DanaBot trojan targets bank customers
The newly discovered DanaBot banking trojan is targeting potential victims with fake invoices from the software company MYOB. The emails look like invoices from MYOB, an Australian company that provides tax, accounting and other business software for SMBs. In reality, the emails contain a dropper file that downloads the DanaBot banking trojan, which, once installed, steals private and sensitive information and sends screenshots of the machine's system and desktop to the command and control server.
Cybercriminals are targeting victims in Australian companies and infecting them with a sophisticated, multi-stage, multi-component and stealthy banking trojan, DanaBot, to steal their private and sensitive information. In this campaign the spammers sent targeted phishing emails in the form of fake MYOB invoice messages with invoice links pointing to compromised FTP servers hosting the DanaBot malware. The phishing emails have been spotted targeting Australian customers of MYOB. They use the standard MYOB-style HTML invoice template to convince users they are real, stating that the client has an invoice that is due and asking them to "View Invoice" via a button at the bottom of the email.
What is interesting is that instead of using the more common HTTP application layer protocol for links, the emails use the file transfer protocol (FTP), pointing to compromised FTP servers. When the victim clicks the "View Invoice" button, a zip archive is pulled down from the compromised FTP server of an Australian company. The FTP credentials are supplied in the FTP link that is embedded in the "View Invoice" button. The use of FTP is an uncommon choice and not something researchers usually see. It seems likely that the criminals hacked the FTP server of an Australian company and are using it to spread the malware, probably as a matter of convenience, using whatever was available to them at the time.
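The FTP-with-embedded-credentials link pattern described above is easy to flag at the mail gateway. The following is an added example (not code from the original article or from any vendor) that extracts links from an invoice-style HTML email and reports any that use the ftp scheme, carry credentials in the URL, or point at an archive; the sample email, host name and paths are constructed for illustration.

```python
"""Flag invoice emails whose links use ftp:// with embedded credentials,
the pattern used by the DanaBot MYOB invoice campaign.
Sample input below is constructed; the host name is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")


class _LinkExtractor(HTMLParser):
    """Collect href values from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def find_suspicious_links(html_body):
    """Return one finding per link matching the campaign's pattern:
    ftp scheme, credentials in the URL userinfo, or an archive download."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href in parser.hrefs:
        parts = urlsplit(href)
        reasons = []
        if parts.scheme.lower() == "ftp":
            reasons.append("ftp scheme in email link")
        if parts.username is not None:
            reasons.append("credentials embedded in URL")
        if parts.path.lower().endswith(ARCHIVE_SUFFIXES):
            reasons.append("link pulls down an archive")
        if reasons:
            # Record host and path for triage; never log the password.
            findings.append({"host": parts.hostname, "path": parts.path,
                             "reasons": reasons})
    return findings


# Constructed sample: an invoice-style email with an FTP "View Invoice" button.
SAMPLE_EMAIL = """<html><body><p>Your invoice is now due.</p>
<a href="ftp://user:pass@ftp.example.invalid/inv/Invoice_12345.zip">View Invoice</a>
<a href="https://portal.example.invalid/">Customer portal</a></body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL):
        print(finding)
```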
DanaBot is a banking trojan discovered in May targeting users in Australia via emails containing malicious URLs. The trojan has been one of the biggest cybercrime developments of 2018 so far. DanaBot is the latest example of malware focused on persistence and on stealing useful information that can later be monetised, rather than demanding an immediate ransom from victims. DanaBot's modularity enables it to download additional components, increasing its flexibility and its information-stealing and remote-monitoring capabilities.
In its most recent form, the DanaBot malware drops a downloader file onto the disk and executes it. The downloader then fetches a master DLL, a library containing code and data that can be used by more than one program at the same time. Once downloaded, the DanaBot master DLL in turn downloads and decrypts an encrypted file that contains a variety of modules and configuration files. The DLL modules include a VNC component, a stealer, a sniffer and Tor. The filenames of the DLLs extracted from the encrypted file reveal the true intention of the attackers: these DLLs enable them to create and control a remote session via VNC, steal private and sensitive information, and use covert channels via Tor.
Five configuration files, PInject, BitKey, BitVideo, BitFilesX and Zfilter, each have their own function. The malware uses these files as a reference for what to look for on the victim's machine. PInject contains the web injection configuration, whose targets are Australian banks. BitKey and BitVideo are two further config files that contain the list of cryptocurrency processes the bot will monitor. BitFilesX contains a list of the cryptocurrency files the bot will monitor. Finally, Zfilter lists the processes that the malware should monitor for network sniffing.