Analysis Summary
# Threat Actor: DanaBot Operators
## Attribution & Identity
The operators behind DanaBot are not attributed to a named threat group; the malware has been linked to multiple threat actors since it was first reported in May 2018, consistent with a malware-as-a-service model in which several affiliates distribute the same family. DanaBot itself is a Delphi-based banking Trojan and backdoor.
## Activity Summary
The malware is currently active: the samples analyzed date from November 2024. Distribution is ongoing and relies on phishing-style delivery, specifically malicious advertisements and the "ClickFix" social-engineering lure, in which the user is shown a fake error about a document that cannot be displayed and is told to run a "fix" that is in fact the DanaBot payload.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing-style delivery through malicious advertisements and social engineering (ClickFix lure).
- **Credential Access:** Theft of credentials, primarily banking and other financial logins.
- **Lateral Movement:** Remote Desktop Protocol (RDP) sessions from compromised hosts to other machines in the environment.
- **Collection/Exfiltration:** Interception and manipulation of network traffic to capture financial data before it is sent to the C2 infrastructure.
- **Tooling:** The malware is written in Delphi.
## Targeting
- **Sectors:** Primarily targets financial institutions.
- **Geography:** Not explicitly stated in the summary; the financial-sector focus implies victims in multiple regions rather than a single country.
- **Victims:** Specific organizations are not named in the summary provided.
## Tools & Infrastructure
- **Malware families used:** DanaBot (Banking Trojan/Backdoor).
- **Infrastructure (C2, domains, IPs; URLs defanged):**
  - **IPs:** 185[.]117[.]90[.]36 (prevalent C2), 23[.]95[.]182[.]47, 193[.]42[.]36[.]59, 193[.]56[.]146[.]53, 185[.]106[.]123[.]228.
  - **Domains:** srv51934[.]yourbestnetwork[.]net (associated with an SSL certificate on 185[.]117[.]90[.]36).
  - **Delivery URL observed:** https://altraonline[.]com/SKOblik[.]exe.
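The indicators above are published defanged, so they cannot be dropped into a proxy or DNS search as-is. The following added example (not part of the original report) refangs them, splits them into IP, domain and URL sets, and runs the resulting blocklist over a constructed proxy log. The log format (timestamp, source IP, destination IP, SNI/host, URL) and the sample lines are assumptions made for the example; the hostname of the delivery URL is added to the domain set so that later downloads from the same host are also flagged.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators as listed in the report above, still defanged.
DEFANGED_IOCS = [
    "185[.]117[.]90[.]36",          # prevalent C2
    "23[.]95[.]182[.]47",
    "193[.]42[.]36[.]59",
    "193[.]56[.]146[.]53",
    "185[.]106[.]123[.]228",
    "srv51934[.]yourbestnetwork[.]net",
    "https://altraonline[.]com/SKOblik[.]exe",  # delivery URL
]


def refang(ioc: str) -> str:
    """Convert common defanging conventions ([.], (.), [:], hxxp) back to the live value."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def build_blocklist(defanged):
    """Split indicators into IP, domain and URL sets.

    The hostname of each URL is added to the domain set as well, so a second
    payload served from the same host is caught without a new URL indicator.
    """
    ips, domains, urls = set(), set(), set()
    for raw in defanged:
        value = refang(raw)
        if "://" in value:
            urls.add(value)
            domains.add(urlparse(value).hostname.lower())
            continue
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.lower())
    return ips, domains, urls


# Constructed proxy-log format for this example:
# <timestamp> <src_ip> <dst_ip> <sni_or_host> <url>, with '-' for an absent field.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<url>\S+)$")


def match_line(line, ips, domains, urls):
    """Return the reasons a log line matches the blocklist (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    hits = []
    if m["dst"] in ips:
        hits.append(f"c2-ip:{m['dst']}")
    host = m["host"].lower()
    for d in domains:  # exact match or any subdomain of a listed domain
        if host == d or host.endswith("." + d):
            hits.append(f"c2-domain:{d}")
    if m["url"] in urls:
        hits.append(f"delivery-url:{m['url']}")
    return hits


def scan_log(text, defanged=DEFANGED_IOCS):
    """Return (line_number, hits) for every matching line of a log, 1-based."""
    ips, domains, urls = build_blocklist(defanged)
    results = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        hits = match_line(line, ips, domains, urls)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample log; non-IOC addresses use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-11-12T09:14:03Z 10.0.0.15 192.0.2.10 www.example.com https://www.example.com/
2024-11-12T09:15:41Z 10.0.0.15 185.117.90.36 srv51934.yourbestnetwork.net https://srv51934.yourbestnetwork.net/
2024-11-12T09:16:02Z 10.0.0.22 203.0.113.10 altraonline.com https://altraonline.com/SKOblik.exe
2024-11-12T09:17:30Z 10.0.0.22 23.95.182.47 - -
"""

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

The fourth sample line has no SNI or URL, which is the shape of a raw TCP connection to a C2 address; it is caught by the IP set alone, which is why the IPs are kept as a separate set rather than folded into string matching. Before turning matches into blocks, confirm that an address still belongs to the attacker, since hosting IPs are reassigned.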
## Implications
DanaBot remains an active and resilient threat, focused on compromising financial data via credential theft and lateral movement. Its continuous use of social engineering tactics (like ClickFix) suggests an ongoing capability to deceive end-users for initial access. The infrastructure reviewed shows multiple, potentially rotating, C2 points, indicating active maintenance of the botnet.
## Mitigations
- Implement robust security awareness training focused on recognizing phishing, malicious advertisements, and unusual document prompts (social engineering, e.g., ClickFix requests).
- Monitor for and block outbound network traffic to the identified C2 IPs and domains, and alert on any download of the observed delivery URL. Verify that an address is still attacker-controlled before blocking it outright, since hosting IPs are reassigned.
- Monitor for unauthorized use of Remote Desktop Protocol (RDP) for lateral movement.
- Ensure Endpoint Detection and Response (EDR) coverage for the DanaBot indicators available to you (this summary lists network indicators only; no file hashes are provided). Treat "Delphi-compiled executable" as a triage signal rather than a detection on its own, since a large amount of legitimate software is built with Delphi.
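The RDP mitigation above is easiest to act on as a check over Windows Security logon events (Event ID 4624, logon type 10 = RemoteInteractive). The following is an added example, not part of the original report: it takes a constructed set of 4624 events reduced to the fields the check needs and raises two kinds of alert, an RDP logon whose source is not an approved jump host, and one account opening RDP sessions to several different machines within a short window, which is the fan-out pattern lateral movement produces. The host names, account names, approved source ranges and thresholds are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security 4624 events, reduced to the fields used below.
# In practice these come from Get-WinEvent or a SIEM, not from a list.
SAMPLE_4624 = [
    {"time": "2024-11-12T10:01:00", "computer": "FIN-WS-07", "user": "jdoe",
     "logon_type": 10, "src_ip": "10.10.0.5"},      # from the approved jump host
    {"time": "2024-11-12T10:05:00", "computer": "FIN-WS-07", "user": "jdoe",
     "logon_type": 2, "src_ip": "-"},               # console logon, ignored
    {"time": "2024-11-12T10:20:00", "computer": "FIN-WS-09", "user": "svc_backup",
     "logon_type": 10, "src_ip": "10.10.5.12"},     # workstation to workstation
    {"time": "2024-11-12T10:22:00", "computer": "FIN-WS-11", "user": "svc_backup",
     "logon_type": 10, "src_ip": "10.10.5.12"},
    {"time": "2024-11-12T10:25:00", "computer": "FIN-SRV-02", "user": "svc_backup",
     "logon_type": 10, "src_ip": "10.10.5.12"},
    {"time": "2024-11-12T11:30:00", "computer": "FIN-WS-03", "user": "asmith",
     "logon_type": 10, "src_ip": "203.0.113.7"},    # RDP straight from the Internet
]

# Assumed policy: RDP is only expected from the jump-host subnet.
APPROVED_RDP_SOURCES = ["10.10.0.0/24"]
REMOTE_INTERACTIVE = 10


def rdp_logons(events):
    """Keep only RemoteInteractive (RDP) logons."""
    return [e for e in events if e["logon_type"] == REMOTE_INTERACTIVE]


def unapproved_sources(events, approved=APPROVED_RDP_SOURCES):
    """Alert on every RDP logon whose source IP is outside the approved ranges."""
    nets = [ipaddress.ip_network(a) for a in approved]
    alerts = []
    for e in rdp_logons(events):
        try:
            ip = ipaddress.ip_address(e["src_ip"])
        except ValueError:
            continue  # '-' or malformed source: not an RDP session we can place
        if not any(ip in n for n in nets):
            alerts.append({"rule": "rdp-from-unapproved-source", **e})
    return alerts


def rdp_fanout(events, threshold=3, window=timedelta(minutes=30)):
    """Alert once per account that RDPs to >= threshold distinct hosts within the window."""
    by_user = defaultdict(list)
    for e in rdp_logons(events):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 sorts chronologically as text
        for i, start in enumerate(evs):
            t0 = datetime.fromisoformat(start["time"])
            hosts = {e["computer"] for e in evs[i:]
                     if datetime.fromisoformat(e["time"]) - t0 <= window}
            if len(hosts) >= threshold:
                alerts.append({"rule": "rdp-fanout", "user": user,
                               "hosts": sorted(hosts), "from": start["time"]})
                break  # one alert per account is enough to open a case
    return alerts


def detect_rdp_lateral_movement(events):
    """Run both checks and return the combined alert list."""
    return unapproved_sources(events) + rdp_fanout(events)


if __name__ == "__main__":
    for a in detect_rdp_lateral_movement(SAMPLE_4624):
        print(a)
```

The source-based rule catches the case the report describes, an RDP session originating from a compromised workstation rather than from a jump host; the fan-out rule is there for environments where RDP between workstations cannot be ruled out by policy, since a single account touching several hosts in minutes is still unusual for a person and typical for an operator moving laterally.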