DanaBot Now Incorporates Ransomware
A new version of the DanaBot trojan, found in a recent campaign, now includes a ransomware component in its code, along with new string encryption and communications protocols. According to Check Point researchers, the new version is a significant upgrade to the malware. The researchers also reported that there is a possible way to recover files encrypted by the newly added DanaBot ransomware component. For almost a year, DanaBot has been extending its capabilities and evolving into a more sophisticated threat.
Early versions of DanaBot were first reported in 2018, when it was considered a novel banking trojan used in phishing campaigns targeting customers in Australia and Canada, leveraging web injections. According to Check Point, recent DanaBot campaigns have migrated to Europe and are now dropping executable files containing ransomware written in the Delphi programming language. Additional capabilities include stealing browser credentials, running a local proxy to manipulate web traffic, and initiating remote desktop control on targeted systems. The initial means of infection is still a phishing attack: hackers send messages enticing recipients to interact with an attachment that downloads a VBS script, which functions as the DanaBot dropper.
In January, the DanaBot downloader changed its communication protocol, obscuring it with AES-256 encryption. The new protocol was described in detail by ESET researchers. AES-256 is the Advanced Encryption Standard with a 256-bit key, and in this context it allows the operators to cloak communication between the client and the command-and-control servers (C2s) they run.
The addition of a ransomware component to DanaBot was spotted in May by Check Point. The samples indicated that the operators had tweaked a variant of NonRansomware. NonRansomware enumerates files on local drives and encrypts all of them except the Windows directory. The encrypted files receive a .non extension, and a ransom message, HowToBackFiles.txt, is placed in each directory that contains encrypted files. The password is a string representation of the system volume serial number, and every file is encrypted in a separate thread. The victim ID shown in the ransom message is generated from the password according [to a specific algorithm].
Check Point was able to come up with a way to restore encrypted files: calling the DecodeFile function on every encrypted file with a password brute-forced from the known victim ID. Ransomware is still a stable source of income for criminals, and with simple copy-paste encryptors it will continue to emerge constantly.
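The recovery path above works because the password is derived from a 32-bit volume serial number and the victim ID is a deterministic, public function of that password, so the ransom note itself becomes an oracle for a keyspace of only about 4.3 billion candidates. The following is an added illustration of that weakness, not DanaBot's or Check Point's code: the article does not give the victim-ID algorithm, the cipher, or the exact serial formatting, so `victim_id_from_password`, the SHA-256 counter-mode keystream used as a stand-in cipher, the 8-hex-digit serial format, and the sample serial and file contents are all constructed assumptions.

```python
import hashlib
from typing import Optional

# Added illustration. The article states only that the password is the string
# form of the system volume serial number and that the victim ID is derived
# from that password; everything concrete below is a constructed stand-in.

SERIAL_BITS = 32  # Windows volume serial numbers are 32-bit values


def password_from_serial(serial: int) -> str:
    """Assumed formatting: the serial rendered as 8 upper-case hex digits."""
    return f"{serial:08X}"


def victim_id_from_password(password: str) -> str:
    """Constructed victim-ID derivation: a truncated SHA-256 of the password.
    Any deterministic public function of the password has the same flaw: it
    lets a recovery tool test candidate serials without touching a file."""
    return hashlib.sha256(password.encode("ascii")).hexdigest()[:16]


def _keystream(password: str, length: int) -> bytes:
    """Placeholder symmetric cipher: SHA-256 in counter mode as a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{password}:{counter}".encode("ascii")).digest()
        counter += 1
    return bytes(out[:length])


def encode_file(plaintext: bytes, password: str) -> bytes:
    """XOR the data with the password-derived keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(password, len(plaintext))))


def decode_file(ciphertext: bytes, password: str) -> bytes:
    """An XOR keystream cipher is symmetric, so decoding is the same operation."""
    return encode_file(ciphertext, password)


def recover_serial(victim_id: str, start: int, stop: int) -> Optional[int]:
    """Walk the serial range and return the one whose victim ID matches.
    The full keyspace is 2**32 candidates (about 4.3e9), a few minutes of
    hashing in compiled code; this pure-Python loop is for a bounded window."""
    for serial in range(start, stop):
        if victim_id_from_password(password_from_serial(serial)) == victim_id:
            return serial
    return None


def recover_file(ciphertext: bytes, victim_id: str,
                 start: int = 0, stop: int = 1 << SERIAL_BITS) -> Optional[bytes]:
    """Brute-force the serial from the ransom-note victim ID, then decode."""
    serial = recover_serial(victim_id, start, stop)
    if serial is None:
        return None
    return decode_file(ciphertext, password_from_serial(serial))


# Constructed demo victim: a made-up volume serial and a made-up file.
DEMO_SERIAL = 0x1A2B3C4D
DEMO_PLAINTEXT = b"quarterly-report.docx contents (constructed sample)"
DEMO_CIPHERTEXT = encode_file(DEMO_PLAINTEXT, password_from_serial(DEMO_SERIAL))
DEMO_VICTIM_ID = victim_id_from_password(password_from_serial(DEMO_SERIAL))

if __name__ == "__main__":
    # Search a one-million-serial window around the real value to keep the
    # demo short; a real recovery tool would sweep the whole 32-bit range.
    recovered = recover_file(DEMO_CIPHERTEXT, DEMO_VICTIM_ID,
                             DEMO_SERIAL - 500_000, DEMO_SERIAL + 500_000)
    print(recovered)
```

The design point for defenders is the size of the search space: a 32-bit serial is small enough that the victim ID alone gives away the key, which is why a file-by-file decoder can be built once the derivation is known. A ransomware family that instead generated a random per-victim key and published only an asymmetrically encrypted copy of it would not be recoverable this way.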