ESET researchers have discovered new DanaBot campaigns targeting a number of European countries
Recently, we have noticed a surge in activity of DanaBot, a stealthy banking Trojan discovered earlier this year. The malware, first observed in campaigns targeting Australia and later Poland, has apparently expanded further, with campaigns popping up in Italy, Germany, Austria, and as of September 2018, Ukraine.
DanaBot is a modular banking Trojan, first analyzed by Proofpoint in May 2018 after being discovered in malicious email campaigns targeting users in Australia. The Trojan is written in Delphi and has a multi-stage, multi-component architecture, with most of its functionality implemented by plug-ins. At the time of the discovery, the malware was said to have been under active development.
Just two weeks after the widely reported initial campaigns in Australia, DanaBot was detected in a campaign aimed at Poland. According to our research, the campaign targeting Poland is still ongoing and is the largest and most active campaign to date. To compromise their victims, the attackers behind the Poland-targeted campaign use emails posing as invoices from various companies, as seen in Figure 1. The campaign uses a combination of PowerShell and VBS scripts widely known as Brushaloader.
At the beginning of September, ESET researchers discovered several smaller campaigns targeting banks in Italy, Germany and Austria, using the same distribution method as observed in the Polish campaign. Further to this development, on September 8, 2018, ESET discovered a new DanaBot campaign targeting Ukrainian users. The software and websites targeted in these new campaigns are listed at the end of this article.
Figure 2 shows a spike in the DanaBot detection rate at the turn of August and again in September 2018, as seen in our telemetry data.
Given its modular architecture, DanaBot relies on plug-ins for most of its functionality.
The following plug-ins have previously been mentioned as part of the Australia-targeted campaigns of May 2018:
- VNC plug-in – establishes a connection to a victim's computer and remotely controls it
- Sniffer plug-in – injects malicious scripts into a victim's browser, usually while visiting internet banking sites
- Stealer plug-in – harvests passwords from a wide variety of applications (browsers, FTP clients, VPN clients, chat and email programs, poker programs, etc.)
- TOR plug-in – installs a TOR proxy and enables access to .onion websites
According to our research, the attackers have introduced several changes to the DanaBot plug-ins since the previously reported campaigns.
In August 2018, the attackers started using the TOR plug-in for updating the C&C server list from y7zmcwurl6nphcve.onion. While this plug-in could potentially be used to create a covert communication channel between the attacker and a victim, we have no evidence of such a use to date.
In addition to that, the attackers have extended the Stealer plug-in range with a 64-bit version compiled on August 25, 2018, expanding the list of software potentially targeted by DanaBot.
Finally, at the beginning of September 2018, an RDP plug-in was added to DanaBot. It is based on the open-source project RDPWrap, which provides Remote Desktop Protocol connections to Windows machines that normally don't support it.
There could be several reasons why the DanaBot developers added another plug-in that enables remote access besides the VNC plug-in: First, the RDP protocol is less likely to be blocked by firewalls. Second, RDPWrap allows several users to use the same machine concurrently, enabling attackers to perform reconnaissance operations while the unsuspecting victim is still using the machine.
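As an added example (not code from the ESET article, and not part of DanaBot itself), the following PowerShell check looks for the condition RDPWrap relies on, namely the Terminal Services service DLL being re-pointed away from the OS-supplied termsrv.dll, together with the concurrent-RDP-session behaviour described above. It assumes it runs elevated on a Windows endpoint; the registry paths and WMI class are the standard Terminal Services locations, and the "more than one session" threshold is a constructed heuristic.

```powershell
# Added example (not from the ESET article): look for RDPWrap-style tampering with
# Terminal Services on this host. Run in an elevated PowerShell session.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$findings  = @()

# 1. The service DLL should be the OS-supplied termsrv.dll under System32.
#    RDPWrap works by pointing this value at its own wrapper DLL instead.
$serviceDll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction Stop).ServiceDll
$expanded   = [Environment]::ExpandEnvironmentVariables($serviceDll)
if ($expanded -notmatch '\\System32\\termsrv\.dll$') {
    $findings += "TermService ServiceDll points outside System32: $expanded"
}

# 2. Whatever DLL is loaded should carry a valid Microsoft signature.
if (Test-Path -Path $expanded) {
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "ServiceDll signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
    }
}

# 3. Is Remote Desktop switched on at all? (fDenyTSConnections 0 = connections allowed)
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) { $findings += 'Remote Desktop connections are enabled on this host' }

# 4. More than one concurrent RemoteInteractive logon (LogonType 10 = RDP) is the
#    behaviour the article attributes to the RDPWrap-based plug-in. Note that
#    Win32_LogonSession can retain sessions that have since disconnected, so treat
#    this count as a prompt to investigate, not as proof on its own.
$rdpSessions = @(Get-CimInstance -ClassName Win32_LogonSession | Where-Object { $_.LogonType -eq 10 })
if ($rdpSessions.Count -gt 1) {
    $findings += "$($rdpSessions.Count) concurrent RDP logon sessions present"
}

if ($findings.Count -eq 0) {
    Write-Output 'No RDPWrap-style indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A hit on check 1 or 2 on a workstation that should never run a modified Terminal Services DLL is the strongest signal; checks 3 and 4 are context for it, since RDP may be legitimately enabled on many hosts.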
Our findings show that DanaBot is still in active use and development, most recently testing out "new ground" in European countries. The new features introduced in these latest campaigns indicate the attackers behind DanaBot continue to make use of the malware's modular architecture to increase their reach and success rate.
ESET systems detect and block all DanaBot components and plug-ins under the detection names listed in the IoCs section. The software and domains targeted in these recent campaigns are listed in the following sections of this blog post.
This research was conducted by Tomáš Procházka and Michal Kolář.
Targeted software
Software targeted in all European campaigns
Software targeted in the Ukrainian campaign
On September 8, 2018, DanaBot started targeting the following corporate banking software and remote access tools:
Note that wildcard characters are used in the configuration, so this list only contains portals that are reliably identified.
Targeted Italian domains
Targeted German domains
Targeted Austrian domains
Targeted Ukrainian domains
Domains added on September 14, 2018:
- bank.eximb.com
Domains added on September 17, 2018:
- MDaemon Webmail
- email.it
Targeted cryptocurrency wallets
Example configuration from campaigns targeting Poland, Italy, Germany and Austria
Indicators of Compromise (IoCs)
Servers used by DanaBot
Note that "Active" stands for serving malicious content as of September 20, 2018.
Note that new builds of the main components are released every ~15 minutes, so the hashes may not be the latest available.
| Component | SHA-1 | ESET detection name |
|---|---|---|
| Infection vector in Europe | 782ADCF9EF6E479DEB31FCBD37918C5F74CE3CAE | VBS/TrojanDownloader.Agent.PYC |
| Infection vector in Ukraine | 79F1408BC9F1F2AB43FA633C9EA8EA00BA8D15E8 | JS/TrojanDropper.Agent.NPQ |
| Main module (x86) | EA3651668F5D14A2F5CECC0071CEB85AD775872C | Win32/Spy.Danabot.F |
| Main module (x64) | 47DC9803B9F6D58CF06BDB49139C7CEE037655FE | Win64/Spy.Danabot.C |