A new version of the infamous DanaBot trojan has been discovered by researchers, and it is raising fresh concern. Based on the pattern of DanaBot's previous campaigns, researchers are warning about this fourth variant while it is still under analysis to uncover any new threats it poses.
Researchers confirm that in late October 2020 they began observing a substantial update to the DanaBot samples. “DanaBot may not have returned to its preceding scale, but it is malware that defenders should definitely put back on their radar,” the experts comment. The malware, whose earlier activity spanned May 2018 to June 2020, was a prevalent threat heavily used by cybercriminals.
DanaBot has been distinctive since it first appeared. According to the researchers' reports, however, the most recent strain has yet to show any notable new capabilities beyond those of the existing trojan.
For those unfamiliar with it, DanaBot is a banking trojan that previously targeted large organizations based in Australia and the US. The first variant was aimed at users in Australia through emails carrying malicious URLs. The second variant attacked many US companies as part of a much larger series of large-scale operations. The third, deployed in February 2019, was substantially reinforced with remote command-and-control functionality.
Compared with the earlier attacks, the new variant is believed to carry largely the same toolset as before. Notable components include a Tor component used to obscure the communications between the malware and the threat actors.
Researchers believe that DanaBot operates as ‘malware as a service’ for cybercriminals, explaining: “It is where one threat actor controls a global command-and-control panel and infrastructure and then sells access to other threat actors, who are considered subsidiaries.”
DanaBot's infection chain starts with a dropper that triggers a series of staged infection steps. These include intercepting network requests, stealing application and service credentials, harvesting sensitive data, deploying ransomware, capturing desktop screenshots, and dropping a cryptocurrency miner that turns the targeted computers into mining workers.
Researchers traced one of DanaBot's distribution channels to multiple ‘cracks’ and warez websites that purportedly offered software cracks and license keys for free download, covering games, document editors, VPNs, graphics editors and even antivirus programs.
The pirated tools and documents downloaded from these websites are presumed to be the infection starting point for the latest strain. One such site advertised a software key generator and led users to believe they were merely downloading a program crack. The downloaded bundle, however, contained several ‘ReadMe’ files and a password-protected archive holding the primary dropper of the malware package, ‘setup_x86_x64_install.exe’.
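The lure described above can be checked for mechanically. The following Python script is an added example, not code from the article or from any vendor: it walks a downloaded "crack" bundle, notes the ReadMe files, and inspects any zip archive for a password-protected executable or for the dropper filename the article reports. The archive format, the directory layout, the list of executable suffixes, the ReadMe phrases and the constructed sample bundles are assumptions for illustration. Listing an encrypted zip needs no password (only the member data is encrypted), which is exactly why such archives slip past inline antivirus scanning.

```python
"""Triage a downloaded crack/warez bundle for the lure pattern described in
the article: ReadMe files next to a password-protected archive that carries an
executable dropper (the article names setup_x86_x64_install.exe).

Added example, not code from the article or from any vendor. The directory
layout, heuristics, suffix list and sample data are assumptions for illustration.
"""
import io
import os
import struct
import tempfile
import zipfile

DROPPER_NAME = "setup_x86_x64_install.exe"   # dropper filename reported in the article
EXE_SUFFIXES = (".exe", ".scr", ".com", ".js", ".vbs", ".bat")         # assumed list
AV_PHRASES = ("disable your antivirus", "turn off antivirus", "disable windows defender")  # assumed


def encrypted_members(zip_path):
    """Names of members whose general-purpose flag bit 0 (encryption) is set.
    Only the central directory is read, so no password is needed for this."""
    with zipfile.ZipFile(zip_path) as zf:
        return {i.filename for i in zf.infolist() if i.flag_bits & 0x1}


def triage_bundle(root):
    """Walk a bundle directory; return readmes, archives, hits and a verdict."""
    readmes, archives, hits = [], [], []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower().startswith("readme"):
                readmes.append(path)
                with open(path, errors="replace") as f:
                    text = f.read().lower()
                if any(p in text for p in AV_PHRASES):
                    hits.append({"file": path, "member": None, "encrypted": False,
                                 "reason": "ReadMe tells the user to disable antivirus"})
            elif zipfile.is_zipfile(path):
                archives.append(path)
                enc = encrypted_members(path)
                with zipfile.ZipFile(path) as zf:
                    names = zf.namelist()
                for n in names:
                    base = os.path.basename(n).lower()
                    if base == DROPPER_NAME:
                        reason = "known dropper filename"
                    elif base.endswith(EXE_SUFFIXES) and n in enc:
                        reason = "executable hidden in password-protected archive"
                    else:
                        continue
                    hits.append({"file": path, "member": n, "encrypted": n in enc,
                                 "reason": reason})
    return {"readmes": readmes, "archives": archives, "hits": hits,
            "verdict": "suspicious" if hits else "clean"}


def _mark_encrypted(zip_bytes):
    """Set the encryption flag (bit 0 of the general-purpose flags) in every
    local and central header. A real archiver also encrypts the member data;
    here only the flag is flipped so zipfile reports the members as protected."""
    out = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            flags, = struct.unpack_from("<H", out, pos + off)
            struct.pack_into("<H", out, pos + off, flags | 0x1)
            pos = out.find(sig, pos + 1)
    return bytes(out)


def build_sample_bundle(root, malicious):
    """Write a constructed bundle under root. All content here is made up."""
    os.makedirs(root, exist_ok=True)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        name = DROPPER_NAME if malicious else "tool.exe"
        zf.writestr(name, b"MZ" + b"\x90" * 64)       # fake PE stub, constructed
        zf.writestr("notes.txt", b"see ReadMe\n")
    data = _mark_encrypted(buf.getvalue()) if malicious else buf.getvalue()
    with open(os.path.join(root, "crack.zip"), "wb") as f:
        f.write(data)
    readme = ("Password: 1234\nDisable your antivirus before running the installer.\n"
              if malicious else "Unzip and run tool.exe.\n")
    with open(os.path.join(root, "ReadMe.txt"), "w") as f:
        f.write(readme)
    return root


def demo():
    """Build one lure-style bundle and one benign bundle, then triage both."""
    base = tempfile.mkdtemp(prefix="danabot_triage_")
    bad = triage_bundle(build_sample_bundle(os.path.join(base, "bad"), True))
    good = triage_bundle(build_sample_bundle(os.path.join(base, "good"), False))
    return bad, good


if __name__ == "__main__":
    for label, result in zip(("constructed lure", "benign bundle"), demo()):
        print(f"{label}: {result['verdict']}")
        for h in result["hits"]:
            print("  -", h["reason"], h["member"] or "", "(encrypted)" if h["encrypted"] else "")
```

Running the script triages the two constructed bundles: the lure is reported as suspicious on two counts (the dropper filename inside a password-protected archive, and a ReadMe telling the user to disable antivirus), the benign bundle as clean. The article does not say which archive format the real bundles used; extending the check to RAR or 7z would need a third-party library, and a production version would hash and submit the archive members rather than stop at the listing.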
With the new variant, researchers identified many new affiliate (‘subsidiary’) IDs, suggesting that the malware-as-a-service side of DanaBot is very much active and growing. Some affiliates that had been using the trojan continued their attacks with other banking malware while it was absent. It is unclear whether COVID-19, competition from other banking malware, redevelopment time, or something else caused the dip, but DanaBot appears to be back and trying to regain its foothold in the threat landscape.