Convincing Phishing Campaign Targets Australian Businesses and Spreads DanaBot Trojan

A new phishing campaign has been detected that is spreading the DanaBot Trojan. The campaign involves phishing emails which appear to contain invoices from the Australian multinational corporation MYOB – a provider of tax and accounting services for small and medium sized businesses. The phishing campaign was detected by Trustwave researchers.

The phishing emails are succinct and well written and advise the recipient of the invoice amount, the due date for payment, a request to make contact if there are any questions about the invoice, and a link to view the invoice. The emails look professional and could easily pass for a genuine communication.

While the link appears to connect to a website, they actually direct the email recipient to compromised Australian FTP sites where a zip file is downloaded. The zip file contains a JavaScript downloader which, if executed, launches a PowerShell script that downloads the DanaBot Trojan.

Trustwave said in a recent blog post (includes IoCs), “The infrastructure supporting the malware is designed to be flexible while the malware is designed to be modular with functionality spread across multiple components that are heavily encrypted.”

The DanaBot banking Trojan is written in Delphi and is an information stealer, primarily used to steal sensitive information such as online banking credentials. The malware was first identified in May 2018 and has previously been used on other phishing campaigns targeting Australian companies.

The DanaBot Trojan is persistent, modular, and can download further components. The Proofpoint researchers who discovered the malware said it has “robust stealing and remote monitoring capabilities.”

While the emails themselves could easily fool an employee into clicking, the zip file must be extracted and manually run for infection to occur. The zip file is a red flag which should be identified as potentially malicious by a security aware employee. Even if the contents of the zip file are extracted, the unfamiliar JS file format should be identified as potentially malicious and the threat should be reported to security teams.

In order for that to happen employees need to receive training and be conditioned into reporting threats. A one-click reporting tool, such as an email add-on, allows employees to quickly and easily report emails such as this to their security teams, allowing them to take prompt action to neutralize the threat.

Author: NetSec Editor