Cybercrime, new DanaBot version in the wild

Proofpoint: DanaBot is back with a new Malware-as-a-Service (MaaS) version. It’s written in Delphi and has several anti-analysis features.

A new Malware-as-a-Service (MaaS) version of DanaBot is in the wild, discovered by Proofpoint cybersecurity researchers. Like the previous version, it is a large, multithreaded, modular malware written in Delphi. A loader component (EXE) decrypts, decompresses, and executes a secondary component (DLL). The DLL then removes the loader and re-executes itself using a specially crafted export name. It uses several anti-analysis features:

  • Some strings are constructed one character at a time;
  • Some Windows API functions are resolved at run-time;
  • Reads and writes of malware-related files are interleaved with reads and writes of benign decoy files, so the malicious file activity is buried in the middle of harmless filesystem operations.

Persistence is maintained by creating an LNK file in the user’s Startup directory that executes the main component. Furthermore, at least one of the distribution methods used by the cybercrime operation is linked to various software warez and crack websites.
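The Startup-folder LNK persistence described above is easy to audit from the defender's side. The following PowerShell script is an added example (not part of the Proofpoint report or this article): it enumerates the .lnk files in the per-user and all-users Startup folders, resolves each shortcut's target via the WScript.Shell COM object, and flags targets that live in user-writable locations or that launch a DLL through rundll32/regsvr32. The list of "suspicious" roots and the rundll32/regsvr32 rule are heuristics chosen for this example, not indicators from the report.

```powershell
# Added example: audit Startup-folder shortcuts for unusual targets.
# Heuristics below are assumptions for illustration, not indicators from the article.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Constructed heuristic: targets under these user-writable roots deserve a closer look.
$suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC,
                     "$env:USERPROFILE\Downloads") | Where-Object { $_ }

$shell = New-Object -ComObject WScript.Shell

foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)   # resolves TargetPath/Arguments
        $target = $lnk.TargetPath
        $reason = @()

        foreach ($root in $suspiciousRoots) {
            if ($target -like "$root*") { $reason += "target under $root" }
        }
        # A shortcut that runs a DLL via rundll32/regsvr32 is unusual for a Startup entry.
        if ($target -match '\\(rundll32|regsvr32)\.exe$') { $reason += 'DLL host process' }
        # A dangling target often means the payload was moved or deleted after installation.
        if ($target -and -not (Test-Path -LiteralPath $target)) { $reason += 'target missing' }

        [PSCustomObject]@{
            Link       = $_.FullName
            Target     = $target
            Arguments  = $lnk.Arguments
            Created    = $_.CreationTime
            Suspicious = ($reason.Count -gt 0)
            Reason     = ($reason -join '; ')
        }
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in the context of the user being investigated, since the per-user Startup path depends on the current profile; entries marked Suspicious are leads for manual review, not verdicts.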