Windows 10 News and info | Forum
Topic: Danabot Banking Malware Now Targeting Banks in the U.S.
« on: October 03, 2018, 02:43:55 PM »

The DanaBot banking Trojan traditionally ran campaigns that targeted Australian and European banks, but new research shows a new campaign that is targeting banks in the United States as well.

DanaBot is a modular Trojan written in Delphi that attempts to steal account credentials and information from online banking sites. It does this through a variety of methods such as taking screenshots of active screens, stealing form data, or logging keystrokes made on the computer. This stolen information is then collected and sent back to a central server, or command & control server, where it can then be accessed by the attackers.

When ProofPoint first discovered DanaBot, a single group was using it to target Australian banks. As time went on, other actors began using the banking Trojan to target other regions. As more campaigns are released using a different ID found in server communications, ProofPoint feels that DanaBot is being marketed as part of an affiliate system where actors can either share in the profits or rent the malware from the developer.

North American DanaBot campaign

The North American campaign discovered by ProofPoint is being spread through malspam that pretends to be digital faxes from eFax. These emails state that the recipient received a fax and then prompt the user to download it.

Malspam pretending to be from eFax

When the recipient clicks on the download button, they will download a malicious Word document that pretends to be the eFax. When opened, the document will instruct the user to click on the "Enable Content" button to properly view it.

Malicious Word Document

Once a user clicks on the Enable Content button, Word macros will fire off and download and install Hancitor on the victim's machine. Hancitor will then download DanaBot and other malware, such as Pony, onto the computer.
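The infection chain above starts with a macro-enabled Word attachment. The following is an added defender-side example, not code from the article or from Proofpoint: it triages attachments by opening the OOXML container (a zip) and checking for the VBA project part and its declared content type, which is how a mail gateway or a quarantine script can flag such lures before a user ever sees the "Enable Content" prompt. The sample documents are constructed in memory for the demo and are not real malware samples.

```python
"""Flag Word attachments that carry VBA macros (added example, not from the article).

An OOXML document (.docx/.docm) is a zip archive. A macro-enabled document
carries a 'word/vbaProject.bin' part and declares it in [Content_Types].xml
with the content type 'application/vnd.ms-office.vbaProject'.
"""
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the OOXML document bytes contain a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if MACRO_PART in names:
                return True
            # Defence in depth: the part could be renamed, but it must still be
            # declared with the VBA content type for Word to load it.
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in ct
    except zipfile.BadZipFile:
        # Not an OOXML container (e.g. a legacy OLE2 .doc); this check does not apply.
        return False
    return False


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-shaped document for the demo (constructed, not real)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>')
        if with_macros:
            ct += f'<Override PartName="/{MACRO_PART}" ContentType="{MACRO_CONTENT_TYPE}"/>'
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr(MACRO_PART, b"\x00placeholder VBA project bytes\x00")
    return buf.getvalue()


def triage(attachments: dict) -> list:
    """Return the names of attachments that should be quarantined for review."""
    return [name for name, blob in attachments.items() if has_vba_macros(blob)]


if __name__ == "__main__":
    # Hypothetical attachment names for the demo.
    samples = {"eFax_lure.docm": build_sample(True), "invoice.docx": build_sample(False)}
    print(triage(samples))  # ['eFax_lure.docm']
```

Blocking or quarantining on the presence of a VBA project is coarse but effective against this lure type; where macro-enabled documents are legitimately used, route the flagged files to a sandbox or analyst queue rather than delivering them directly.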

Affiliate system and links to CryptXXX

ProofPoint has been tracking the various campaigns that are utilizing DanaBot and has identified 9 different actors distributing the Trojan. These actors are being identified by an "affiliate id" that is part of the C2 communication header.

For the most part, each actor distributes DanaBot to a specific region, with only Australia being the target of two different affiliate ids. Furthermore, each affiliate id is utilizing different distribution methods such as web injects, the Fallout Exploit Kit, various malspam campaigns, and as in the current campaign, installations through the Hancitor malware.

In addition to an affiliate system being used, ProofPoint has found similarities between how DanaBot and the CryptXXX Ransomware communicate with their respective command & control servers. This leads the researchers to believe that the developers created DanaBot as part of an evolution of CryptXXX.

"Thus it would seem that Danabot follows in a long line of malware from one particular group," stated the ProofPoint report. "This family began with ransomware, to which stealer functionality was added in Reveton. The evolution continued with CryptXXX ransomware and now with a banking Trojan with Stealer and remote access functionality added in Danabot."
