DanBot

Malware updated 5 months ago (2024-05-04T17:40:13.968Z)

Download STIX

Preview STIX

DanBot is a malicious software (malware) written in C# using .NET Framework 2.0 that provides basic remote access capabilities. It was identified as part of the arsenal used by the cyber threat group, OilRig, and has been linked to other backdoors such as Solar, Shark, Milan, and Marlin. The malware is designed to infiltrate systems through suspicious downloads, emails, or websites, often without user knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. In 2021, OilRig updated its DanBot backdoor and began deploying additional backdoors like Shark, Milan, and Marlin as per the ESET Threat Report T3 2021. The DanBot variant operated by LYCEUM, another cyber threat group, hosted multiple command and control (C2) domains, indicating its widespread use in cyber espionage. Some of the Milan backdoors analyzed also included samples that were clustered as DanBot backdoors, further confirming its broad deployment in cyber attacks. The DanBot malware shares several similarities with other backdoors used in cyber operations, particularly in terms of upload and download schemes for communicating with the C&C server. Both Solar and Shark backdoors, for instance, use URIs with simple upload ("u") and download ("d") schemes. Additionally, the downloader SC5k uses uploads and downloads subdirectories akin to other OilRig backdoors like ALMA, Shark, DanBot, and Milan. This overlap in tools and targeting highlights the interconnected nature of these cyber threats and their shared methodologies.

Description last updated: 2024-05-04T17:21:46.316Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Milan is a possible alias for DanBot. Milan is a malicious software, or malware, that was notably deployed by the cyber group OilRig in 2021. The group updated its DanBot backdoor and began deploying multiple backdoors including Shark, Milan, and Marlin. These backdoors were mentioned in the T3 2021 issue of the ESET Threat Report. Simi	2
Shark is a possible alias for DanBot. Shark is a malicious software (malware) deployed by the cyber threat group known as OilRig. In 2021, OilRig updated its DanBot backdoor and began deploying multiple new backdoors including Shark, Milan, and Marlin, as reported in the T3 2021 issue of the ESET Threat Report. This malware can infiltra	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Marlin Malware is associated with DanBot. Marlin is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Marlin can steal personal information, disrupt operations, or even hold data	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The OilRig Threat Actor is associated with DanBot. OilRig, also known as APT34, Helix Kitten, Cobalt Gypsym, Lyceum, Crambus, or Siamesekitten, is a notorious threat actor linked to numerous malicious activities. The group has been associated with various well-known campaigns such as DarkHydrus, xHunt, SUNBURST, and Decoy Dog, all of which leveraged	Unspecified	2

Source Document References

Information about the DanBot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
ESET	10 months ago	OilRig’s persistent attacks using cloud service-powered downloaders
CERT-EU	a year ago	OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
MITRE	2 years ago	Who are Latest Targets of Cyber Group Lyceum \| Accenture
MITRE	2 years ago	Cyber Threat Group LYCEUM Takes Center Stage in Middle East Campaign