DanaBot Banking Trojan Targeting US Banks

Threat actors are deploying the DanaBot trojan to target banks across the world. These campaigns initially only targeted banks in Australia and Europe, but have recently expanded to the United States as well as Poland, Italy, Germany, and Austria. DanaBot attempts to steal account credentials and information contained on online banking sites. Recent North American campaigns, detected by Proofpoint, are being distributed via malicious emails that appear to come from eFax. The body of the email states that the recipient must download a Word document in order to view a fax. If users open the document and enable the macros, the Hancitor trojan will download and install, which, in turn, delivers DanaBot and additional malware onto the computer. So far, Proofpoint has identified at least nine different threat actors distributing DanaBot. The NJCCIC recommends reviewing the Proofpoint report on DanaBot, educating end users about this and similar threats, and reminding them never to click on links delivered in unexpected or unsolicited emails. Users who receive unexpected email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. If any end users have acted on emails from this campaign, isolate the affected system from the network immediately and perform a full system scan using a reputable anti-virus/anti-malware solution.