eSentire’s TRU team analyzes DanaBot’s use of Latrodectus to deploy IcedID, a banking Trojan, in a drive-by download campaign. The operation combines DLL side-loading, Process Doppelgänging injection into explorer.exe, Startup-folder and scheduled-task persistence, and dedicated C2 infrastructure, and the write-up documents the DanaBot/IcedID activity together with its indicators. #DanaBot #Latrodectus #IcedID
Keypoints
- DanaBot is delivering IcedID, a banking Trojan, via Latrodectus in a drive-by download campaign.
- webex.exe side-loads sqlite3.dll, which decrypts rash.docx and loads the IcedID payload it contains.
- IcedID uses Process Doppelgänging to inject into explorer.exe, enabling stealth execution.
- Persistence is achieved twice: webex.exe is placed in the Startup folder, and a scheduled task named “Updater” runs at every logon.
- The malware collects system information and enumerates domain trusts as part of recon before C2 communication.
- IcedID communicates with C2 domains and IPs (e.g., arsimonopa[.]com/live, 178.208.87[.]21), and DanaBot uses its own C2 endpoints.
- TRU recommendations emphasize obtaining software only from trusted sources, careful handling of downloaded files, phishing awareness, and endpoint protection against malware.
MITRE Techniques
- [T1189] Drive-by Compromise – Initial infection occurred via a drive-by download. ‘In our case, it’s DanaBot dropping the following… The initial infection for DanaBot occurred via a drive-by download. The user was likely searching for a Webex installer and visited an imposter website serving the payload.’
- [T1574.001] Hijack Execution Flow: DLL Side-Loading – On execution, webex.exe side-loads the malicious sqlite3.dll placed alongside it. ‘Upon execution of webex.exe, it will side-load the malicious DLL (sqlite3.dll)’
- [T1055.012] Process Injection: Process Doppelgänging – The payload loaded through sqlite3.dll (IcedID, per the summary above) is injected into explorer.exe via Process Doppelgänging. ‘inject into explorer.exe via Process Doppelgänging’
- [T1547.001] Boot or Logon Autostart Execution: Startup Folder – DanaBot creates persistence via the Startup folder for webex.exe. ‘The persistence for DanaBot is created via Startup folder (T1547.001) for webex.exe binary.’
- [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence via a scheduled task named “Updater” that runs rundll32.exe at every logon. ‘The persistence is achieved via the scheduled task named “Updater”. The task runs at every log on with the following command: rundll32.exe …’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over web protocols to the IcedID C2 URLs and IPs (arsimonopa[.]com/live, lemonimonakio[.]com/live; VNC C2 at 178.208.87[.]21). ‘IcedID C2 arsimonopa[.]com/live’ and ‘IcedID VNC C2 178.208.87[.]21’
Indicators of Compromise
- [File Hash] MD5 – 4be85751a07081de31f52329c2e2ddc8, 34b87976172e911e3e2ed6007252e7dc, 4ca6db064effc1730299a0f20531e49c
- [File Name] – Webex.zip, rash.docx, sqlite3.dll
- [URL] – arsimonopa[.]com/live, lemonimonakio[.]com/live
- [IP Address] – 178.208.87[.]21, 74.119.193[.]200
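The techniques and indicators above, turned into a hunt over endpoint telemetry. This is an added example, not eSentire's or TRU's code. It assumes Sysmon events (ImageLoad 7, FileCreate 11, NetworkConnect 3, DNSQuery 22) and Windows Security event 4698 (scheduled task created) exported as flat dicts keyed by Sysmon's field names; the sample events are constructed for the example, not captured from the campaign. Process Doppelgänging itself (the NtCreateTransaction/NtCreateSection/NtCreateProcessEx sequence) produces no Sysmon event, so the T1055.012 hit is a heuristic: explorer.exe being the process that opens the connection to a known C2.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the report above (re-fanged so they match raw telemetry).
IOC_IPS = {"178.208.87.21", "74.119.193.200"}
IOC_HOSTS = {"arsimonopa.com", "lemonimonakio.com"}
IOC_MD5 = {
    "4be85751a07081de31f52329c2e2ddc8",
    "34b87976172e911e3e2ed6007252e7dc",
    "4ca6db064effc1730299a0f20531e49c",
}

STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    # PureWindowsPath parses backslash paths even when this runs on Linux.
    return PureWindowsPath(path).name.lower()


def parse_hashes(field):
    """Sysmon's 'Hashes' field looks like 'MD5=...,SHA256=...'; return {alg: value}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip().lower()
    return out


def check_event(ev):
    """Return a list of (technique_id, reason) hits for a single event dict."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")

    if eid == 7:  # Sysmon ImageLoad
        loaded = ev.get("ImageLoaded", "")
        # T1574.001: webex.exe pulling sqlite3.dll from anywhere but a system directory.
        if (basename(image) == "webex.exe" and basename(loaded) == "sqlite3.dll"
                and not loaded.lower().startswith(SYSTEM_DIRS)):
            hits.append(("T1574.001", f"webex.exe side-loaded {loaded}"))
        if parse_hashes(ev.get("Hashes", "")).get("MD5") in IOC_MD5:
            hits.append(("IOC", f"known-bad MD5 loaded: {loaded}"))

    elif eid == 11:  # Sysmon FileCreate
        target = ev.get("TargetFilename", "")
        if STARTUP_RE.search(target) and basename(target) == "webex.exe":
            hits.append(("T1547.001", f"webex.exe dropped in Startup folder: {target}"))

    elif eid == 4698:  # Windows Security: scheduled task created (TaskContent is the task XML)
        content = ev.get("TaskContent", "").lower()
        if (ev.get("TaskName", "").strip("\\").lower() == "updater"
                and "rundll32" in content and "<logontrigger" in content):
            hits.append(("T1053.005", "logon task 'Updater' runs rundll32"))

    elif eid == 3:  # Sysmon NetworkConnect
        dst_ip = ev.get("DestinationIp", "")
        dst_host = ev.get("DestinationHostname", "").lower()
        if dst_ip in IOC_IPS or dst_host in IOC_HOSTS:
            hits.append(("T1071.001", f"connection to C2 {dst_host or dst_ip}"))
            # Heuristic (assumption): Doppelgänging leaves no ImageLoad or
            # CreateRemoteThread trail, so the tell is explorer.exe itself beaconing.
            if basename(image) == "explorer.exe":
                hits.append(("T1055.012", "explorer.exe is the C2 client"))

    elif eid == 22:  # Sysmon DNSQuery
        if ev.get("QueryName", "").lower() in IOC_HOSTS:
            hits.append(("T1071.001", f"DNS lookup of C2 host {ev['QueryName']}"))

    return hits


def hunt(events):
    """Run check_event over an event stream; return {technique_id: [reason, ...]}."""
    found = {}
    for ev in events:
        for tech, reason in check_event(ev):
            found.setdefault(tech, []).append(reason)
    return found


# Constructed sample events (not real telemetry) mirroring the chain in the report.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\u\Downloads\Webex\webex.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\Webex\sqlite3.dll",
     "Hashes": "MD5=34B87976172E911E3E2ED6007252E7DC,SHA256=0000"},
    # Benign control: different process, DLL from System32, unknown hash.
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\sqlite3.dll", "Hashes": "MD5=00"},
    {"EventID": 11, "Image": r"C:\Users\u\Downloads\Webex\webex.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webex.exe"},
    {"EventID": 4698, "TaskName": r"\Updater",
     "TaskContent": "<Task><Triggers><LogonTrigger/></Triggers>"
                    "<Actions><Exec><Command>rundll32.exe</Command></Exec></Actions></Task>"},
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe", "QueryName": "arsimonopa.com"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "178.208.87.21", "DestinationHostname": ""},
]

if __name__ == "__main__":
    for tech, reasons in sorted(hunt(SAMPLE_EVENTS).items()):
        print(tech, reasons)
```

The side-load rule keys on the process name and the DLL's location rather than on the hash, so it survives a rebuilt sqlite3.dll; the hash check is kept as a separate, higher-confidence hit. Real task XML from event 4698 is the full scheduled-task schema, so match the trigger element name rather than an exact string.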
Read more: https://www.esentire.com/blog/danabots-latest-move-deploying-icedid