Danabot: Analyzing a fallen empire

As announced by the US Department of Justice – the FBI and US DoD’s Defense Criminal Investigative Service (DCIS) have managed to disrupt the infrastructure of the notorious infostealer, Danabot. ESET is one of the many cybersecurity companies to participate in this long-term endeavor, becoming involved back in 2018. Our contribution included providing technical analyses of the malware and its backend infrastructure, as well as identifying Danabot’s C&C servers. The joint takedown effort also led to the identification of individuals responsible for Danabot development, sales, administration, and more. ESET took part in the effort alongside with Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru, Zscaler, Germany’s Bundeskriminalamt, the Netherlands’ National Police, and the Australian Federal Police.

These law enforcement operations were conducted under Operation Endgame – an ongoing global initiative aimed at identifying, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust, the operation successfully took down critical infrastructure used to deploy ransomware through malicious software.

Since Danabot has largely been disrupted, we will use this opportunity to share our insights into the workings of this malware-as-a-service (MaaS) operation, covering the features used in the latest versions of the malware, the authors’ business model, and an overview of the toolset offered to affiliates. Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware – including ransomware – to an already compromised system.

Key points of the blogpost:

• ESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that resulted in a major disruption of the malware’s infrastructure.
• While primarily developed as an infostealer and banking trojan, Danabot also has been used to distribute additional malware, including ransomware.
• Danabot’s authors promote their toolset through underground forums and offer various rental options to potential affiliates.
• The typical toolset provided by Danabot’s authors to their affiliates includes an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communication between the bots and the actual C&C server.
• Affiliates can choose from various options to generate new Danabot builds, and it’s their responsibility to distribute these builds through their own campaigns.

Background

Danabot, which belongs to a group of infostealer and/or banking malware families coded in the Delphi programming language, gained prominence in 2018 by being used in a spam campaign targeting Australian users. Since then, Danabot has expanded to other markets through various campaigns, undergone several major updates of its internals and backend infrastructure, and experienced both peaks and downturns in popularity among cybercriminals.

Throughout our monitoring since 2018, ESET has tracked and analyzed a substantial number of distinct samples and identified more than 1,000 unique C&C servers. During that period, ESET analyzed various Danabot campaigns all over the world, with Poland historically being one of the most targeted countries, as seen in Figure 1.

In addition to typical cybercrime, Danabot has also been used in less conventional activities such as utilizing compromised machines for launching DDoS attacks. For example, a DDoS attack against Ukraine’s Ministry of Defense was spotted by Zscaler soon after the Russian invasion of Ukraine. A very similar DDoS module to the one used in that attack was also used by a Danabot operator to target a Russian site dedicated to Arduino development. These actions were probably motivated by the affiliate’s own ambitions and political motivations.

Danabot group introduction

The authors of Danabot operate as a single group, offering their tool for rent to potential affiliates, who subsequently employ it for their own malicious purposes by establishing and managing their own botnets. The authors have even set up a support page on the Tor network with detailed information about the capabilities of their tool, as depicted in Figure 2.

To acquire new customers, Danabot is frequently promoted in underground forums by the user JimmBee, who acts as one of the main developers and administrators of the Danabot malware and its toolset. Another noteworthy person from the Danabot group is a user known in underground forums as Onix, who coadministers the Danabot infrastructure and is also responsible for sales operations.

Feature overview

Danabot’s authors have developed a vast variety of features to assist customers with their malevolent objectives. The most prominent features offered by Danabot include:

• the ability to steal various data from browsers, mail clients, FTP clients, and other popular software,
• keylogging and screen recording,
• real-time remote control of the victims’ systems,
• a FileGrabber command, commonly used for stealing cryptocurrency wallets,
• support for Zeus-like webinjects and form grabbing, and
• arbitrary payload upload and execution.

Besides utilizing its stealing capabilities, we have observed a variety of payloads being distributed through Danabot over the years, such as:

• SystemBC,
• Rescoms,
• Ursnif,
• Smokeloader,
• Zloader,
• Lumma Stealer,
• RecordBreaker,
• Latrodectus, and
• NetSupportManager remote administration tool.

Furthermore, we have encountered instances of Danabot being used to download ransomware onto already compromised systems. We can name LockBit, Buran, Crisis, and a NonRansomware variant being pushed on several occasions.

Danabot’s ability to download and execute arbitrary payloads is not the only feature used to distribute additional malware. Danabot was also spotted being used as a tool to hand off control of the botnet to a ransomware operator, as reported by Microsoft Threat Intelligence in late 2023.

Distribution methods

Throughout its existence, according to our monitoring, Danabot has been a tool of choice for many cybercriminals and each of them has used different means of distribution. Danabot’s developers even partnered with the authors of several malware cryptors and loaders, and offered special pricing for a distribution bundle to their customers, helping them with the process. Matanbuchus is an example of such a promoted loader.

Over the years, we have seen all sorts of distribution methods being used by Danabot affiliates, including:

• numerous variants of email spam campaigns,
• other malware such as Smokeloader, DarkGate, and Matanbuchus, and
• misuse of Google Ads.

Recently, out of all distribution mechanisms we saw, the misuse of Google Ads to display seemingly relevant, but actually malicious, websites among the sponsored links in Google search results stands out as one of the most prominent methods to lure victims into downloading Danabot. The most popular ploy is packing the malware with legitimate software and offering such a package through bogus software sites (Figure 3) or websites falsely promising users to help them find unclaimed funds (Figure 4).

The latest addition to these social engineering techniques: deceptive websites offering solutions for fabricated computer issues, whose only purpose is to lure the victim into execution of a malicious command secretly inserted into the user’s clipboard. An example of such a website leading to downloading of Danabot in Figure 5.

Infrastructure

Overview

Initially, Danabot’s authors relied on a single centralized server to manage all bots’ connections and all affiliates’ data, such as command configurations and data collected from their victims. This centralized approach certainly had a negative impact on that server’s performance and was more prone to possible disruptions. This is probably one of the reasons why we saw a shift in the business and infrastructure models in newer versions. In addition to renting places on their own infrastructure, Danabot’s authors now offer installation of a private server, as advertised on their support site, to be operated by the affiliate (Figure 6).

The rental options, as offered through an underground forum in July 2023, are illustrated in Figure 7.

It is worth mentioning that, based on our tracking, the rental of an account on the shared infrastructure controlled by Danabot’s authors seems to be the most popular choice for threat actors.

When affiliates purchase a rental of one of the options, they are given tools and credentials to connect to the C&C server and manage their own botnet through an administration panel. In the following sections, we cover the different parts of the typical toolset.

C&C server application

The standalone server application comes in the form of a DLL file and acts as the brain of the botnet. It is installed on a Windows server and uses a MySQL database for data management. Bots connect to this server to transmit stolen data and receive commands issued by affiliates. Affiliates connect to this server via the administration panel application to manage their botnet. This C&C server application is available for local installation only for affiliates paying for the higher tier personal server option. Affiliates who choose to operate their botnets on Danabot’s infrastructure instead are given connection details to the C&C server already set up there, and do not need to host their own C&C server.

Administration panel

The administration panel, displayed in Figure 8, is in the form of a GUI application, and represents the most important tool from the botnet operator’s perspective. It allows the affiliate to connect to the C&C server and perform tasks such as:

• manage bots and retrieve statistics of the botnet,
• issue various commands and advanced configuration for bots,
• conveniently view and export data gathered from victims,
• manage the notification system and set up alerts on events triggered by bots,
• generate new Danabot builds, and
• set up a chain of proxy servers for communication between the bots and the C&C server.

We provide more details and examples of the most interesting capabilities of the administration panel in the upcoming sections.

Backconnect tool

Another important tool for administration is the standalone utility that enables botnet operators to remotely connect to and control their online bots. Available actions for remote control, as seen in the tool, are illustrated in Figure 9. Probably the most interesting features for cybercriminals are the ability to see and control the victim’s computer via a remote desktop connection and to perform reconnaissance of the file system using the built-in file manager.

Proxy server application

Bots typically do not connect to the main C&C server directly, but rather use a chain of proxies to relay the traffic and hide the location of the real backend C&C. To facilitate this strategy, Danabot’s authors provide a proxy server application, available for both Windows and Linux systems. Figure 10 shows the usage message from the Linux version of this simple proxy server application. Besides using proxies, bots can be configured to communicate with the server through the Tor network in case all proxy chains become unavailable. An optional downloadable Tor module is then used for such communication.

Affiliates also frequently utilize this proxy server application as an intermediary between their administration panel and the C&C server to further enhance their anonymity. When everything is put together, the typical infrastructure may look as shown in Figure 11.

Internals

Communication

Danabot employs its own proprietary C&C communication protocol with its data encrypted using AES-256. Generated AES session keys, unique for every message, are then further encrypted using RSA key pairs, securing the whole communication. It’s worth mentioning that there have been several updates to the communication protocol and the packet structure over time.

The current packet data structure of the typical command, before it is encrypted, looks as shown in Table 1 . We would like to point out that most of the fields are only used during the first request in the communication loop to authenticate the bot, and are left unset in the subsequent commands.

Table 1. Packet structure used in Danabot communication

The newest versions of Danabot also add, to further disguise its communication, a random amount of seemingly junk bytes to the end of the packet structure before it is encrypted. It’s worth mentioning that Danabot authors do not always follow the best coding practices and the addition of this random number of bytes was done by resizing of the original memory buffer allocated to hold the packet structure instead of clearing or initializing this newly acquired space. This led to unintentionally including surrounding memory regions of the process into the data packet being sent from the bot to the server and, more importantly, vice versa. These appended memory regions captured and decrypted from the server-to-bot communication sometimes contained interesting information from the server’s process memory and gave researchers valuable insight into Danabot’s infrastructure and its users. This bug was introduced in 2022 and was fixed in the latest versions of Danabot in February 2025.

Further details about the communication and its encryption were already covered by various researchers, and we won’t dive into it more in this blogpost.

Builds

Botnet operators have multiple options for generating new Danabot builds to distribute to their victims. To the best of our knowledge, while the operator may configure the build process and desired output through the administration panel application, the build process itself is performed on the Danabot authors’ servers. After generating the selected build, the operator receives download links for the builds and becomes responsible for their distribution in a campaign.

Figure 12 shows an example of a build configuration window and available options, such as the C&C server list to be configured in the final binary file, various obfuscation methods, build bitness, etc.

Danabot currently offers four basic payload types, described in Table 2.

Table 2. Variants of available builds

Payload type	Description
Main.dll	Generates a sole main component in the form of a DLL to be distributed and loaded via rundll32.exe or regsvr32.exe.
Main.exe	Generates a loader in the form of an EXE that may contain the abovementioned main component DLL or download it from one of the configured C&C servers.
Drop.exe	Generates a dropper with an embedded main component DLL to be dropped to disk.
Drop.msi	Generates an MSI package with an embedded main component DLL to be loaded.

Commands configuration

A botnet operator can issue an advanced configuration to the bots through the administration panel. Bots are then ordered to perform various commands according to the instructions received. Figure 13 shows an example of such a command configuration.

Table 3 lists the available commands that can be issued. Each task has its own specific options to further accommodate the operator’s needs.

Table 3. Available commands

Command	Description
Video	Record a video of the selected application or website.
KeyLogger	Capture keystrokes from the selected application.
PostFilter	Grab information from certain websites’ forms.
WebInject	Allow Zeus-like webinjects on certain loaded websites to alter their function.
Redirect	Allow redirection of certain URLs.
Block	Block access to configured URLs.
Screens	Take screenshots of a selected application or website at certain intervals.
Alerts	Allow notifications to be sent to a selected Jabber account on a configurable event.
Uninstall	Uninstall the bot from the system.
UAC	Provide support for privilege escalation.
FileGrabber	Allow certain files to be uploaded to the C&C if found on the victim’s hard disk.
TorActive	Enable loading of a Tor module and allow connection via the Tor network if all C&C servers are inaccessible.
Stealer	Enable/disable the stealer functionality and set its update interval.
TimeOut	Set interval for the bot to contact its C&C server.
Install	Configure the bot’s installation on the system and its persistence.
Exclusion	Set exclusions in Windows Defender or Windows Firewall for a selected process.
ConfigSave	Save the bot’s configuration before its termination.
HideProcess	Hide the bot’s process.
CoreProtect	Allow the main component to be injected into an additional process.

Additional payloads

Danabot also provides the capability to download and execute further executable files. This feature allows the botnet operator to configure the installation of additional malware to the compromised system, as mentioned earlier. Figure 14 shows available options for this feature in the administration panel application.

Conclusion

Danabot is a large-scale MaaS operation distributing a wide array of tools for the malware affiliates’ disposal. Our investigation of this infostealer, which started in 2018, resulted in the analysis of Danabot’s toolset provided in this blogpost. The efforts of the authorities and several cybersecurity companies, ESET included, led to the disruption of the malware’s infrastructure. It remains to be seen whether Danabot can recover from the takedown. The blow will, however, surely be felt, since law enforcement managed to unmask several individuals involved in the malware’s operations.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

Network

MITRE ATT&CK techniques

This table was built using version 17 of the MITRE ATT&CK framework.