- DanaBot campaigns targeted at European countries also drop a ransomware executable onto target systems.
- The trojan also comes with new plugins, configuration files, and other updates.
Banking trojan DanaBot, which is known to target organizations across Europe, North America, and Australia, has been found being distributed with a ransomware module. Security researchers from CheckPoint came across this new variant in few of the recent DanaBot campaigns. According to the researchers, DanaBot also had new plugins, configuration files, string encryptions, file name generation algorithms as well as had a different communication protocol.
- In a report by CheckPoint, researchers indicate that the new DanaBot is also spread through phishing emails that contain a malicious link. This link acts as a dropper for DanaBot.
- On top of having a new communication protocol, the researchers found that the recent campaigns used additional plugins and configuration files for DanaBot.
- Coming to the ransomware module, it was identified to be a variant of “NonRansomware”, which is known for enumerating files on local drives and encrypting them except for the Windows directory.
- After execution, the ransomware runs a Batch script. This script performs a host of actions which includes disabling Windows Defender, removing system logs amongst others. Furthermore, it schedules a task that executes the ransomware every 14 minutes until a certain period and then proceeds with encryption.
CheckPoint researchers hint that the threat actors behind DanaBot continue to keep updating the trojan. “For almost a year, DanaBot has been extending its capabilities and evolving into a more sophisticated threat. We assume its operators will continue to add more improvements,” they said.
“A lot of ransomware still remain a relatively stable source of income for cybercriminals. Therefore such simple ‘copy-paste’ encryptors as the one that was described here will continue to emerge constantly,” the researchers wrote, regarding the prevalence of ransomware attacks.