The modular Danabot banking Trojan has been upgraded again, this time with email harvesting and spam-sending capabilities, after previously receiving 64-bit and RDP support following its switch to European targets in September 2018.
As reported by ESET's security research team, the new spam-capable Danabot version can propagate itself via spam emails sent as replies to messages found in mailboxes located on compromised machines running webmail services based on Horde, Roundcube, and Open-Xchange.
Given its modular structure and the eagerness of its authors to regularly add new plugins, ESET considers that Danabot has already surpassed the initial scope its masters had in mind when coding it.
ESET's analysis also uncovered the fact that Danabot shares script structure with other malware strains such as BackSwap, Tinba or Zeus, a clear proof of its modularity which allows it to reuse scripts from other malware families quite effortlessly.
Danabot linked to GootKit by downloader module
Additionally, Danabot has been observed exhibiting dropper behavior, delivering other malware, with a GootKit downloader module being the prime example; this hints at a direct connection between the groups controlling the two malware families.
Although the presence of a GootKit banking-fraud Trojan sample on one of Danabot's C&C servers might seem surprising, ESET also witnessed the Emotet Trojan distributing GootKit during Cyber Monday and Black Friday campaigns.
As mentioned in the beginning, after being upgraded with spam capabilities, Danabot can now harvest email addresses from mailboxes found on compromised machines and send spam messages as replies to propagate itself to other potential targets.
Danabot achieves this task by "injecting a malicious script into the targeted webmail services' webpages once a victim logs in, processing the victim's emails and sending all email addresses it finds to a C&C server," according to ESET.
The Trojan is also capable of sending signed spam email
Next, if it finds one of the webmail services it can control, Danabot uses another injected script to start sending spam in the background, taking advantage of digital signatures to deliver signed emails that make the spam it peddles look legitimate.
At the moment, Danabot's masters seem interested in Italian “certified electronic mail” services, which leads to the idea that they "are focused on targeting corporate and public administration emails that are the most likely to use this certification service."
A full list of indicators of compromise and webmail services targeted by Danabot's new email-address-harvesting feature is available at the end of ESET's extensive report.