
Pirated Software Sites Deliver Fresh DanaBot Malware

Banking Trojan Hidden in Pirated Software Keys
A cracked software site that hides the latest version of the DanaBot Trojan (Source: Proofpoint)

Websites advertising pirated and cracked software are being used to deliver an updated version of the DanaBot banking Trojan, which can steal individuals' online banking credentials, according to security firm Proofpoint.


DanaBot, a malware-as-a-service offering, was first spotted by Proofpoint researchers in 2018. Cybercriminal groups have used the most recent version of the banking Trojan, which became available in October 2020, to target customers of financial institutions in the U.S., Canada, Germany, the U.K., Australia, Italy, Poland, Mexico and Ukraine, Proofpoint says.

"DanaBot was one of the most prominent banking malware variants for two years," says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. "While DanaBot is newly returned with a few updates, we anticipate it will be featured in phishing campaigns in the next few months, and DanaBot's affiliate numbers will increase as well."

Attack Tactics

A Proofpoint report released Tuesday notes the latest version of DanaBot is spread through websites that offer pirated software keys as a free download.

When victims download and execute a software key, two stealer components are loaded onto the compromised device. The first stealer is capable of collecting browser details, system information and cryptocurrency wallets. The second stealer is used to install a cryptocurrency miner as well as the main DanaBot payload, which can steal banking credentials, Proofpoint notes.

"We caution users to avoid downloading pirated software, as those files might be hiding an array of malware, including DanaBot banking Trojans, which quietly steal online banking credentials," DeGrippo says.

Affiliate Model

The DanaBot operators run the malware's global command-and-control infrastructure themselves and sell access to it to cybercriminal affiliates, Proofpoint says. Two affiliates of the malware-as-a-service operation have already adopted the latest version, the company says, while dozens still use earlier versions.

The latest DanaBot version includes anti-analysis capabilities and maintains persistence on compromised devices by dropping Windows LNK shortcut files, according to the research report.
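The report describes LNK-based persistence but does not say where the shortcuts are written. The following is an added hunting check, not Proofpoint's code or anything from the report: it assumes the shortcuts are placed in a Startup folder (the most common LNK persistence location) and flags shortcuts whose resolved target lives in a user-writable directory, points at a script host or LOLBin, is missing, or is not validly signed. The "trusted" directory list and the flagging rules are assumptions chosen for illustration.

```powershell
# Added example (not from the Proofpoint report): hunt for suspicious LNK
# shortcuts in the Windows Startup folders, a common LNK persistence location.
# Assumption: the malware's shortcuts land in a per-user or all-users Startup folder.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Directories treated as "expected" homes for legitimate shortcut targets (assumption).
$trustedRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")

# Interpreters and LOLBins that rarely belong in a Startup shortcut target (assumption).
$scriptHosts = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')

$shell = New-Object -ComObject WScript.Shell

$results = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # Resolve the shortcut the same way Explorer does.
        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = $lnk.TargetPath
        $reasons = @()

        if ($target) {
            $inTrusted = $trustedRoots | Where-Object { $_ -and ($target -like "$_\*") }
            if (-not $inTrusted) { $reasons += 'target outside Program Files/Windows' }

            $exeName = [IO.Path]::GetFileName($target).ToLowerInvariant()
            if ($scriptHosts -contains $exeName) { $reasons += 'script host or LOLBin target' }

            if (-not (Test-Path -LiteralPath $target)) {
                $reasons += 'target missing'
            } else {
                # Unsigned or tampered binaries in Startup deserve a look.
                $sig = Get-AuthenticodeSignature -LiteralPath $target -ErrorAction SilentlyContinue
                if ($sig -and $sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
            }
        } else {
            $reasons += 'empty target (shortcut may be malformed)'
        }

        [PSCustomObject]@{
            Shortcut   = $_.FullName
            Target     = $target
            Arguments  = $lnk.Arguments
            Modified   = $_.LastWriteTime
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Suspicious entries first; review Target and Arguments by hand before acting.
$results | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session so the all-users Startup folder and signature checks succeed. A hit on "target outside Program Files/Windows" alone is not proof of compromise (portable apps and updaters commonly live under AppData), so treat the output as triage input rather than a verdict, and extend the Startup-folder assumption with Run/RunOnce registry keys and scheduled tasks if the shortcuts are not found here.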

The malware also has the capability to target cryptowallets. This new capability "might also signal that the threat actor is preparing for future campaigns aimed at stealing wallets or logins for popular cryptocurrency sites, similar to their approach when targeting traditional banking credentials," DeGrippo says.

Targeting Cryptowallets

Over the last several months, researchers have been tracking several fresh malware variants targeting cryptocurrency wallets.

For example, earlier this month, Intezer Labs researchers uncovered a remote access Trojan, dubbed ElectroRAT, that had been stealing cryptocurrency from digital wallets over the past year (see: ElectroRAT Malware Targets Cryptocurrency Wallets).

In another recent report, security firm Group-IB found Raccoon - malware that has been known to target cryptocurrency wallets - is also being deployed by criminal gangs to target e-commerce sites and steal payment card details (see: Payment Card Skimming Group Deployed Raccoon Infostealer).

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
