A dangerous strain of malware has re-emerged using a distribution method that tricks users into downloading malicious software disguised as VPNs, anti-virus programs, or online games.
The malware, DanaBot, was frequently employed by threat actors between May 2018 and June 2020, before seemingly going on hiatus.
DanaBot is now being distributed by websites offering pirated or cracked versions of various software solutions. The trojan malware is capable of stealing an individual’s online banking credentials.
“For almost two years, DanaBot was one of the top banking malwares being used in the crimeware threat landscape,” Proofpoint researchers explained.
“Multiple threat actors were distributing and using it to target financials in many countries. In the middle of 2020, DanaBot activity dropped off. Some of the affiliates that were using it have continued their campaigns using other banking malware (e.g. Ursnif and Zloader). It is unclear whether COVID-19, competition from other banking malware, redevelopment time, or something else caused the dip, but it looks like DanaBot is back and trying to regain its foothold in the threat landscape.”
The DanaBot malware works by hiding two stealer components within the software keys of pirated tools. The first component collects browser details, system information, and cryptocurrency wallets from the victim, while the second installs a cryptocurrency miner.
It is likely that the use of DanaBot will increase now that the malware has returned to the threat landscape. In particular, the crypto mining feature included in the latest variant of DanaBot may signal that future attacks could be more focused on the cryptocurrency space.
With DanaBot’s return, individuals should be even more careful to only download software from trusted sources. It is not uncommon for malware to be secretly bundled with pirated material.