The DanaBot banking trojan is branching out into new territories, adding email address harvesting and spam distribution to its bag of tricks, while apparently partnering with the actors behind GootKit, another banking malware program.
In a company blog post today, researchers at ESET said they observed DanaBot’s sudden evolution while investigating a September 2018 campaign that leveraged a malicious webinject to target the users of Italian webmail services.
The webinject reportedly allows DanaBot to steal email addresses from victims’ mailboxes and send them to a C2 server. If the webmail service is based on the Open-Xchange messaging and productivity software suite, then DanaBot goes one step further, injecting a script that uses these same mailboxes to send spam to the harvested email addresses.
The spam emails look like legitimate communications from known contacts because they are sent as replies to actual emails. These phony emails would include .zip attachments with a decoy .pdf file and a malicious .vbs file that uses PowerShell to produce additional malware — a downloader for the GootKit banking fraud trojan.
“This is the first time we have seen indicators of DanaBot distributing other malware,” said the ESET blog post. “Until now, DanaBot has been believed to be operated by a single, closed group. The behavior is also new for GootKit, which has been described as a privately held tool, not sold on underground forums, and also operated by a closed group.”
Additional links between DanaBot and GootKit include a shared C&C server subnet and top-level domain, a shared name server and domain registrar for .co domains, and an overlapping spike in activity in Poland in late October and early November.
Finally, ESET also reported that DanaBot’s configuration has echos of the Tinba and Zeus malware families, and its scripts “are almost exactly the same” as scripts previous used by the BackSwap banking malware.