DanaBot banking trojan adds sly spam feature, distributes GootKit malware

The DanaBot banking trojan is branching out into new territories, adding email address harvesting and spam distribution to its bag of tricks, while apparently partnering with the actors behind GootKit, another banking malware program.

In a company blog post today, researchers at ESET said they observed DanaBot's sudden evolution while investigating a September 2018 campaign that leveraged a malicious webinject to target the users of Italian webmail services.

The webinject reportedly allows DanaBot to steal email addresses from victims' mailboxes and send them to a C2 server. If the webmail service is based on the Open-Xchange messaging and productivity software suite, then DanaBot goes one step further, injecting a script that uses these same mailboxes to send spam to the harvested email addresses.

The spam emails look like legitimate communications from known contacts because they are sent as replies to actual emails. These phony emails include .zip attachments containing a decoy .pdf file and a malicious .vbs file that uses PowerShell to retrieve additional malware -- a downloader for the GootKit banking fraud trojan.

"This is the first time we have seen indicators of DanaBot distributing other malware," said the ESET blog post. "Until now, DanaBot has been believed to be operated by a single, closed group. The behavior is also new for GootKit, which has been described as a privately held tool, not sold on underground forums, and also operated by a closed group."

Additional links between DanaBot and GootKit include a shared C&C server subnet and top-level domain, a shared name server and domain registrar for .co domains, and an overlapping spike in activity in Poland in late October and early November.

Finally, ESET also reported that DanaBot's configuration has echoes of the Tinba and Zeus malware families, and that its scripts "are almost exactly the same" as scripts previously used by the BackSwap banking malware.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.