DanaBot shifts its targeting to Europe, adds new features

ESET researchers have discovered new DanaBot campaigns targeting a number of European countries

Recently, we have noticed a surge in activity of DanaBot, a stealthy banking Trojan discovered earlier this year. The malware, first observed in campaigns targeting Australia and later Poland, has apparently expanded further, with campaigns popping up in Italy, Germany, Austria, and as of September 2018, Ukraine.

What is DanaBot?

DanaBot is a modular banking Trojan, first analyzed by Proofpoint in May 2018 after being discovered in malicious email campaigns targeting users in Australia. The Trojan is written in Delphi and has a multi-stage and multi-component architecture, with most of its functionality implemented by plug-ins. At the time of the discovery, the malware was said to have been under active development.

New campaigns

Just two weeks after the widely-reported initial campaigns in Australia, DanaBot was detected in a campaign aimed at Poland. According to our research, the campaign targeting Poland is still ongoing and is the largest and most active campaign to date. To compromise their victims, the attackers behind the Poland-targeted campaign use emails posing as invoices from various companies, as seen in Figure 1. The campaign uses a combination of PowerShell and VBS scripts widely known as Brushaloader.

Figure 1 – Example of a spam email used in a Poland-targeted DanaBot campaign in September 2018

At the beginning of September, ESET researchers discovered several smaller campaigns targeting banks in Italy, Germany and Austria, using the same distribution method as observed in the Polish campaign. Further to this development, on September 8, 2018, ESET discovered a new DanaBot campaign targeting Ukrainian users. The software and websites targeted in these new campaigns are listed at the end of this article.

Figure 2 shows a spike in the DanaBot detection rate at the turn of August and again in September 2018, as seen in our telemetry data.

Figure 2 – Overview of ESET product detections of DanaBot in the last two months

Plug-in improvements

Given its modular architecture, DanaBot relies on plug-ins for most of its functionality.

The following plug-ins have previously been mentioned as part of the Australia-targeted campaigns of May 2018:

  • VNC plug-in – establishes a connection to a victim's computer and remotely controls it
  • Sniffer plug-in – injects malicious scripts into a victim's browser, usually while visiting internet banking sites
  • Stealer plug-in – harvests passwords from a wide variety of applications (browsers, FTP clients, VPN clients, chat and email programs, poker programs etc.)
  • TOR plug-in – installs a TOR proxy and enables access to .onion web sites

According to our research, the attackers have introduced several changes to the DanaBot plug-ins since the previously reported campaigns.

In August 2018, the attackers started using the TOR plug-in for updating the C&C server list from y7zmcwurl6nphcve.onion. While this plug-in could potentially be used to create a covert communication channel between the attacker and a victim, we have no evidence of such a use so far.

In addition to that, the attackers have extended the Stealer plug-in range with a 64-bit version compiled on August 25, 2018, expanding the list of software potentially targeted by DanaBot.

Finally, at the beginning of September 2018, an RDP plug-in was added to DanaBot. It is based on the open-source project RDPWrap, which provides Remote Desktop Protocol connections to Windows machines that normally do not support it.

There could be several reasons why the DanaBot developers added another plug-in that enables remote access besides the VNC plug-in: First, the RDP protocol is less likely to be blocked by firewalls. Second, RDPWrap allows multiple users to use the same machine simultaneously, enabling attackers to perform reconnaissance operations while the unsuspecting victim is still using the machine.

Conclusion

Our findings show that DanaBot is still in active use and development, most recently testing out "new ground" in European countries. The new features introduced in these latest campaigns indicate that the attackers behind DanaBot continue to make use of the malware's modular architecture to increase their reach and success rate.

ESET systems detect and block all DanaBot components and plug-ins under detection names listed in the IoCs section. The software and domains targeted in these recent campaigns are listed in the following sections of this blog post.

This research was conducted by Tomáš Procházka and Michal Kolář.

Targeted software

Software targeted in all European campaigns

*electrum*.exe*
*electron*.exe*
*expanse*.exe*
*bitconnect*.exe*
*coin-qt-*.exe*
*ethereum*.exe*
*-qt.exe*
*zcash*.exe*
*klient*.exe*
*comarchcryptoserver*.exe*
*cardserver*.exe*
*java*.exe*
*jp2launcher*.exe*

Software targeted in Ukrainian campaign

On September 8, 2018, DanaBot started targeting the following corporate banking software and remote access tools:

*java*.exe*
*jp2launcher*.exe*
*srclbclient*.exe*
*mtbclient*.exe*
*start.corp2*.exe*
*javaw.*exe*
*node*.exe*
*runner*.exe*
*ifobsclient*.exe*
*bank*.exe*
*cb193w*.exe*
*clibankonlineen*.exe*
*clibankonlineru*.exe*
*clibankonlineua*.exe*
*eximclient*.exe*
*vegaclient*.exe*
*mebiusbankxp*.exe*
*pionner*.exe*
*pcbank*.exe*
*qiwicashier*.exe*
*tiny*.exe*
*upp_4*.exe*
*stp*.exe*
*viewpoint*.exe*
*acdterminal*.exe*
*chiefterminal*.exe*
*cc*.exe*
inal*.exe*
*uniterm*.exe*
*cryptoserver*.exe*
*fbmain*.exe*
*vncviewer*.exe*
*radmin*.exe*
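As an added example (not ESET's code, nor anything from DanaBot itself), the check below applies a subset of the wildcard patterns listed above to a constructed process listing, the way a defender might ask which locally running software would fall under this targeting list; the pattern subset and the sample process names are assumptions, not data from the campaigns.

```python
# Added example: match process image names against DanaBot-style wildcard
# patterns. Pattern subset is taken from the article; process names are
# constructed samples, not observations from any real host.
import fnmatch
from typing import Dict, List

# Subset of the targeted-software patterns listed in the article.
TARGET_PATTERNS = [
    "*electrum*.exe*",
    "*java*.exe*",
    "*jp2launcher*.exe*",
    "*clibankonlineua*.exe*",
    "*vncviewer*.exe*",
    "*radmin*.exe*",
    "*-qt.exe*",
]


def matching_patterns(process_name: str, patterns=TARGET_PATTERNS) -> List[str]:
    """Return every pattern that matches process_name, case-insensitively.

    The patterns wrap the name in '*', so a match anywhere in the image name
    counts (e.g. 'javaw.exe' matches '*java*.exe*'), and the trailing '*'
    means an extra suffix such as '.exe.tmp' still matches.
    """
    name = process_name.lower()
    return [p for p in patterns if fnmatch.fnmatchcase(name, p.lower())]


def flag_processes(process_names, patterns=TARGET_PATTERNS) -> Dict[str, List[str]]:
    """Map each process name that hits at least one pattern to its matches."""
    hits: Dict[str, List[str]] = {}
    for name in process_names:
        matched = matching_patterns(name, patterns)
        if matched:
            hits[name] = matched
    return hits


# Constructed sample of image names as a process listing might report them.
SAMPLE_PROCESSES = [
    "explorer.exe",         # no pattern applies
    "javaw.exe",            # hits *java*.exe*
    "Electrum-3.2.3.exe",   # hits *electrum*.exe* despite the mixed case
    "bitcoin-qt.exe",       # hits *-qt.exe*
    "vncviewer.exe.tmp",    # trailing '*' lets the extra suffix through
    "java.dll",             # no '.exe' in the name, so not matched
]

if __name__ == "__main__":
    for proc, pats in flag_processes(SAMPLE_PROCESSES).items():
        print(f"{proc}: {', '.join(pats)}")
```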

Targeted domains

Note that wildcard characters are used in the configuration, so this list only contains portals that are reliably identified.

Targeted Italian domains

  • credem.it
  • bancaeuro.it
  • csebo.it
  • inbank.it
  • bancopostaimpresaonline.poste.it
  • bancobpm.it
  • bancopopolare.it
  • ubibanca.com
  • icbpi.it
  • bnl.it
  • banking4you.it
  • bancagenerali.it
  • ibbweb.tecmarket.it
  • gruppocarige.it
  • finecobank.com
  • popso.it
  • bpergroup.net
  • credit-agricole.it
  • cariparma.it
  • chebanca.it
  • creval.it
  • bancaprossima.com
  • intesasanpaoloprivatebanking.com
  • intesasanpaolo.com
  • hellobank.it

Targeted German domains

  • bv-activebanking.de
  • commerzbank.de
  • sparda.de
  • comdirect.de
  • deutsche-bank.de
  • berliner-bank.de
  • norisbank.de
  • targobank.de

Targeted Austrian domains

  • sparkasse.at
  • raiffeisen*.at
  • bawagpsk.com

Targeted Ukrainian domains

Domains added on September 14, 2018:

  • bank.eximb.com
  • oschadbank.ua
  • client-bank.privatbank.ua

Domains added on September 17, 2018:

  • online.pumb.ua
  • creditdnepr.dp.ua

Targeted webmails

  • mail.vianova.it
  • mail.tecnocasa.it
  • MDaemon Webmail
  • email.it
  • outlook.live.com
  • mail.one.com
  • tim.it
  • mail.google
  • tiscali.it
  • roundcube
  • horde
  • webmail*.eu
  • webmail*.it

Targeted cryptocurrency wallets

*wallet.dat*
*default_wallet*

Example configuration from campaigns targeting Poland, Italy, Germany and Austria

Indicators of Compromise (IoCs)

Servers used by DanaBot

Note that "Active" stands for serving malicious content as of September 20, 2018.


Example hashes

Note that new builds of the main components are released every ~15 minutes, so hashes may not be the latest available.


ESET Research
