DanBot

Malware Profile Updated 3 months ago

Download STIX

Preview STIX

DanBot is a malicious software (malware) written in C# using .NET Framework 2.0 that provides basic remote access capabilities. It was identified as part of the arsenal used by the cyber threat group, OilRig, and has been linked to other backdoors such as Solar, Shark, Milan, and Marlin. The malware is designed to infiltrate systems through suspicious downloads, emails, or websites, often without user knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. In 2021, OilRig updated its DanBot backdoor and began deploying additional backdoors like Shark, Milan, and Marlin as per the ESET Threat Report T3 2021. The DanBot variant operated by LYCEUM, another cyber threat group, hosted multiple command and control (C2) domains, indicating its widespread use in cyber espionage. Some of the Milan backdoors analyzed also included samples that were clustered as DanBot backdoors, further confirming its broad deployment in cyber attacks. The DanBot malware shares several similarities with other backdoors used in cyber operations, particularly in terms of upload and download schemes for communicating with the C&C server. Both Solar and Shark backdoors, for instance, use URIs with simple upload ("u") and download ("d") schemes. Additionally, the downloader SC5k uses uploads and downloads subdirectories akin to other OilRig backdoors like ALMA, Shark, DanBot, and Milan. This overlap in tools and targeting highlights the interconnected nature of these cyber threats and their shared methodologies.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Milan	2	Milan is a malicious software, or malware, that was notably deployed by the cyber group OilRig in 2021. The group updated its DanBot backdoor and began deploying multiple backdoors including Shark, Milan, and Marlin. These backdoors were mentioned in the T3 2021 issue of the ESET Threat Report. Simi
Shark	2	Shark is a type of malware, or malicious software, that was deployed by the cyber group OilRig. In 2021, OilRig updated its DanBot backdoor and began deploying the Shark, Milan, and Marlin backdoors, as highlighted in the T3 2021 issue of the ESET Threat Report. This harmful program can infiltrate s
adobereport.exe	1	None

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Trojan

Malware

Payload

Downloader

Spearphishing

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Marlin	Unspecified	2	Marlin is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Marlin can steal personal information, disrupt operations, or even hold data
Sc5k	Unspecified	1	SC5k is a malware developed by OilRig, first discovered in November 2021 during the group's Outer Space campaign. This malicious software acts as a vehicle to deploy a downloader called SampleCheck5000 (SC5k), which utilizes the Office Exchange Web Services (EWS) API to download additional tools for

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
OilRig	Unspecified	2	OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Lyceum	Unspecified	1	Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsym, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligenc

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the DanBot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
ESET	7 months ago	OilRig’s persistent attacks using cloud service-powered downloaders
CERT-EU	10 months ago	OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
MITRE	a year ago	Who are Latest Targets of Cyber Group Lyceum \| Accenture
MITRE	a year ago	Cyber Threat Group LYCEUM Takes Center Stage in Middle East Campaign