configuration files
- 0x12F - download plugins / configuration files
The downloaded plugins and configuration files are encrypted with an AES key derived from the client ID. In addition, plugins are packed in ZIP archives using LZMA compression, while configuration files are zlib-compressed.
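An added example, not ESET's or DanaBot's code, of the unpacking step once the AES layer has been removed: it tells a zlib-compressed configuration file from a ZIP plugin archive, checks that the archive entries use LZMA (ZIP method 14) as described above, and caps the decompressed size, since the data comes from an attacker-controlled server. The AES key derivation from the client ID is not described on this page and is not reproduced; the sample payloads are constructed here, not taken from real samples.

```python
"""Unpack decrypted DanaBot plugin/configuration downloads (added example).

Plugins: ZIP archive with LZMA-compressed entries. Configuration: bare zlib
stream. Input is assumed to be already AES-decrypted; the key derivation from
the client ID is not reproduced here. Sample payloads are constructed.
"""
import io
import zipfile
import zlib
from typing import Dict

ZIP_MAGIC = b"PK\x03\x04"
MAX_UNPACKED = 64 * 1024 * 1024   # guard against decompression bombs from a hostile C&C


def is_zlib_stream(data: bytes) -> bool:
    """RFC 1950 header check: CM == 8 (deflate) and CMF*256+FLG divisible by 31."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def inflate_bounded(data: bytes, limit: int = MAX_UNPACKED) -> bytes:
    """zlib-decompress at most `limit` bytes; refuse streams that would exceed it."""
    d = zlib.decompressobj()
    out = d.decompress(data, limit)
    if d.unconsumed_tail:
        raise ValueError("zlib stream exceeds size limit")
    return out


def unpack_download(data: bytes) -> Dict[str, bytes]:
    """Return the files inside a decrypted download, keyed by name.

    A plugin archive yields one entry per file; a configuration stream is
    returned under the key "config".
    """
    if data.startswith(ZIP_MAGIC):
        out: Dict[str, bytes] = {}
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.compress_type != zipfile.ZIP_LZMA:
                    raise ValueError(f"{info.filename}: method {info.compress_type}, expected LZMA (14)")
                # file_size is attacker-declared, but zipfile stops reading at it,
                # so rejecting large declared sizes bounds the allocation.
                if info.file_size > MAX_UNPACKED:
                    raise ValueError(f"{info.filename}: declared size {info.file_size} too large")
                out[info.filename] = zf.read(info.filename)
        return out
    if is_zlib_stream(data):
        return {"config": inflate_bounded(data)}
    raise ValueError("neither a ZIP archive nor a zlib stream")


def is_valid_download(data: bytes) -> bool:
    """True if unpack_download accepts the blob, False if it is rejected."""
    try:
        unpack_download(data)
        return True
    except (ValueError, zipfile.BadZipFile):
        return False


# --- constructed sample payloads standing in for decrypted downloads ---

def make_plugin_zip(files: Dict[str, bytes], method: int = zipfile.ZIP_LZMA) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_config_blob(text: bytes) -> bytes:
    return zlib.compress(text)


if __name__ == "__main__":
    plugin = make_plugin_zip({"stealer.dll": b"MZ" + b"\x00" * 62})
    config = make_config_blob(b'<inject target="example.invalid"/>')
    print(sorted(unpack_download(plugin)))
    print(unpack_download(config))
```

The method check matters in practice: a ZIP that uses deflate or stored entries is not what this loader produces, so treating it as a DanaBot plugin would be a misclassification, and the size caps keep an analysis box from being exhausted by a crafted download.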
Commands with IDs 0x130-0x134 are sent by the main module:
- 0x130 - upload collected information to the C&C server (for example, a screenshot of the victim's computer or system data)
- 0x131 - upload collected information to the C&C server (for example, a list of files on the infected computer's hard disk)
- 0x132 - request further commands from the C&C server. There are about 30 commands typical of backdoors, including running plugins, collecting system information and modifying files on the client system.
- 0x133 - update the list of C&C servers via the Tor proxy
- 0x134 - exact purpose unknown, most likely used for communication between plugins and the C&C server
Campaign ID changes
Previous research showed that DanaBot is distributed under different campaign IDs.
The previous DanaBot version used about 20 campaign IDs. In the latest version the IDs have changed slightly. As of February 5, 2019, we see the following IDs:
- ID=2 apparently a test version; serves a small number of configuration files, no web injects
- ID=3 actively distributed, targeting users in Poland and Italy; serves all configuration files and web injects for Polish and Italian targets
- ID=5 serves configuration files for Australian targets
- ID=7 distributed only in Poland; serves web injects for Polish targets
- ID=9 apparently also a test version with limited distribution and no specific targeting; serves a limited number of configuration files, no web injects
Conclusion
In 2018 we watched DanaBot develop in terms of distribution and functionality. In early 2019 the Trojan underwent "internal" changes that point to active work by its authors. The recent updates suggest that the DanaBot authors are making an effort to evade detection at the network level. It is possible that they follow published research so they can change the code promptly, ahead of security product developers.
ESET products detect and block all DanaBot components and plugins. Detection names are listed in the next section.
Indicators of Compromise (IoCs)
C&C servers used by the new DanaBot version
84.54.37[.]102
89.144.25[.]243
89.144.25[.]104
178.209.51[.]211
185.92.222[.]238
192.71.249[.]51
Servers used for web injects and redirects
47.74.249[.]106
95.179.227[.]160
185.158.249[.]144
Example hashes
New DanaBot builds are released regularly, so we can provide only a sample of hashes (SHA-1):

Component | SHA-1 | ESET detection name
Dropper | 98C70361EA611BA33EE3A79816A88B2500ED7844 | Win32/TrojanDropper.Danabot.O
Loader (x86), ID=3 | 0DF17562844B7A0A0170C9830921C3442D59C73C | Win32/Spy.Danabot.L
Loader (x64), ID=3 | B816E90E9B71C85539EA3BB897E4F234A0422F85 | Win64/Spy.Danabot.G
Loader (x86), ID=9 | 5F085B19657D2511A89F3172B7887CE29FC70792 | Win32/Spy.Danabot.I
Loader (x64), ID=9 | 4075375A08273E65C223116ECD2CEF903BA97B1E | Win64/Spy.Danabot.F
Main module (x86) | 28139782562B0E4CAB7F7885ECA75DFCA5E1D570 | Win32/Spy.Danabot.K
Main module (x64) | B1FF7285B49F36FE8D65E7B896FCCDB1618EAA4B | Win64/Spy.Danabot.C
Plugin: RDPWrap | 890B5473B419057F89802E0B6DA011B315F3EF94 | Win32/Spy.Danabot.H
Plugin: Stealer (x86) | E50A03D12DDAC6EA626718286650B9BB858B2E69 | Win32/Spy.Danabot.C
Plugin: Stealer (x64) | 9B0EC454401023DF6D3D4903735301BA669AADD1 | Win64/Spy.Danabot.E
Plugin: Sniffer | DBFD8553C66275694FC4B32F9DF16ADEA74145E6 | Win32/Spy.Danabot.B
Plugin: VNC | E0880DCFCB1724790DFEB7DFE01A5D54B33D80B6 | Win32/Spy.Danabot.D
Plugin: TOR | 73A5B0BEE8C9FB4703A206608ED277A06AA1E384 | Win32/Spy.Danabot.G