Banking Trojans have been holding steady in criminal activity worldwide, which is to be expected when a quick payday is pretty much guaranteed. The newest of this malware family is DanaBot, which attacks Windows computers. The malware is being analyzed and reported on by various InfoSec researchers and cybersecurity news publications. The reports and analysis include the research of Dr. Fahim Abbasi and Diana Lopera from Trustwave.
In their post on Trustwaves’ SpiderLabs blog, the researchers had this to say about DanaBot:
DanaBot is a multi-component banking Trojan written in Delphi and… we have observed the malware is divided into 3 components:
- The DanaBot Dropper
o TempVBH56.exe (Sha256: 4afad293675bcb39ac2a85307f074cc06410a48f2e14585718193648806521c4)
- The DanaBot Downloader
o 091A4F71.dll (Sha256: f10a7b4d2beb20e9d7f3230e7662ead28b468e4554a7107c21e3b85e1c7a0f6a)
- The DanaBot Master DLL
o 6AD4B832.dll (Sha256: 06a1a596f3dbc90da832cd2161848bc8f5c8106bc0f44d4f88d8f3ac3a68e51b)
The DanaBot dropper file TempVBH56.exe that was downloaded and executed by the PowerShell command discussed in the previous section deflates and drops a DLL file 091A4F71.dll onto the disk and executes it and then deletes itself. We term this file (091A4F71.dll) as the DanaBot downloader.
DanaBot is being used to specifically target Australian civilians’ banking data in a phishing campaign. The phishing involves emails that are crafted to look like MYOB invoices (MYOB is an Australian tax software company for small to medium-sized businesses). Researchers note that, rather than the predictable HTTP links usually found within similar phishing emails, the DanaBot campaign uses FTP links that redirect victims to compromised FTP servers. After the redirection, the target is prompted to execute a .zip file that will launch the banking Trojan.
It is likely that the targets of this campaign were found via information they uncovered in public areas. In an interview with Kaspersky Lab’s Threatpost Karl Sigler, threat intelligence manager for SpiderLabs at Trustwave, said, “Given how much information people share publicly, especially on social networks, these lists are not hard to come by.” The lists he refers to are generated from publicly shared information that gave the attackers a likely set of individuals that probably use MYOB’s services.
To protect yourself, be careful what you share online and always be suspicious of emails from companies that involve sensitive data like banking accounts. This current campaign is targeting Australia, but it is always possible that the unknown individual or individuals behind this can expand it.
Featured image: Flickr / Ervins Strauhmanis