Danabot Banking Trojan - A New Threat to Australian Companies
In the last few years, we have seen a concerning rise in the frequency of malware and phishing attacks. This year, too, we have witnessed many banking Trojans returning with impactful hacking features. After several damaging banking Trojans, like Anubis, Kronos, MysteryBot, and Exobot, it is now the turn of the DanaBot malware, which is trying to steal your hard-earned money.
Proofpoint first discovered the DanaBot malware in May 2018, soon after observing a huge phishing campaign targeting Australians. Trustwave researchers later posted a detailed analysis of the malware after noticing the scam. It seems that this phishing campaign has been on the rise in Australia for quite some time, alongside the improvements being made to the DanaBot Trojan.
DanaBot seems to be a robust phishing scam that is targeting various businesses, mainly in Australia. The spam emails appear to be sent by MYOB, an Australian software firm that provides business software to many SMBs, and are presented as MYOB invoices. Moreover, as the malicious emails use FTP, they appear more genuine than ones that come from unknown HTTP addresses. Once the user clicks on the email, he/she reaches a compromised File Transfer Protocol (FTP) server bearing the DanaBot malware.
The DanaBot Trojan, which is written in Delphi, consists of 3 main components in the recent campaign: the DanaBot Master DLL (6AD4B832.dll), the DanaBot Downloader (091A4F71.dll), and the DanaBot Dropper (TempVBH56.exe). As soon as these three components are activated, the cybercriminals are able to send encrypted data, such as screenshots of victims' machines, back to the C&C (command-and-control) server, from where it can be covertly distributed through channels like Tor. In effect, DanaBot gives a hacker overall access to the attacked device.
Right now, the malware appears to be restricted to Australia. However, it is not yet known when the DanaBot malware will begin targeting users in the rest of the world. Users, SMBs in particular, should be aware of these phishing attacks and should avoid clicking on any emails until they know the senders.
» SPAMfighter News - 8/16/2018