
The DanaBot banking Trojan has traditionally run campaigns targeting Australian and European banks, but new research shows a campaign that now targets banks in the United States as well.

DanaBot is a modular Trojan written in Delphi that attempts to steal account credentials and other information from online banking sites. It does this through a variety of methods, such as taking screenshots of active windows, stealing form data, or logging keystrokes on the infected computer. The stolen information is then collected and sent back to a central command & control (C2) server, where the attackers can access it.

When Proofpoint first discovered DanaBot, a single group was using it to target Australian banks. As time went on, other actors began using the banking Trojan to target other regions. Because each new campaign uses a different ID in its server communications, Proofpoint assesses that DanaBot is being marketed as part of an affiliate system in which actors either share in the profits or rent the malware from the developer.

North American DanaBot campaign

The North American campaign discovered by Proofpoint is being spread through malspam that pretends to be digital faxes from eFax. These emails state that the recipient has received a fax and prompt the user to download it.

Malspam pretending to be from eFax

When the recipient clicks on the download button, they download a malicious Word document that pretends to be the eFax. When opened, the document instructs the user to click on the "Enable Content" button to properly view it.

Malicious Word Document

Once the user clicks on the Enable Content button, the Word macros run and download and install Hancitor on the victim's machine. Hancitor then downloads DanaBot and other malware, such as Pony, onto the computer.
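The lure chain above (fax-themed email, Word attachment carrying macros) is the kind of pattern a mail gateway can flag before the macro ever runs. The following is an added example, not code from the article or from Proofpoint: it builds a constructed OOXML attachment in memory, checks whether the archive carries a VBA project, and scores it against a hypothetical fax-lure heuristic. It handles only the zip-based .docx/.docm container; a legacy binary .doc needs an OLE parser instead.

```python
import io
import zipfile


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample attachment (not a real lure): a minimal OOXML
    archive, optionally carrying a VBA project like a macro-laden .docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (.docx/.docm) archive contains a VBA project part.
    Legacy OLE2 .doc files are not zips and return False here; they would
    need an OLE parser (e.g. oletools) rather than this check."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(subject: str, filename: str, data: bytes) -> dict:
    """Hypothetical gateway heuristic: alert when a fax-themed message carries
    an Office attachment with macros, as in the eFax campaign described above."""
    reasons = []
    name = filename.lower()
    if name.endswith((".doc", ".docm", ".docx")) and has_vba_project(data):
        reasons.append("Office attachment contains a VBA project")
    if "fax" in subject.lower() or "fax" in name:
        reasons.append("fax-themed lure in subject or filename")
    # Both signals together match the lure; either alone is only informational.
    return {"alert": len(reasons) == 2, "reasons": reasons}


if __name__ == "__main__":
    print(triage_attachment("You have a new eFax", "eFax_message.docm", build_sample(True)))
    print(triage_attachment("Quarterly report", "report.docx", build_sample(False)))
```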

According to security researcher TomasP, the U.S.-based banks targeted by this new DanaBot campaign include Bank of America, Wells Fargo, TD Bank, Royal Bank, and JP Morgan Chase.

Affiliate system and links to CryptXXX

Proofpoint has been tracking the various campaigns that utilize DanaBot and has identified nine different actors distributing the Trojan. These actors are identified by an "affiliate id" that is part of the C2 communication header.

For the most part, each actor distributes DanaBot to a specific region, with only Australia being the target of two different affiliate ids. Furthermore, each affiliate id uses different distribution methods, such as web injects, the Fallout Exploit Kit, various malspam campaigns, and, as in the current campaign, installation through the Hancitor malware.

In addition to the affiliate system, Proofpoint has found similarities between how DanaBot and the CryptXXX ransomware communicate with their respective command & control servers. This leads the researchers to believe that the developers created DanaBot as an evolution of CryptXXX.

"Thus it would seem that Danabot follows in a long line of malware from one particular group," stated the ProofPoint report. "This family began with ransomware, to which stealer functionality was added in Reveton. The evolution continued with CryptXXX ransomware and now with a banking Trojan with Stealer and remote access functionality added in Danabot."

10/3/18: Updated to include list of targeted U.S. banks
