Over the past few months, banking Trojan activity worldwide has grown by almost 50%. The security measures banks have adopted to harden their processes are being undercut by new tactics that malware developers keep devising to steal funds from online accounts.
Banking Trojans remain a popular tool among cybercriminals for stealing users' banking credentials and draining their accounts.
The discovery of DanaBot, the latest in a long line of banking Trojans, bears this out. After widely reported initial campaigns in Australia, it expanded its reach to European countries, particularly Austria, Poland, Italy, Germany and Ukraine, and its latest target is the United States.
DanaBot is a modular banking Trojan first observed in malicious email campaigns targeting Australian users in May 2018. It is written in Delphi, an Object Pascal-based language and IDE used for rapid application development of desktop, web and mobile applications.
Its multi-stage, multi-component architecture gives DanaBot an edge over other banking Trojans, since individual components can be updated or replaced without redeploying the whole malware.
Like other banking Trojans, DanaBot attempts to steal account credentials and other banking information from users' online banking sessions. It does so through a variety of methods, including:
The collected information is exfiltrated to the attackers' command-and-control (C&C) server.
DanaBot's multi-stage infection chain and modular architecture comprise several components, including:
Together these plug-ins give the attacker a covert channel into the victim's machine, which is ultimately used to steal the victim's money.
DanaBot's activity originated in Australia. Following the success of those attacks, the same malware was soon turned against other regions under different affiliate IDs. Each affiliate ID uses different distribution tactics, such as:
A web inject, for instance, can add fields to a bank's login screen to capture card or account details that the real page never asks for, or it can remove warnings the user would normally see on that page. Web injects have long been used to steal credentials for online banking accounts.
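To make the web-inject mechanism concrete, the following Python script is an added example (not code from the original article and not DanaBot's own implementation). It models a simplified, Zeus-style webinject rule set and applies two rules to a constructed bank login form: one adds card-number and PIN fields, the other blanks the page's warning. It then runs the integrity check a bank could perform, comparing the rendered form's field names against the known layout. The bank URL, page markup and rule format are assumptions for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a minimal bank login form as the browser receives it
# from the server. Not a real bank page.
ORIGINAL_PAGE = """<form id="login" action="/auth" method="post">
  <label>User ID <input name="userid" type="text"></label>
  <label>Password <input name="password" type="password"></label>
  <div class="warning">We will never ask for your card number or PIN on this page.</div>
  <input type="submit" value="Log in">
</form>"""

# Field names the bank's login form is known to contain (the integrity baseline).
EXPECTED_FIELDS = {"userid", "password"}


@dataclass
class WebInject:
    """One rule in a simplified, Zeus-style webinject format (assumed here for
    illustration; DanaBot's own config format is not claimed). The HTML between
    the end of data_before and the start of data_after is replaced by
    data_inject; an empty data_after means pure insertion after data_before."""
    url_pattern: str
    data_before: str
    data_inject: str
    data_after: str = ""


def apply_inject(html: str, url: str, rule: WebInject) -> str:
    """Rewrite the page the way a man-in-the-browser module would, but only
    for URLs the rule targets; the victim sees the result as the bank's page."""
    if not re.search(rule.url_pattern, url):
        return html
    start = html.find(rule.data_before)
    if start == -1:
        return html
    start += len(rule.data_before)
    end = start
    if rule.data_after:
        end = html.find(rule.data_after, start)
        if end == -1:
            return html
    return html[:start] + rule.data_inject + html[end:]


# Two rules matching the behaviours described above: add fields that harvest
# card data, and blank the warning that would make the victim suspicious.
RULES = [
    WebInject(
        url_pattern=r"https://bank\.example/login",
        data_before='<label>Password <input name="password" type="password"></label>',
        data_inject='\n  <label>Card number <input name="cardnum" type="text"></label>'
                    '\n  <label>ATM PIN <input name="pin" type="password"></label>',
    ),
    WebInject(
        url_pattern=r"https://bank\.example/login",
        data_before='<div class="warning">',
        data_inject="",
        data_after="</div>",
    ),
]


def render_as_victim_sees(html: str, url: str, rules=RULES) -> str:
    """Apply every matching rule in order, as the injected browser would."""
    for rule in rules:
        html = apply_inject(html, url, rule)
    return html


INPUT_NAME = re.compile(r'<input[^>]*\bname="([^"]+)"')


def unexpected_fields(html: str, expected=EXPECTED_FIELDS) -> set[str]:
    """Integrity check a bank can run on the rendered form (client-side script,
    or server-side on the names of submitted fields): any input not in the
    known layout points to tampering. Returns the offending field names."""
    return set(INPUT_NAME.findall(html)) - set(expected)


if __name__ == "__main__":
    tampered = render_as_victim_sees(ORIGINAL_PAGE, "https://bank.example/login")
    print(tampered)
    print("unexpected fields:", unexpected_fields(tampered))
```

The server-side variant of the check is the more reliable one: a browser already under the malware's control can strip a client-side integrity script just as easily as it strips the warning, whereas a POST that arrives carrying a `cardnum` field the real form never had is visible to the bank regardless of what happened on the endpoint.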
The use of different IDs across campaigns suggests that DanaBot is marketed through an affiliate system, in which cybercriminals either rent the malware from its developer or share profits with them.
A recent campaign in North America distributed DanaBot through spam emails posing as fax notifications from eFax, a legitimate online fax service. When the recipient downloaded the attached document, it instructed them to click the “Enable Content” button to view it properly.
Clicking “Enable Content” turned on the Word document's macros, which then installed Hancitor on the victim's machine.
Hancitor is a macro-based downloader spread through Microsoft Office documents in malspam campaigns. It infects Windows systems with additional malware, most often a banking Trojan such as DanaBot.
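The infection chain above hinges on one thing: a mailed Word document carrying VBA that the victim is talked into enabling. The Python script below is an added example (not from the original article) of the static triage a mail gateway or analyst can run before anyone sees the “Enable Content” button. It builds a constructed OOXML package that stands in for the attachment (not a real eFax lure), then checks whether the package contains a `word/vbaProject.bin` part or a macro-enabled content type, and whether the file name's extension matches what the package actually holds. File names and sample bytes are assumptions for illustration.

```python
import io
import zipfile

VBA_PART = "word/vbaProject.bin"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PLAIN_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed stand-in for a mailed Word attachment: a minimal OOXML zip
    containing only the parts the check below inspects. Not a real lure."""
    main_ct = MACRO_MAIN_CT if with_macro else PLAIN_MAIN_CT
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file holding compressed
            # VBA source; an OLE header plus padding suffices for a presence check.
            z.writestr(VBA_PART, OLE_MAGIC + b"\x00" * 120)
    return buf.getvalue()


def inspect_attachment(data: bytes, filename: str) -> dict:
    """Static triage of a Word attachment. 'macro_enabled' is True when the
    package embeds VBA; 'extension_mismatch' flags a name that misrepresents
    the content (e.g. a .docx that carries a VBA project)."""
    report = {"container": None, "has_vba_part": False,
              "macro_content_type": False, "macro_enabled": False,
              "extension_mismatch": False}
    if data.startswith(OLE_MAGIC):
        # Legacy binary .doc: macros live in OLE streams, outside this check.
        report["container"] = "ole"
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        report["container"] = "not-office"
        return report
    report["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        report["has_vba_part"] = VBA_PART in names
        if "[Content_Types].xml" in names:
            ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            report["macro_content_type"] = "macroEnabled" in ct_xml
    report["macro_enabled"] = report["has_vba_part"] or report["macro_content_type"]
    has_macro_ext = filename.lower().endswith((".docm", ".dotm"))
    report["extension_mismatch"] = report["macro_enabled"] != has_macro_ext
    return report


if __name__ == "__main__":
    for name, doc in (("eFax_document.docm", build_sample_doc(True)),
                      ("eFax_document.docx", build_sample_doc(True)),
                      ("letter.docx", build_sample_doc(False))):
        print(name, inspect_attachment(doc, name))
```

Presence of `word/vbaProject.bin` is the decisive signal: a document that needs macros only to be "viewed properly" has no legitimate reason to carry one. Legacy OLE `.doc` files are reported separately because their macro storage is a different format; for those, tools such as oletools' `olevba` do the equivalent extraction.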
A DanaBot infection puts the user's system at risk of credential theft and financial fraud.
Users should follow these practices to defend their systems against DanaBot: