DanaBot
DanaBot is a banking trojan discovered by Proofpoint researchers targeting users in Australia through malicious emails. Still considered under development, the banking trojan was first seen sending out emails with subject lines such as “Your E-Toll account statement”, which contained URLs directing victims to a Microsoft Word Document containing macros that are hosted on another site. If the macros are enabled, a PowerShell command is run that downloads DanaBot. The second wave of DanaBot banking trojan attacks was seen using URLs that redirected users to a zipped JavaScript file that, when executed, would download the trojan onto the machine if the server detected the victims IP address to be from Australia. The malicious payload downloads three DLL files that contain a stealer and sniffer, and also a configuration file that contains a list of targeted sites for the sniffer module, banking web injects, and a list of cryptocurrency processes and files to monitor. When DanaBot is present on the victims system, it uploads files to the C2 server that includes detailed system information, screenshots of the user’s desktop, and a list of files on the user’s hard disk.
UPDATE 10/02/2018: DanaBot has been detected targeting banks in additional countries, including the United States, Poland, Italy, Germany, and Austria. In recent campaigns, DanaBot is distributed via malspam that appears to be an eFax notification. The body of the email instructs recipients to open an attachment or click on an embedded URL in order to view a fax. If users open the document and enable the macros, the Hancitor trojan will download and install, which, in turn, delivers DanaBot and additional malware onto the computer.
UPDATE 6/20/2019: A new campaign is proliferating an updated DanaBot variant which adds a “Non Ransomware” ransomware module to its list of capabilities. Potential victims are targeted with phishing emails, delivering malware droppers. The module ensures survivability as it can revive itself using the Schtasks tool, in the event of the ransomware getting “killed.”
Technical Details and Reporting:
