Review of a Danabot Infection
Proofpoint first identified DanaBot in May 2018. Armed with basic Trojan and info-stealing functionality, DanaBot gathers sensitive banking information from unsuspecting users for fraud and other criminal activity. Since its inception, the Trojan has worked on adding affiliates, increasing its geotargeting, and expanding its functionality through modularity. In this blog, I’m going to review DanaBot’s web injects/targeting scheme, along with its communication protocol and command and control infrastructure.

Geo-Targeting

While DanaBot primarily targeted Australia in its early 2018 campaigns, it has continually expanded its targeting since then to include new regions. Each geographical region is associated with a campaign ID within the bot, which ensures that the web injects/targets for that region are delivered post-infection. DanaBot has continued to...

Introducing the H3 Collective PE Cert Mutator Tool
The H3 Collective is releasing an alpha version of a PE cert fuzzing tool. We use this internally (among other tools) to test some of our software products and wanted to let others leverage it for their own use. Rolling your own ASN.1 parsing and certificate validation code can be tricky at best, and can introduce very serious security bugs if it has not been thoroughly tested. Sometimes leveraging an existing fuzzing framework isn’t possible because of how the software is built or what platform it runs on. This tool takes an existing binary and mutates components related to its Authenticode signature. Currently it can mutate the security data directory, the WIN_CERTIFICATE struct inside the attribute certificate table, and the bCertificate field. You can use it to swap in the signature from another signed binary before mutations are made, in case you have a valid binary whose signature you’d like to leverage…