Danabot: Analyzing a fallen empire

As introduced by the US Division of Justice – the FBI and US DoD’s Protection Prison Investigative Service (DCIS) have managed to disrupt the infrastructure of the infamous infostealer, Danabot. ESET is without doubt one of the many cybersecurity firms to take part on this long-term endeavor, turning into concerned again in 2018. Our contribution included offering technical analyses of the malware and its backend infrastructure, in addition to figuring out Danabot’s C&C servers. The joint takedown effort additionally led to the identification of people answerable for Danabot growth, gross sales, administration, and extra. ESET took half within the effort alongside with Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Staff Cymru, Zscaler, Germany’s Bundeskriminalamt, the Netherlands’ Nationwide Police, and the Australian Federal Police.

These legislation enforcement operations have been performed underneath Operation Endgame – an ongoing international initiative aimed toward figuring out, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust, the operation efficiently took down essential infrastructure used to deploy ransomware by malicious software program.

Since Danabot has largely been disrupted, we are going to use this chance to share our insights into the workings of this malware-as-a-service (MaaS) operation, protecting the options used within the newest variations of the malware, the authors’ enterprise mannequin, and an summary of the toolset supplied to associates. Other than exfiltrating delicate knowledge, we’ve noticed that Danabot can be used to ship additional malware – together with ransomware – to an already compromised system.

Key factors of the blogpost:

• ESET Analysis has been monitoring Danabot’s exercise since 2018 as a part of a world effort that resulted in a significant disruption of the malware’s infrastructure.
• Whereas primarily developed as an infostealer and banking trojan, Danabot additionally has been used to distribute extra malware, together with ransomware.
• Danabot’s authors promote their toolset by underground boards and provide varied rental choices to potential associates.
• The standard toolset supplied by Danabot’s authors to their associates contains an administration panel software, a backconnect device for real-time management of bots, and a proxy server software that relays the communication between the bots and the precise C&C server.
• Associates can select from varied choices to generate new Danabot builds, and it’s their accountability to distribute these builds by their very own campaigns.

Background

Danabot, which belongs to a gaggle of infostealer and/or banking malware households coded within the Delphi programming language, gained prominence in 2018 by being utilized in a spam marketing campaign focusing on Australian customers. Since then, Danabot has expanded to different markets by varied campaigns, undergone a number of main updates of its internals and backend infrastructure, and skilled each peaks and downturns in reputation amongst cybercriminals.

All through our monitoring since 2018, ESET has tracked and analyzed a considerable variety of distinct samples and recognized greater than 1,000 distinctive C&C servers. Throughout that interval, ESET analyzed varied Danabot campaigns everywhere in the world, with Poland traditionally being one of the vital focused nations, as seen in Determine 1.

Along with typical cybercrime, Danabot has additionally been utilized in much less typical actions resembling using compromised machines for launching DDoS assaults. For instance, a DDoS assault towards Ukraine’s Ministry of Protection was noticed by Zscaler quickly after the Russian invasion of Ukraine. A really related DDoS module to the one utilized in that assault was additionally utilized by a Danabot operator to focus on a Russian website devoted to Arduino growth. These actions have been most likely motivated by the affiliate’s personal ambitions and political motivations.

Danabot group introduction

The authors of Danabot function as a single group, providing their device for hire to potential associates, who subsequently make use of it for their very own malicious functions by establishing and managing their very own botnets. The authors have even arrange a assist web page on the Tor community with detailed details about the capabilities of their device, as depicted in Determine 2.

To accumulate new prospects, Danabot is ceaselessly promoted in underground boards by the consumer JimmBee, who acts as one of many principal builders and directors of the Danabot malware and its toolset. One other noteworthy individual from the Danabot group is a consumer identified in underground boards as Onix, who coadministers the Danabot infrastructure and can be answerable for gross sales operations.

Function overview

Danabot’s authors have developed an unlimited number of options to help prospects with their malevolent goals. Essentially the most outstanding options supplied by Danabot embody:

• the flexibility to steal varied knowledge from browsers, mail purchasers, FTP purchasers, and different widespread software program,
• keylogging and display screen recording,
• real-time distant management of the victims’ techniques,
• a FileGrabber command, generally used for stealing cryptocurrency wallets,
• assist for Zeus-like webinjects and kind grabbing, and
• arbitrary payload add and execution.

Apart from using its stealing capabilities, we’ve noticed quite a lot of payloads being distributed by Danabot through the years, resembling:

• SystemBC,
• Rescoms,
• Ursnif,
• Smokeloader,
• Zloader,
• Lumma Stealer,
• RecordBreaker,
• Latrodectus, and
• NetSupportManager distant administration device.

Moreover, we’ve encountered cases of Danabot getting used to obtain ransomware onto already compromised techniques. We are able to title LockBit, Buran, Disaster, and a NonRansomware variant being pushed on a number of events.

Danabot’s means to obtain and execute arbitrary payloads is just not the one function used to distribute extra malware. Danabot was additionally noticed getting used as a device at hand off management of the botnet to a ransomware operator, as reported by Microsoft Risk Intelligence in late 2023.

Distribution strategies

All through its existence, based on our monitoring, Danabot has been a device of selection for a lot of cybercriminals and every of them has used totally different technique of distribution. Danabot’s builders even partnered with the authors of a number of malware cryptors and loaders, and supplied particular pricing for a distribution bundle to their prospects, serving to them with the method. Matanbuchus is an instance of such a promoted loader.

Through the years, we’ve seen all kinds of distribution strategies being utilized by Danabot associates, together with:

• quite a few variants of electronic mail spam campaigns,
• different malware resembling Smokeloader, DarkGate, and Matanbuchus, and
• misuse of Google Advertisements.

Not too long ago, out of all distribution mechanisms we noticed, the misuse of Google Advertisements to show seemingly related, however truly malicious, web sites among the many sponsored hyperlinks in Google search outcomes stands out as one of the vital outstanding strategies to lure victims into downloading Danabot. The most well-liked ploy is packing the malware with reputable software program and providing such a bundle by bogus software program websites (Determine 3) or web sites falsely promising customers to assist them discover unclaimed funds (Determine 4).

The most recent addition to those social engineering methods: misleading web sites providing options for fabricated pc points, whose solely goal is to lure the sufferer into execution of a malicious command secretly inserted into the consumer’s clipboard. An instance of such a web site resulting in downloading of Danabot in Determine 5.

Infrastructure

Overview

Initially, Danabot’s authors relied on a single centralized server to handle all bots’ connections and all associates’ knowledge, resembling command configurations and knowledge collected from their victims. This centralized strategy definitely had a detrimental influence on that server’s efficiency and was extra vulnerable to potential disruptions. That is most likely one of many the reason why we noticed a shift within the enterprise and infrastructure fashions in newer variations. Along with renting locations on their very own infrastructure, Danabot’s authors now provide set up of a personal server, as marketed on their assist website, to be operated by the affiliate (Determine 6).

The rental choices, as supplied by an underground discussion board in July 2023, are illustrated in Determine 7.

It’s value mentioning that, primarily based on our monitoring, the rental of an account on the shared infrastructure managed by Danabot’s authors appears to be the most well-liked selection for risk actors.

When associates buy a rental of one of many choices, they’re given instruments and credentials to hook up with the C&C server and handle their very own botnet by an administration panel. Within the following sections, we cowl the totally different components of the standard toolset.

C&C server software

The standalone server software comes within the type of a DLL file and acts because the mind of the botnet. It’s put in on a Home windows server and makes use of a MySQL database for knowledge administration. Bots connect with this server to transmit stolen knowledge and obtain instructions issued by associates. Associates connect with this server by way of the administration panel software to handle their botnet. This C&C server software is offered for native set up just for associates paying for the upper tier private server possibility. Associates who select to function their botnets on Danabot’s infrastructure as a substitute are given connection particulars to the C&C server already arrange there, and don’t have to host their very own C&C server.

Administration panel

The administration panel, displayed in Determine 8, is within the type of a GUI software, and represents an important device from the botnet operator’s perspective. It permits the affiliate to hook up with the C&C server and carry out duties resembling:

• handle bots and retrieve statistics of the botnet,
• concern varied instructions and superior configuration for bots,
• conveniently view and export knowledge gathered from victims,
• handle the notification system and arrange alerts on occasions triggered by bots,
• generate new Danabot builds, and
• arrange a series of proxy servers for communication between the bots and the C&C server.

We offer extra particulars and examples of essentially the most fascinating capabilities of the administration panel within the upcoming sections.

Backconnect device

One other essential device for administration is the standalone utility that permits botnet operators to remotely connect with and management their on-line bots. Accessible actions for distant management, as seen within the device, are illustrated in Determine 9. Most likely essentially the most fascinating options for cybercriminals are the flexibility to see and management the sufferer’s pc by way of a distant desktop connection and to carry out reconnaissance of the file system utilizing the built-in file supervisor.

Proxy server software

Bots sometimes don’t connect with the principle C&C server immediately, however somewhat use a series of proxies to relay the site visitors and conceal the placement of the true backend C&C. To facilitate this technique, Danabot’s authors present a proxy server software, out there for each Home windows and Linux techniques. Determine 10 reveals the utilization message from the Linux model of this straightforward proxy server software. Apart from utilizing proxies, bots could be configured to speak with the server by the Tor community in case all proxy chains turn out to be unavailable. An optionally available downloadable Tor module is then used for such communication.

Associates additionally ceaselessly make the most of this proxy server software as an middleman between their administration panel and the C&C server to additional improve their anonymity. When the whole lot is put collectively, the standard infrastructure could look as proven in Determine 11.

Internals

Communication

Danabot employs its personal proprietary C&C communication protocol with its knowledge encrypted utilizing AES-256. Generated AES session keys, distinctive for each message, are then additional encrypted utilizing RSA key pairs, securing the entire communication. It’s value mentioning that there have been a number of updates to the communication protocol and the packet construction over time.

The present packet knowledge construction of the standard command, earlier than it’s encrypted, seems to be as proven in Desk 1 . We want to level out that a lot of the fields are solely used through the first request within the communication loop to authenticate the bot, and are left unset within the subsequent instructions.

Desk 1. Packet construction utilized in Danabot communication

The latest variations of Danabot additionally add, to additional disguise its communication, a random quantity of seemingly junk bytes to the top of the packet construction earlier than it’s encrypted. It’s value mentioning that Danabot authors don’t at all times observe the most effective coding practices and the addition of this random variety of bytes was accomplished by resizing of the unique reminiscence buffer allotted to carry the packet construction as a substitute of clearing or initializing this newly acquired area. This led to unintentionally together with surrounding reminiscence areas of the method into the info packet being despatched from the bot to the server and, extra importantly, vice versa. These appended reminiscence areas captured and decrypted from the server-to-bot communication generally contained fascinating info from the server’s course of reminiscence and gave researchers invaluable perception into Danabot’s infrastructure and its customers. This bug was launched in 2022 and was fastened within the newest variations of Danabot in February 2025.

Additional particulars concerning the communication and its encryption have been already lined by varied researchers, and we gained’t dive into it extra on this blogpost.

Builds

Botnet operators have a number of choices for producing new Danabot builds to distribute to their victims. To the most effective of our information, whereas the operator could configure the construct course of and desired output by the administration panel software, the construct course of itself is carried out on the Danabot authors’ servers. After producing the chosen construct, the operator receives obtain hyperlinks for the builds and turns into answerable for their distribution in a marketing campaign.

Determine 12 reveals an instance of a construct configuration window and out there choices, such because the C&C server checklist to be configured within the ultimate binary file, varied obfuscation strategies, construct bitness, and so on.

Danabot at present presents 4 primary payload sorts, described in Desk 2.

Desk 2. Variants of obtainable builds

Payload sort	Description
Essential.dll	Generates a sole principal element within the type of a DLL to be distributed and loaded by way of rundll32.exe or regsvr32.exe.
Essential.exe	Generates a loader within the type of an EXE which will comprise the abovementioned principal element DLL or obtain it from one of many configured C&C servers.
Drop.exe	Generates a dropper with an embedded principal element DLL to be dropped to disk.
Drop.msi	Generates an MSI bundle with an embedded principal element DLL to be loaded.

Instructions configuration

A botnet operator can concern a sophisticated configuration to the bots by the administration panel. Bots are then ordered to carry out varied instructions based on the directions obtained. Determine 13 reveals an instance of such a command configuration.

Desk 3 lists the out there instructions that may be issued. Every job has its personal particular choices to additional accommodate the operator’s wants.

Desk 3. Accessible instructions

Command	Description
Video	Report a video of the chosen software or web site.
KeyLogger	Seize keystrokes from the chosen software.
PostFilter	Seize info from sure web sites’ kinds.
WebInject	Enable Zeus-like webinjects on sure loaded web sites to change their operate.
Redirect	Enable redirection of sure URLs.
Block	Block entry to configured URLs.
Screens	Take screenshots of a specific software or web site at sure intervals.
Alerts	Enable notifications to be despatched to a specific Jabber account on a configurable occasion.
Uninstall	Uninstall the bot from the system.
UAC	Present assist for privilege escalation.
FileGrabber	Enable sure recordsdata to be uploaded to the C&C if discovered on the sufferer’s arduous disk.
TorActive	Allow loading of a Tor module and permit connection by way of the Tor community if all C&C servers are inaccessible.
Stealer	Allow/disable the stealer performance and set its replace interval.
TimeOut	Set interval for the bot to contact its C&C server.
Set up	Configure the bot’s set up on the system and its persistence.
Exclusion	Set exclusions in Home windows Defender or Home windows Firewall for a specific course of.
ConfigSave	Save the bot’s configuration earlier than its termination.
HideProcess	Cover the bot’s course of.
CoreProtect	Enable the principle element to be injected into a further course of.

Further payloads

Danabot additionally offers the aptitude to obtain and execute additional executable recordsdata. This function permits the botnet operator to configure the set up of extra malware to the compromised system, as talked about earlier. Determine 14 reveals out there choices for this function within the administration panel software.

Conclusion

Danabot is a large-scale MaaS operation distributing a big selection of instruments for the malware associates’ disposal. Our investigation of this infostealer, which began in 2018, resulted within the evaluation of Danabot’s toolset supplied on this blogpost. The efforts of the authorities and several other cybersecurity firms, ESET included, led to the disruption of the malware’s infrastructure. It stays to be seen whether or not Danabot can get well from the takedown. The blow will, nevertheless, absolutely be felt, since legislation enforcement managed to unmask a number of people concerned within the malware’s operations.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Analysis presents non-public APT intelligence stories and knowledge feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.

IoCs

Recordsdata

Community

MITRE ATT&CK methods

This desk was constructed utilizing model 17 of the MITRE ATT&CK framework.