DanaBot is delivered via a VBS-based downloader that uses a distinctive obfuscation scheme and is associated with a social-engineering lure built around unclaimed property. The article also covers three methods to decode the VBS, noting DanaBot’s ties to the SCULLY SPIDER group and related activity. #DanaBot #SCULLY_SPIDER #moneyunclaimed #unclaimed2 #unclaimedhq #DDoS #Ukraine
Keypoints
- The DanaBot malware is a banker/infostealer operated in a MaaS model by a group tracked as “SCULLY SPIDER.”
- The downloader is delivered via a VBS file hosted on a fake “unclaimed property” site (moneyunclaimed.net) that requires user interaction to proceed.
- The landing page uses trust cues (mentioning brands like McAfee and GoDaddy) and an interactive captcha to appear legitimate.
- The VBS obfuscation uses a long encoded string with two loops; the final URL to the payload is in clear text while the execution is hidden.
- Three decoding approaches are presented: using a VBS debugger (VbsEdit), modifying the VBS to print output, and building a Python decoder.
- IOCs include domains and a hash associated with the campaign (e.g., moneyunclaimed.net, unclaimed2.com, unclaimedhq.com, z3.goldfishcloud.top, and a 64-character SHA-256 hash).
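The article's second and third decoding approaches (rewrite the VBS to print instead of execute, or decode it in Python) both start from the same triage questions: where is the clear-text URL, which string literal is the long encoded blob, how many loops and which string operations feed it, and where is the execution sink. The following Python script is an added example, not code from the article or from the DanaBot sample; it runs on a constructed VBS that mirrors the shape described above (clear-text URL, one very long string, two loops, an Execute call), with a filler encoded string and an example.invalid host. It assumes the sink is Execute/ExecuteGlobal/Eval, which the article does not name, and the decoder itself is deliberately not reconstructed here.

```python
import re

# Constructed sample VBS (NOT the DanaBot downloader). It mirrors the pattern the article
# describes: a clear-text URL, one very long encoded string, two loops built from string
# operations, and an Execute call that hides what actually runs. The encoded string is
# filler (hex of "zoo" repeated 100 times); the URL host is a reserved .invalid name.
SAMPLE_VBS = (
    'Dim u, s, i, j, out\r\n'
    'u = "http://example.invalid/payload.bin"\r\n'
    's = "' + "7A6F6F" * 100 + '"\r\n'
    'out = ""\r\n'
    'For i = 1 To Len(s) Step 2\r\n'
    '  out = out & Chr(CInt("&H" & Mid(s, i, 2)))\r\n'
    'Next\r\n'
    'For j = 1 To 3\r\n'
    '  out = Replace(out, "zoo", "")\r\n'
    'Next\r\n'
    'Execute out\r\n'
)

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
STRING_LITERAL_RE = re.compile(r'"([^"\r\n]*)"')          # VBS literals; "" escapes ignored
FOR_LOOP_RE = re.compile(r'^\s*For\b', re.IGNORECASE | re.MULTILINE)
STRING_OPS = ("Chr", "Asc", "Mid", "Replace", "StrReverse", "Split", "CInt", "Len")
# Assumed execution sinks (the article only says the execution is hidden in a long string).
EXEC_RE = re.compile(r'\b(ExecuteGlobal|Execute|Eval)\b', re.IGNORECASE)


def extract_urls(vbs: str) -> list[str]:
    """Clear-text URLs survive the obfuscation; pull them first for blocking and pivoting."""
    return URL_RE.findall(vbs)


def find_long_strings(vbs: str, min_len: int = 200) -> list[tuple[int, int]]:
    """Return (1-based line number, length) for every string literal of at least min_len chars;
    in this obfuscation style the encoded blob is the outlier."""
    hits = []
    for lineno, line in enumerate(vbs.splitlines(), start=1):
        for m in STRING_LITERAL_RE.finditer(line):
            if len(m.group(1)) >= min_len:
                hits.append((lineno, len(m.group(1))))
    return hits


def count_for_loops(vbs: str) -> int:
    """Number of For ... Next loops (the sample described has two)."""
    return len(FOR_LOOP_RE.findall(vbs))


def string_op_counts(vbs: str) -> dict[str, int]:
    """How often each string-manipulation builtin is called; tells you what the decoder must mimic."""
    return {op: len(re.findall(r'\b' + op + r'\s*\(', vbs, re.IGNORECASE)) for op in STRING_OPS}


def neutralize_execute(vbs: str) -> str:
    """The 'modify the VBS to print' approach: swap the execution sink for WScript.Echo so that
    running the result under cscript.exe (in an isolated VM) prints the decoded code instead of
    running it. Naive regex: it also rewrites matches inside strings/comments and breaks an
    Eval used as an expression, so review the output before running it."""
    return EXEC_RE.sub("WScript.Echo", vbs)


def triage(vbs: str) -> dict:
    """One-shot summary a practitioner wants before writing a decoder."""
    return {
        "urls": extract_urls(vbs),
        "long_strings": find_long_strings(vbs),
        "for_loops": count_for_loops(vbs),
        "string_ops": {k: v for k, v in string_op_counts(vbs).items() if v},
        "execution_sinks": [m.group(0) for m in EXEC_RE.finditer(vbs)],
    }


if __name__ == "__main__":
    import json
    import sys
    # Usage: python triage.py [suspect.vbs] [neutralized_out.vbs]; with no args, the sample is used.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_VBS
    print(json.dumps(triage(text), indent=2))
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w", encoding="latin-1") as fh:
            fh.write(neutralize_execute(text))
```

Run the neutralized script only in a disposable VM: it still contains the original decoding loops, and if the regex missed a sink (for example a sink built from string concatenation at runtime) the payload logic executes anyway.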
MITRE Techniques
- [T1059.005] VBScript – Execution via VBScript; The VBS file contains an embedded URL that is not obfuscated, but the actual execution mechanism is encoded in a very long string. (‘The VBS file contains an embedded URL that is not obfuscated, but the actual execution mechanism is encoded in a very long string.’)
- [T1189] Drive-by Compromise – Social engineering pretext used to lure victims on an interactive web page requiring user interaction to fetch the first stage payload. (‘The social engineering pretext used in this campaign was interesting as it leveraged an “unclaimed property” themed lure and required user interaction to deliver the first stage payload.’)
- [T1027] Obfuscated/Compressed Files and Information – The primary obfuscation technique is based on string operations; the execution logic is encoded in a long string. (‘The primary obfuscation technique utilized in this script is string operations.’)
- [T1105] Ingress Tool Transfer – The final DanaBot payload is hosted at a URL that is in clear text. (‘The URL that hosts the final DanaBot payload is in clear text, but the function containing the execution is encoded in a very long string.’)
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – The payload is executed via rundll32 after initial stages are prepared. (‘rundll32 to execute that payload.’)
Indicators of Compromise
- [Domain] moneyunclaimed.net – used as a landing page for the downloader
- [Domain] unclaimed2.com – related landing page domain
- [Domain] unclaimedhq.com – related landing page domain
- [Domain] z3.goldfishcloud.top – additional domain seen in IOC list
- [Hash] 2186495019ee3d4838df3482eaa3c6b37f08d68b8ef0675342cb761ccf04c4fc – SHA-256 of the DanaBot-related sample
Read more: https://security-soup.net/decoding-a-danabot-downloader/