DanaBot updated with new C&C communication.

ESET researchers have discovered new versions of the DanaBot Trojan, updated with a more complicated protocol for C&C communication and slight modifications to its architecture and campaign IDs.

The fast-evolving, modular Trojan DanaBot has undergone further changes, with the latest version featuring an entirely new communication protocol. The protocol, introduced to DanaBot at the end of January 2019, adds several layers of encryption to DanaBot’s C&C communication.

Besides the changes in communication, DanaBot’s architecture and campaign IDs have also been modified.

The evolution of DanaBot

After being discovered in May 2018 as part of Australia-targeted spam campaigns, DanaBot has had an eventful time since, appearing in malspam campaigns in Poland, Italy, Germany, Austria and Ukraine, as well as in the United States. The European campaigns have seen the Trojan expanding its capabilities with new plugins and spam-sending features.

In ESET telemetry on January 25, 2019, we noticed unusual DanaBot-related executables. Upon further inspection, these binaries were, indeed, revealed to be DanaBot variants, but using a different communication protocol to communicate with the C&C server. Starting January 26, 2019, DanaBot operators stopped building binaries with the old protocol.

At the time of writing, the new version is being distributed under two scenarios:

1) As “updates” delivered to existing DanaBot victims
2) Via malspam in Poland

The new communication protocol

In the communication protocol used before January 25, packets were not encrypted in any way, as seen in Figure 1.

Following the latest changes, DanaBot uses the AES and RSA encryption algorithms in its C&C communication. The new communication protocol is complicated, with several encryption layers being used, as seen in Figure 2.


These changes break existing network-based signatures and make it more difficult to write new rules for Intrusion Detection and Prevention Systems. Also, without access to the corresponding RSA keys, it is impossible to decode sent or received packets; thus PCAP files from cloud-based analysis systems (such as ANY.RUN) become unusable for researchers.


Each packet sent by the client has a 24 (0x18)-byte header:

Offset   Size (bytes)   Meaning
0x0      0x8            Size of the data after this header
0x8      0x8            Random value
0x10     0x8            Sum of first two fields

For each packet, the header is followed by AES-encrypted packet data, then a 4-byte value indicating AES padding size, and finally the RSA-encrypted AES key. Each packet is encrypted with a different AES key. 

Server responses use the same format. Unlike in previous versions, packet data in server responses does not follow any specific layout (with some exceptions).
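As an added illustration (not code from ESET's article or from DanaBot itself), the following Python parses the packet framing described above and applies the header's own consistency rule, which a defender can use to triage captured flows even when the RSA keys, and therefore the plaintext, are unavailable. It assumes little-endian 64-bit header fields, a sum field that wraps modulo 2^64, and an RSA-encrypted key of a known fixed length (rsa_key_len); the article states none of these.

```python
import os
import struct
from typing import Optional

HEADER_LEN = 0x18        # 24-byte header: three 8-byte fields
HEADER_FMT = "<QQQ"      # assumption: little-endian unsigned 64-bit fields
MASK64 = (1 << 64) - 1   # assumption: the sum field wraps modulo 2**64


def build_packet(enc_data: bytes, pad_size: int, enc_key: bytes,
                 rnd: Optional[int] = None) -> bytes:
    """Frame a packet: header, AES-encrypted data, 4-byte AES padding size,
    RSA-encrypted AES key. enc_data and enc_key are opaque caller-supplied bytes."""
    body = enc_data + struct.pack("<I", pad_size) + enc_key
    if rnd is None:
        rnd = struct.unpack("<Q", os.urandom(8))[0]
    size = len(body)
    return struct.pack(HEADER_FMT, size, rnd, (size + rnd) & MASK64) + body


def header_consistent(pkt: bytes) -> bool:
    """Cheap triage check on a captured payload: the third header field must equal
    the sum of the first two, and the declared size must match the bytes present."""
    if len(pkt) < HEADER_LEN:
        return False
    size, rnd, check = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    return check == (size + rnd) & MASK64 and len(pkt) - HEADER_LEN == size


def parse_packet(pkt: bytes, rsa_key_len: int) -> dict:
    """Split a packet into its fields. rsa_key_len is the byte length of the
    RSA-encrypted AES key (assumed to be the RSA modulus size; not given in the article)."""
    if not header_consistent(pkt):
        raise ValueError("header sum or size check failed")
    size, rnd, _ = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    body = pkt[HEADER_LEN:]
    if rsa_key_len <= 0 or size < 4 + rsa_key_len:
        raise ValueError("declared size too small for padding field and key")
    key_off = size - rsa_key_len
    enc_key = body[key_off:]
    pad_size = struct.unpack("<I", body[key_off - 4:key_off])[0]
    enc_data = body[:key_off - 4]
    # Plausibility check (assumption): AES data is whole 16-byte blocks, padding <= data.
    if len(enc_data) % 16 or pad_size > len(enc_data):
        raise ValueError("implausible AES data length or padding size")
    return {"size": size, "random": rnd, "enc_data": enc_data,
            "pad_size": pad_size, "enc_key": enc_key}
```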

Packet data layout

The former packet data layout was detailed by Proofpoint in October 2018. In the latest version of DanaBot, the layout is slightly modified, as seen in Figure 4.


About ESET


For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from the endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit www.eset.com or follow us on Facebook, YouTube, and Twitter.