Quote:The modular Danabot banking Trojan has been again upgraded with email harvesting and sending capabilities after previously receiving 64-bit and RDP support following its target switch on to European targets during September 2018.

As reported by ESET's security research team, the new spam-capable Danabot version can propagate itself via spam emails sent as replies to messages found in mailboxes located on compromised machines running webmail services based on Horde, Roundcube, and Open-Xchange.

Given its modular structure and the eagerness of its authors to regularly add new plugins, ESET considers that Danabot has already surpassed the initial scope its masters had in mind when coding it.

ESET's analysis also uncovered the fact that Danabot shares script structure with other malware strains such as BackSwap, Tinba or Zeus, a clear proof of its modularity which allows it to reuse scripts from other malware families quite effortlessly.

Additionally, Danabot has been observed while exhibiting dropper behavior, peddling other malware, with a GootKit downloader module being the prime example, hinting at a direct connection between the groups controlling the two malware families.