COVID 19 is an ideal opportunity for malicious actors. With much of the global workforce working from home, we and our partners have seen a dramatic change in the compromise landscape (look for more analysis on that topic in an upcoming blog). The community is also very much aware of attempts to leverage popular websites, such as the Johns Hopkins COVID 19 map to deliver malware to unsuspecting visitors. These visitors likely include many remote workers who are surfing the web for COVID updates, such as this map. Those remote workers are undoubtedly entering passwords to access their companies’ systems on a daily basis, which is where DanaBot comes in.
DanaBot can redirect visits to financial services sites and capture login credentials. However, it has also been known to combine operations with other malware operators. Other modules associated with DanaBot include remote desktop through VNC, information stealing, and keylogging. Therefore, the risk associated with this campaign extends beyond end users to enterprise networks.
Small businesses are particularly vulnerable to such threats, as they lack the security infrastructure and resources to accurately monitor their new remote workers. Those organizations can take advantage of Team Cymru’s small business IP check service, which is available for free during the COVID 19 work-from-home initiative. That tool can be accessed here:
https://reputation.team-cymru.com
Our analysts took a closer look this DanaBot activity, mapped its propagation and extracted IOCs. The following is an excerpt of analysis done on the DanaBot banking Trojan and the exploitation of a legitimate COVID-19 infection map. Analysis included the use of the Augury™ Pure Signal™ platform to map netflow and the associated malicious infrastructure.
NOTE: Organizations identified in this research were notified, as appropriate, prior to the publishing of both the blog and paper. Remediation actions were taken.
Download the full analysis with IOCs now at https://partners.team-
In March of 2020, we were made aware of a campaign making use of a legitimate COVID-19 infection map to lure victims into installing malware. During the infection process, the malware displays a map of worldwide infection and mortality rates (see Figure 1) while covertly installing the DanaBot banking Trojan.
Figure 1 – The Johns Hopkins map displayed by the malware
Attack Chain
The attack chain implemented by these attackers uses Java and JavaScript to stage the attack, as depicted in Figure 2. Each stage is detailed in the sections below. Indicators of compromise for files related to this attack can be found in Appendix A.
Figure 2 – Diagram of attack chain
Netflow Analysis
Netflow to the DanaBot controllers indicates likely victims in Mexico, the United States, India, Australia, New Zealand and the Netherlands.
Download the full analysis with IOCs now at