DanaBot: The Modular Trojan That Pivoted to Espionage
Threat Intelligence
DanaBot began as a for-hire banking trojan with a clean plugin architecture and a thriving affiliate ecosystem. By 2023 it was targeting NATO communications, revealing a second mission beneath the financial fraud.
By Arjun Raghavan, Security & Systems Lead, BIPI · September 12, 2024 · 9 min read
DanaBot was first reported in May 2018 by Proofpoint, in spam campaigns targeting Australian users; ESET published its own analysis of the family later that year. It arrived with a modular architecture that was unusual for banking trojans of the era: a core loader that talks to a control panel, plus downloadable plugins that operators mix and match per campaign. The design lent itself to an affiliate service, and the group behind it wasted little time selling it on underground forums.
Plugin Architecture
DanaBot's core implant is responsible only for persistence, communication with the control panel, and plugin management. All functional capabilities are delivered as separate plugins, each a standalone DLL that the core downloads, decrypts, and loads into memory on demand. This gives the operator flexibility: a banking fraud campaign needs a different plugin set than reconnaissance for espionage. It also means the core binary alone tells an analyst little about what happened on a host; the plugin list the core actually pulled from the panel is the capability inventory that matters during an incident.
- Stealer plugin: browser credential and cookie extraction, password manager database theft
- Sniffer plugin: man-in-the-browser webinject for banking session hijacking
- RDP plugin: remote desktop access over the C2 channel
- VNC plugin: screen viewing without initiating a full RDP session
- Proxy plugin: SOCKS5 proxy for tunneling attacker traffic through victim host
- Spam plugin: Outlook MAPI access for harvesting contacts and sending phishing emails
- Ransomware plugin: deployed in some campaigns as a monetization fallback
Affiliate Model
DanaBot is sold as a service rather than licensed outright. Each affiliate receives a unique affiliate ID embedded in their builds, allowing the operator to track infections and attribute revenue. The control panel software manages infections globally, with affiliate-specific views showing only the operator's own bots. Pricing has been reported at approximately USD 6,000 for the core bot with access to the standard plugin set.
Because the affiliate ID is embedded in every build, infections can be clustered by affiliate from the binary alone, without access to the panel. Tying a cluster to a named criminal group still requires panel, payment or forum evidence, but the ID gives investigators a stable pivot, and it has featured in Eastern European prosecutions.
The Espionage Pivot
In 2023, ESET and Proofpoint independently reported DanaBot infections at organizations participating in NATO-related diplomatic communications, specifically targeting attendees of a Ukraine-related security conference. The lure was a conference agenda document. What made this remarkable was that the DanaBot builds used in these campaigns carried an affiliate ID associated with the core developer group, not with any known affiliate. The espionage operation appeared to be run directly by the malware authors, using their own tool as an intelligence collection platform.
C2 Protocol
DanaBot uses a layered encryption scheme for C2 communication. The initial beacon is sent over TCP to a hardcoded IP list; RSA-2048 is used to exchange a per-session AES-256 key, and the rest of the session is encrypted under that key. The control panel speaks a custom binary protocol rather than HTTP, so a web proxy that only understands HTTP cannot inspect or filter it. The flip side for defenders is that a raw binary exchange on a port such as 443, with no TLS handshake, is itself an anomaly worth alerting on. The client authenticates to the server with its affiliate ID and a victim system fingerprint, which lets the server return affiliate-specific configurations and plugin lists.
Detection
- DanaBot injects into msiexec.exe or svchost.exe; hunt for those processes making outbound TCP connections to addresses outside Microsoft's published ranges, particularly on 443 or 4444
- Plugin DLLs are stored encrypted in %APPDATA%\[random-GUID]\ directories
- Browser hooking leaves artifacts in Chrome and Firefox process memory; memory forensics tools can detect the injection
- Network: non-HTTP TCP sessions from workstations to port 443 or 4444 with binary (non-TLS) framing
- YARA: DanaBot's RSA public key is unique per build but the surrounding code structure is stable; community rules from ESET's GitHub
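The second detection item, encrypted plugin DLLs parked in a GUID-named directory under %APPDATA%, can be hunted for without a signature: ciphertext has near-maximal byte entropy, and a file with that profile and no MZ header inside a GUID-named directory is unusual on a workstation. The following is an added example written for this page, not DanaBot's code and not the article's; the entropy threshold, the minimum file size and the demo directory tree (built in a temporary directory so it runs anywhere) are assumptions, and the GUID used in the fixture is a constructed value.

```python
"""Hunt GUID-named %APPDATA% subdirectories for encrypted (high-entropy) blobs.

Added example, not DanaBot's code and not from the article.  Reports files
that are at least min_size bytes, do not start with an MZ header, and have
Shannon entropy at or above the threshold (8.0 bits/byte is the maximum).
"""
import math
import os
import re
import tempfile
from collections import Counter
from typing import List, Tuple

# Matches 8-4-4-4-12 hex with optional braces, as seen in GUID-named folders.
GUID_RE = re.compile(r"^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$")
ENTROPY_THRESHOLD = 7.5   # assumption: compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value distribution of data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_appdata(root: str, threshold: float = ENTROPY_THRESHOLD,
                 min_size: int = 4096) -> List[Tuple[str, float]]:
    """Return (path, entropy) for suspicious files in GUID-named subdirs of root."""
    hits = []
    for name in os.listdir(root):
        directory = os.path.join(root, name)
        if not os.path.isdir(directory) or not GUID_RE.match(name):
            continue
        for fname in os.listdir(directory):
            path = os.path.join(directory, fname)
            if not os.path.isfile(path) or os.path.getsize(path) < min_size:
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if data[:2] == b"MZ":
                continue  # a plaintext PE in such a folder is a different hunt
            entropy = shannon_entropy(data)
            if entropy >= threshold:
                hits.append((path, round(entropy, 2)))
    return hits


def build_demo_tree() -> str:
    """Constructed fixture: a GUID dir holding one random blob and one text
    file, plus a non-GUID dir holding a random blob that must be ignored."""
    root = tempfile.mkdtemp()
    guid_dir = os.path.join(root, "{3f2504e0-4f89-11d3-9a0c-0305e82c3301}")
    os.makedirs(guid_dir)
    with open(os.path.join(guid_dir, "plugin.bin"), "wb") as fh:
        fh.write(os.urandom(16384))            # stands in for an encrypted plugin
    with open(os.path.join(guid_dir, "readme.txt"), "wb") as fh:
        fh.write(b"hello world\n" * 1000)      # low-entropy text, not reported
    other = os.path.join(root, "Microsoft")
    os.makedirs(other)
    with open(os.path.join(other, "data.bin"), "wb") as fh:
        fh.write(os.urandom(16384))            # outside a GUID dir, not reported
    return root


if __name__ == "__main__":
    # On a live host: scan_appdata(os.path.expandvars("%APPDATA%"))
    for path, entropy in scan_appdata(build_demo_tree()):
        print(f"{entropy:.2f}  {path}")
```

Expect false positives from legitimate software that caches compressed or encrypted data under GUID-named folders; the hit list is a triage queue to pair with the process and network checks, not a verdict on its own. Lowering `threshold` catches lightly packed data at the cost of more noise.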
Remediation
- Isolate any host with confirmed DanaBot execution; assume credentials and browser sessions are compromised
- Rotate all browser-saved passwords and cookies from the affected user account
- Review email forwarding rules and Outlook send-as permissions set on the affected account
- If the host was used for sensitive communications, notify your security team and treat the compromise as potentially espionage-motivated
- Cross-check the specific DanaBot affiliate ID found in the binary against threat intelligence feeds to determine operator attribution