DanBot

Malware updated 23 days ago (2024-11-29T14:11:51.897Z)
Download STIX
Preview STIX
DanBot is a malicious software (malware) written in C# using .NET Framework 2.0 that provides basic remote access capabilities. It was identified as part of the arsenal used by the cyber threat group, OilRig, and has been linked to other backdoors such as Solar, Shark, Milan, and Marlin. The malware is designed to infiltrate systems through suspicious downloads, emails, or websites, often without user knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. In 2021, OilRig updated its DanBot backdoor and began deploying additional backdoors like Shark, Milan, and Marlin as per the ESET Threat Report T3 2021. The DanBot variant operated by LYCEUM, another cyber threat group, hosted multiple command and control (C2) domains, indicating its widespread use in cyber espionage. Some of the Milan backdoors analyzed also included samples that were clustered as DanBot backdoors, further confirming its broad deployment in cyber attacks. The DanBot malware shares several similarities with other backdoors used in cyber operations, particularly in terms of upload and download schemes for communicating with the C&C server. Both Solar and Shark backdoors, for instance, use URIs with simple upload ("u") and download ("d") schemes. Additionally, the downloader SC5k uses uploads and downloads subdirectories akin to other OilRig backdoors like ALMA, Shark, DanBot, and Milan. This overlap in tools and targeting highlights the interconnected nature of these cyber threats and their shared methodologies.
Description last updated: 2024-05-04T17:21:46.316Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Milan is a possible alias for DanBot. Milan is a malicious software, or malware, that has been linked to the OilRig cyber-espionage group. The malware was updated and deployed alongside other backdoors such as Shark, DanBot, and Marlin in 2021. Milan shares similar communication schemes with other OilRig backdoors, notably using URIs wi
2
Shark is a possible alias for DanBot. Shark is a malicious software (malware) deployed by the cyber threat group known as OilRig. In 2021, OilRig updated its DanBot backdoor and began deploying multiple new backdoors including Shark, Milan, and Marlin, as reported in the T3 2021 issue of the ESET Threat Report. This malware can infiltra
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Marlin Malware is associated with DanBot. Marlin is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Marlin can steal personal information, disrupt operations, or even hold dataUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The OilRig Threat Actor is associated with DanBot. OilRig, also known as APT34, Earth Simnavaz, Evasive Serpens, and other names, is a well-known threat actor in the cybersecurity industry. This group has been particularly active in targeting entities in the Middle East, including critical infrastructure and telecommunications organizations. One of Unspecified
2
Source Document References
Information about the DanBot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more