A new sample of the DanaBot trojan spotted in a recent campaign reveals that the operators behind the malware have added a ransomware component to its code, along with new string encryption and a new communications protocol.
The update, wrote Check Point researchers on Thursday, represents a significant upgrade to the malware. However, the researchers also reported they have devised a possible way to recover files encrypted by the newly added DanaBot ransomware component.
“For almost a year, DanaBot has been extending its capabilities and evolving into a more sophisticated threat,” wrote Check Point researchers Yaroslav Harakhavik and Aliaksandr Chailytko, in a breakdown of the malware’s latest components. “We assume its operators will continue to add more improvements.”
Early variants of DanaBot were first reported in 2018, when it was considered a novel banking trojan used in phishing campaigns targeting customers in Australia and Canada – leveraging web injections and stealer functions.
According to Check Point, recent DanaBot campaigns have migrated to Europe and are now dropping executable files containing ransomware written in the programming language Delphi. Additional capabilities include stealing browser credentials, running a local proxy to manipulate web traffic and initiating remote desktop control on targeted systems.
The initial means of infection is still a phishing attack. Attackers send messages enticing recipients to interact with an attachment that downloads a VBS script, which functions as the DanaBot dropper.
“In January, the DanaBot downloader changed its communication protocol, obscuring it with the AES256 encryption. The new protocol was described in detail by ESET,” researchers wrote. AES256 refers to the Advanced Encryption Standard used with a 256-bit key, and in this context it allows operators to cloak communication between the client and the command-and-control servers (C2s) operated by the adversaries.
The addition of a ransomware component to DanaBot was spotted in May by Check Point. The samples indicated that operators had tweaked a variant of NonRansomware.
According to Check Point, NonRansomware enumerates files on local drives and encrypts all of them except the Windows directory. “The encrypted files have a .non extension. A ransom message HowToBackFiles.txt is placed in each directory which contains encrypted files (AES128),” they wrote.
They added, “The password is a string representation of the system volume serial number. Every file is encrypted in a separate thread. The victim ID which is shown in the ransom message is generated from the password (i.e. C disk serial number) according [to a specific algorithm].”
Check Point was able to devise a way to restore encrypted files by calling “the DecodeFile function for all the encrypted files with a password brute-forced using the known victim ID.” The tool for file decryption can be found within its DanaBot report.
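The recovery approach described above works because the password is derived from a 32-bit volume serial number and the victim ID is derived deterministically from that password, so the key space is small enough to enumerate and the ransom note itself provides the oracle. The Go program below is an added illustration of that recovery logic; it is not Check Point's decryption tool and not DanaBot's code. Because the article does not give NonRansomware's actual derivation, every scheme detail here is an assumption: the password is taken to be the serial number as eight uppercase hex digits, the AES-128 key is taken to be the first 16 bytes of SHA-256 of the password, the victim ID is taken to be a truncated hash of the password, and files are encrypted with AES-128-CTR with a random IV prepended. The function names `encryptWithSerial`, `recoverSerial` and `decodeFile` are likewise hypothetical. The search window in `main` is narrowed to 65,536 candidates so the demo runs instantly; the full 32-bit space is 2^32 hash computations, which is still feasible on a single machine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// serialToPassword renders a volume serial number as the password string.
// Assumed format (eight uppercase hex digits); not NonRansomware's real one.
func serialToPassword(serial uint32) string {
	return fmt.Sprintf("%08X", serial)
}

// passwordToKey derives an AES-128 key from the password.
// Assumed KDF: first 16 bytes of SHA-256(password).
func passwordToKey(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:16]
}

// passwordToVictimID derives the ID printed in the ransom note.
// Assumed scheme: hex of the first 4 bytes of SHA-256("id:" + password).
// The only property the recovery needs is that it is deterministic.
func passwordToVictimID(password string) string {
	sum := sha256.Sum256([]byte("id:" + password))
	return hex.EncodeToString(sum[:4])
}

// encryptWithSerial models the encryptor side: AES-128-CTR with a random IV
// prepended to the ciphertext, keyed from the serial number. It returns the
// blob and the victim ID that would be written into HowToBackFiles.txt.
func encryptWithSerial(serial uint32, plaintext []byte) ([]byte, string, error) {
	password := serialToPassword(serial)
	block, err := aes.NewCipher(passwordToKey(password))
	if err != nil {
		return nil, "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, "", err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	copy(out, iv)
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, passwordToVictimID(password), nil
}

// decodeFile is the recovery-side decrypt: given the password and a blob
// produced by encryptWithSerial, strip the IV and reverse the CTR stream.
func decodeFile(password string, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize {
		return nil, errors.New("encrypted blob shorter than one IV")
	}
	block, err := aes.NewCipher(passwordToKey(password))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCTR(block, blob[:aes.BlockSize]).XORKeyStream(out, blob[aes.BlockSize:])
	return out, nil
}

// recoverSerial enumerates candidate serial numbers in [lo, hi] and returns
// the first whose derived victim ID matches the one from the ransom note.
// Callers with no hint pass the full range 0..0xFFFFFFFF.
func recoverSerial(victimID string, lo, hi uint32) (uint32, bool) {
	for s := lo; ; s++ {
		if passwordToVictimID(serialToPassword(s)) == victimID {
			return s, true
		}
		if s == hi { // checked before s++ so the loop cannot wrap at MaxUint32
			break
		}
	}
	return 0, false
}

func main() {
	const serial uint32 = 0x1A2B3C4D // constructed sample serial number
	plain := []byte("constructed sample document contents")
	blob, victimID, err := encryptWithSerial(serial, plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("victim ID from ransom note: %s\n", victimID)
	// Narrow window so the demo is instant; the real search is 2^32 wide.
	found, ok := recoverSerial(victimID, 0x1A2B0000, 0x1A2BFFFF)
	if !ok {
		panic("serial not found in window")
	}
	dec, err := decodeFile(serialToPassword(found), blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered serial %08X, plaintext: %q\n", found, dec)
}
```

The design point for defenders is that a per-victim key is only as strong as the secret it is derived from: a 32-bit serial number that is also fingerprinted in the ransom note leaves a deterministic oracle and a tractable key space, which is exactly what makes this family recoverable without the operators' cooperation.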
Check Point notes that ransomware is still a stable source of income for cybercriminals. “Therefore such simple ‘copy-paste’ encryptors as the one that was described here will continue to emerge constantly,” researchers said.