Rewterz Threat Alert – DanaBot Trojan – Active IOCs

Severity

High

Analysis Summary

DanaBot is a persistent and ever-evolving threat that has been circulating in the wild since 2018. DanaBot was originally marketed as a Malware-as-a-Service (MaaS) offering primarily targeted banking fraud and data theft. It has, however, getting more advanced and intricate as time has progressed. DanaBot is a high-risk trojan-type malware that infiltrates the system and collects a variety of sensitive data. DanaBot is spread by developers through spam email campaigns. Users get unsolicited emails with false content encouraging them to open MS Office documents attached. When these attachments are accessed, DanaBot is secretly downloaded and installed.

Infected email attachments, malicious online advertisements, social engineering, and software cracks are the distribution methods of this Trojan.

Impact

• Password & identity theft
• Data Exfiltration
• Information Theft

Indicators of Compromise

MD5

• e19fc2c2485093be5db8883bd76c5b1b
• b1d4dc3e5c3ead845633192b2ead54b8
• 73348daba269cf2fab1b11edf6691e34
• 134ba0a636c16478f5af66d7b00882eb

SHA-256

• a835d0a363da3392795acfd5a23004c04e9014b5eea42bb65c1564803514e62c
• 222243b9e36aedde4fed2b6a8a5decec275855d21217dc05069b20bfff504973
• 323e603adf8bc36267e2a67844ede41626a05025d1199b6e4776924ee51ca011
• 1de272d1038a4da0e2d177520ae647d33a44333e95be0033f7935c2f545d90dc

SHA-1

• 08108bc08bc7c367784a9690c88fe604c8bddd99
• d218d3b60d05815276b0710936ccb6cfbe5e8988
• 8a17b4885b4b57339b196bcdb0ed907156771cc3
• abb04b8b4ff9fb80bab48a9a91add7d51bdaf9bd

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets