DanBot

DanBot is a second-stage payload that has been used in multiple attacks against various companies in the Middle Eastern region. The malware is believed to be the Lyceum APT product, and it has been used since April 2018 actively. The threat has the features of a Remote Access Trojan (RAT,) but its operators are focused on collecting credentials and files from the compromised systems. Furthermore, the DanBot RAT may sometimes be used to deploy corrupted PowerShell scripts that add further functionality.

The Lyceum APT targets companies and organizations that are part of the telecommunications, oil, or gas industries. Usually, DanBot's attack is preceded by the deployment of DanDrop, Lyceum's signature Trojan dropper.

DanDrop Supports DNS Communication with the Control Server

One of DanBot's key features is its ability to rely on two communication protocols. Apart from using the traditional HTTP transfer, it also has the ability to use DNS traffic to communicate with the control server. Using the DNS protocol for communication purposes is not that uncommon in the world of malware since it allows the payload to bypass traditional firewall security. However, it also limits the type and size of data that can be transferred.

DanBot's primary functions are:

• Switch between HTTP and DNS communication mode.
• Collect hardware and software information.
• Manage files.
• Upload/download files.
• Execute VBS files.
• Execute remote commands.

The DanBot RAT is not among the most advanced malware pieces to be active in the Middle East, but it has managed to stay under the radar for a surprisingly long time. The same happens with the campaigns of the Lyceum APT – the group's activities might have been undetected for over a year. Despite all the tricks and obfuscation techniques that these threat actors use, a reputable anti-malware service should be enough to defend systems and networks from intrusive hacker attacks.