This free VPN download could be dangerous malware

A dangerous strain of malware has resurfaced using a distribution method that tricks users into downloading malware disguised as VPNs, antivirus programs, or online games. The malware, DanaBot, was frequently used by threat actors between May 2018 and June 2020, before apparently going on hiatus. DanaBot is now distributed via websites offering pirated or cracked versions of various software solutions. This Trojan horse malware is capable of stealing a person's online banking credentials.

Questionable downloads

“For almost two years, DanaBot has been one of the top banking malware used in the criminal software threat landscape,” Proofpoint researchers explained. “Many threat actors were distributing it and using it to target financial services in many countries. In mid-2020, DanaBot activity dropped. Some affiliates that used it continued their campaigns using other banking malware (e.g. Ursnif and Zloader). It's unclear if COVID-19, competition from other banking malware, redevelopment time, or something else caused the crash, but it looks like DanaBot is back and trying to regain a foothold in the threat landscape.”

DanaBot malware works by hiding two stealing components in the software key of hacked tools. The first software key is used to collect the victim's browser details, system information, and cryptocurrency wallets, while the second is used to install a cryptocurrency miner.

DanaBot usage is likely to increase now that the malware has returned to the threat landscape. In particular, the cryptocurrency mining feature included in the latest DanaBot variant may indicate that future attacks could focus more on the cryptocurrency space. With the return of DanaBot, people should be even more careful about only downloading software from trusted sources. It is not uncommon for malware to be secretly associated with hacked hardware.