UPDATE 10/02/2018: DanaBot has been detected targeting banks in additional countries, including the United States, Poland, Italy, Germany, and Austria. In recent campaigns, DanaBot is distributed via malspam that appears to be an eFax notification. The body of the email instructs recipients to open an attachment or click on an embedded URL in order to view a fax. If users open the document and enable the macros, the Hancitor trojan will download and install, which, in turn, delivers DanaBot and additional malware onto the computer.
UPDATE 6/20/2019: A new campaign is proliferating an updated DanaBot variant which adds a “Non Ransomware” ransomware module to its list of capabilities. Potential victims are targeted with phishing emails, delivering malware droppers. The module ensures survivability as it can revive itself using the Schtasks tool, in the event of the ransomware getting “killed.”
Technical Details and Reporting: