The fast-moving modular Trojan DanaBot has undergone further changes. In the version released at the end of January 2019, a completely new communication protocol was implemented, adding several layers of encryption to the traffic between the Trojan and its C&C server. In addition, the DanaBot architecture and campaign IDs have changed.
DanaBot Evolution
After being discovered in May 2018 as part of a spam campaign targeting Australia, DanaBot featured in a number of other attacks, including spam campaigns in Poland, Italy, Germany, Austria and Ukraine, as well as the United States. In the European campaigns, the Trojan's functionality was expanded with new plug-ins and spamming capabilities.
On January 25, our telemetry flagged unusual executable files associated with DanaBot. Further analysis confirmed that these binaries are indeed DanaBot builds, but that they use a different protocol to communicate with the C&C server. Since January 26, the operators have stopped building binaries that use the old protocol.
At the time of writing, the new version of DanaBot was being distributed in two ways:
- as "updates" pushed to existing DanaBot victims;
- via spam (in Poland).
New communication protocol
In the protocol used until January 25, packets were not encrypted, as shown in Figure 1.
Figure 1. A packet capture showing the old protocol with unencrypted data
After the update, DanaBot uses the AES and RSA algorithms in its communication with the C&C server. The new protocol is more complex because it uses several layers of encryption, as shown in the figure below.
Figure 2. Diagram of the new DanaBot communication protocol
These changes evade detection by existing network signatures and make it harder to write new rules for intrusion detection and prevention systems. In addition, without access to the corresponding RSA keys it is impossible to decrypt the packets sent or received, so PCAP files from cloud analysis systems (such as ANY.RUN) are unsuitable for research.
Figure 3. A packet capture of the new communication protocol
Each packet sent by the client has a 24 (0x18) byte header:

For each packet, the header is followed by the AES-encrypted packet data, then a 4-byte value indicating the size of the AES offset, and then the AES key encrypted with RSA. Every packet is encrypted with a different AES key.
Server responses use the same format. Unlike in previous versions, the packet data in server responses does not follow any particular structure (with some exceptions).
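To make the framing concrete, the following Go code (added here; it is neither ESET's nor DanaBot's code) builds and parses a packet in the layout just described: an opaque 24-byte header, AES-encrypted data under a fresh per-packet key, a 4-byte size field, and the AES key wrapped with RSA. The cipher modes (AES-GCM, RSA-OAEP), the prepended nonce, the little-endian size field and its reading as the length of the AES-encrypted region are assumptions, as is the header content; the parser also shows why a capture cannot be opened without the matching RSA private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// HeaderLen is the 24 (0x18) byte header the post describes; its fields are not given, so it is opaque here.
const HeaderLen = 24
// NewKeyPair wraps RSA key generation so callers (and tests) need not import crypto/rand.
func NewKeyPair(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }
// aead builds the AES-256-GCM instance for one packet key (neither call can fail for a 32-byte key).
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// Seal frames one packet as header | nonce + AES-GCM ciphertext | 4-byte LE size of that
// AES region | RSA-OAEP wrapped AES key, drawing a fresh key per packet. GCM, OAEP, the
// prepended nonce and little-endian are assumptions; header must be exactly HeaderLen bytes.
func Seal(pub *rsa.PublicKey, header, plaintext []byte) ([]byte, error) {
	kn := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	body := aead(kn[:32]).Seal(append([]byte{}, kn[32:]...), kn[32:], plaintext, header) // nonce || ct
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kn[:32], nil)
	if err != nil {
		return nil, err
	}
	pkt := binary.LittleEndian.AppendUint32(append(append([]byte{}, header...), body...), uint32(len(body)))
	return append(pkt, wrapped...), nil
}

// Open parses from the tail: RSA blob (modulus-sized), then the 4-byte size, then the AES region.
func Open(priv *rsa.PrivateKey, pkt []byte) (header, plaintext []byte, err error) {
	tail := len(pkt) - priv.Size() - 4 // offset of the size field
	if tail < HeaderLen+12+16 || int(binary.LittleEndian.Uint32(pkt[tail:])) != tail-HeaderLen {
		return nil, nil, errors.New("packet length and size field disagree")
	}
	// Without the matching RSA private key this step fails and the capture stays opaque.
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, pkt[tail+4:], nil)
	if err != nil {
		return nil, nil, err
	}
	header, body := pkt[:HeaderLen], pkt[HeaderLen:tail]
	plaintext, err = aead(key).Open(nil, body[:12], body[12:], header)
	return header, plaintext, err
}
```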
Data packet structure
The previous packet data structure was described in detail by Proofpoint in October 2018. In the latest version of DanaBot, this layout is slightly modified, as shown in the figure below.
Figure 4. Comparison of the packet data structure in the old and new versions of DanaBot
DanaBot architecture changes
In addition to the communication protocol, DanaBot's architecture has been slightly modified. Previous versions of the Trojan included a component that downloaded and executed the main module; the main module then downloaded and executed the plug-ins and configuration.
In the latest version, these functions are performed by a new loader, which downloads all the plug-ins along with the main module. Persistence is achieved by registering the loader component as a service.
Figure 5. Comparison of the architecture of the old and new versions of DanaBot
Commands
Our analysis shows that the loader component uses the following commands:
- 0x12C - Hello; the first command sent from the client to the server
- 0x12D - download the 32/64-bit loader component
- 0x12E - request the list of plug-ins and configuration files
- 0x12F - download plug-ins / configuration files
The downloaded plug-ins and configuration files are encrypted with an AES key derived from the client ID. In addition, plug-ins are packed as ZIP archives using LZMA compression, while configuration files are zlib-compressed.
Commands with IDs 0x130–0x134 are sent by the main module:
- 0x130 - send collected information to the C&C server (for example, a screenshot of the victim's computer or system data)
- 0x131 - send collected information to the C&C server (for example, a list of files on the infected computer's hard disk)
- 0x132 - request further commands from the C&C server. There are about 30 commands typical of backdoors, including running plug-ins, collecting system information and modifying files on the client system.
- 0x133 - update the list of C&C servers via a Tor proxy
- 0x134 - exact purpose unknown; most likely used for communication between plug-ins and the C&C server
Changes in campaign IDs
A previous study showed that DanaBot is distributed under different campaign IDs. In the previous version of DanaBot, about 20 campaign IDs were used. In the latest version, the IDs have changed slightly. As of February 5, 2019, we see the following IDs:
- ID = 2 - apparently a test version, serving a small number of configuration files and no web injects
- ID = 3 - actively distributed, targeting users in Poland and Italy; serves all configuration files and web injects for Polish and Italian targets
- ID = 5 - serves configuration files for Australian targets
- ID = 7 - distributed in Poland only; serves web injects for Polish targets
- ID = 9 - apparently also a test version with limited distribution and no specific targeting; serves a limited number of configuration files and no web injects
Conclusion
In 2018, we observed DanaBot develop in terms of both distribution and functionality. In early 2019, the Trojan underwent "internal" changes, indicating that its authors are actively working on it. The recent updates suggest that DanaBot's authors are making an effort to evade detection at the network level. It is possible that the authors follow published research in order to change the code promptly, staying ahead of security product developers.
ESET products detect and block all DanaBot components and plug-ins. Detection names are listed in the next section.
Indicators of Compromise (IoCs)
C&C servers used by the new version of DanaBot
Web inject and redirect servers
Hash examples
New DanaBot builds come out regularly, so we can only provide a subset of the hashes:
- Dropper: 98C70361EA611BA33EE3A79816A88B2500ED7844 (Win32/TrojanDropper.Danabot.O)
- Loader (x86), ID = 3: 0DF17562844B7A0A0170C9830921C3442D59C73C (Win32/Spy.Danabot.L)
- Loader (x64), ID = 3: B816E90E9B71C85539EA3BB897E4F234A0422F85 (Win64/Spy.Danabot.G)
- Loader (x86), ID = 9: 5F085B19657D2511A89F3172B7887CE29FC70792 (Win32/Spy.Danabot.I)
- Loader (x64), ID = 9: 4075375A08273E65C223116ECD2CEF903BA97B1E (Win64/Spy.Danabot.F)
- Main module (x86): 28139782562B0E4CAB7F7885ECA75DFCA5E1D570 (Win32/Spy.Danabot.K)
- Main module (x64): B1FF7285B49F36FE8D65E7B896FCCDB1618EAA4B (Win64/Spy.Danabot.C)
Plug-ins
- RDPWrap: 890B5473B419057F89802E0B6DA011B315F3EF94 (Win32/Spy.Danabot.H)
- Stealer (x86): E50A03D12DDAC6EA626718286650B9BB858B2E69 (Win32/Spy.Danabot.C)
- Stealer (x64): 9B0EC454401023DF6D3D4903735301BA669AADD1 (Win64/Spy.Danabot.E)
- Sniffer: DBFD8553C66275694FC4B32F9DF16ADEA74145E6 (Win32/Spy.Danabot.B)
- VNC: E0880DCFCB1724790DFEB7DFE01A5D54B33D80B6 (Win32/Spy.Danabot.D)
- TOR: 73A5B0BEE8C9FB4703A206608ED277A06AA1E384 (Win32/Spy.Danabot.G)