DanaBot Banking Trojan targeting Europe with its new features

DanaBot malware was first found in Australia and later in Poland, then spread to other countries including Italy, Germany and Austria. As of September 2018 it is emerging in Ukraine. The trojan was first analyzed by Proofpoint earlier this year after being found in ongoing malicious email campaigns targeting customers in Australia.

Introduction: What is DanaBot?

DanaBot is a modular banking Trojan written in Delphi. It has a multi-stage, multi-component architecture, with most of its functionality implemented as plug-ins. In May 2018 the malware was reported to be under active development, with its operators adding new features at the time.

New campaigns: DanaBot

Two weeks after the campaign started in Australia, the trojan was observed in another campaign in Poland. According to ESET research, this campaign is still active and is the largest to date.

In this campaign, emails are sent posing as invoices from various companies. The malware is delivered through a combination of PowerShell and VBS scripts widely known as Brushaloader.

After the August campaign, the DanaBot developers added a TOR plug-in, which is used to update the C&C server list and to create a covert communication channel. In the new September campaign, the threat actors behind DanaBot added a VNC plug-in that enables Remote Desktop Protocol connections to the victim's machine.

“Researchers said that, starting in September, smaller campaigns targeted banks in Italy, Germany, and Austria; on September 8, 2018, ESET discovered a new DanaBot campaign targeting Ukrainian users. According to the telemetry data, the DanaBot detection ratio spiked between August and September.”

Plug-in Modifications

The plug-ins found in the Poland campaign are:

  • VNC plug-in – establishes a connection to a victim’s computer and remotely controls it
  • Sniffer plug-in – injects malicious scripts into a victim’s browser, usually while visiting internet banking sites
  • Stealer plug-in – harvests passwords from a wide variety of applications (browsers, FTP clients, VPN clients, chat and email programs, poker programs etc.)
  • TOR plug-in – installs a TOR proxy and enables access to .onion websites

ESET published on their website a detailed list of targeted domains, targeted software, targeted cryptocurrency wallets, the configuration script, IoCs, hashes and the plug-ins used; refer to that publication for details.
