Threat Intelligence

DanaBot Malware Adds Spam to its Menu

A new generation of modular malware increases its value to criminals.

Malware authors adding to the capabilities of their malicious software is nothing new. But a recently discovered addition of spam-generation to a banking Trojan package demonstrates how criminals are adding email capabilities to increase ways to both distribute and monetize it.

DanaBot, the malware at the center of the new discovery by ESET and Proofpoint, was first described by Proofpoint researchers in May of this year. It was, at the time, a relatively simple banking Trojan spread by an actor known for purchasing malware from other authors.

But a new campaign has DanaBot distributing a malicious payload related to GootKit, an advanced banking Trojan. It's an example of a criminal actor bringing together modular malware from two criminal organizations that have, in the past, been known for working independently.

"This follows along with a trend that we're seeing it with the actors who, instead of distributing just a straight banking Trojan or ransomware, are distributing full-featured malware," says Christopher Dawson, threat intelligence lead at Proofpoint. "We're seeing lots more Remote Access Trojans being distributed. And you know a RAT being submitted by a financially motivated actor is kind of a big deal."

Dawson says that the financial motivation means that the authors of malware like DanaBot are going to try to maximize the return on their development investment, so they're likely to continue adding features.

DanaBot's new capabilities include harvesting email addresses from a victim's computer and using those addresses for spam messages that seek to spread the malware to systems both on the victim's network and to other, unrelated networks.

The growing trend to use modular design in malware makes it easier for threat actors to add capabilities to existing software for new campaigns. Describing the new DanaBot activity, ESET researchers wrote that "part of DanaBot's configuration has a structure we have previously seen in other malware families, for example Tinba or Zeus. This allows its developers to use similar webinject scripts or even reuse third-party scripts."

What to Do

So what does this shift mean for enterprise security teams? "It's really reinforcing that old message; layered security, robust backups, robust patching regimens. This is the same message over and over," Dawson says. 

While it's hard to maintain multiple systems, endpoint security, edge security, app security and everything else, he says, "it's just it is the nature of the beast that you've got to be able to catch malware at every step."

Dawson says the question of whether it's the work of a criminal organization or a nation-state actor ultimately makes little difference. "While nation-state actors get the bulk of the mass media press, the nature of the threat means that ultimately the victim has something that the attacker wants," he says. "But most of what we see is crimeware. These are are financially motivated actors and they are just doing their best to monetize their efforts."

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
CVE-2018-20727
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.