DanaBot Banking Trojan Used in U.S. Campaign

The DanaBot banking Trojan was first detected by security researchers at Proofpoint in May 2018. It was being used in a single campaign targeting customers of Australian banks. Further campaigns were later detected targeting customers of European banks, and the attacks have now moved across the Atlantic, with U.S. banks being targeted.

Banking Trojans are a major threat. Proofpoint notes that they now account for 60% of all malware sent via email. The DanaBot banking Trojan is being distributed via spam email, with the malicious messages containing an embedded hyperlink to websites hosting a Word document with a malicious macro. If the macro is allowed to run, it launches a PowerShell command which downloads DanaBot.

The DanaBot Trojan steals credentials for online bank accounts through a combination of banking site web injections, keylogging, taking screenshots, and capturing form data. The malware is written in Delphi, is modular, and is capable of downloading additional components.

Proofpoint notes that the campaigns it has detected use different IDs in their server communications, which suggests that multiple individuals are conducting campaigns, most likely through a malware-as-a-service offering. To date, nine different IDs have been identified, which suggests nine individuals are conducting campaigns. Each actor targets a specific geographical region, except in Australia, where two individuals are conducting campaigns.

The latest campaign targeting U.S. bank customers is also being conducted via spam email and similarly links to a Word document with a malicious macro. The spam emails intercepted by Proofpoint spoof eFax messages and are complete with appropriate branding. The emails claim the Word document contains a 3-page fax transmission.

Enabling the macro will result in Hancitor being downloaded, which in turn will download the DanaBot banking Trojan and other information-stealing malware. Several U.S. banks are being targeted, including Wells Fargo, Bank of America, TD Bank, and JP Morgan Chase.

Proofpoint has identified similarities with other malware families, suggesting it is the work of the group behind CryptXXX and Reveton. “This family began with ransomware, to which stealer functionality was added in Reveton. The evolution continued with CryptXXX ransomware and now with a banking Trojan with Stealer and remote access functionality added in DanaBot.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news