Danabot Banking Trojan now Targets United States Banks

Over the past few months, banking Trojans have disseminated their global impact by almost 50 %.  The appropriate security measures adopted by banks to strengthen their processes have proven futile with the never-before seen tactics evolved by the developers to facilitate the theft of online funds.

Banking Trojans continue to be a popular tool among cyber maniacs for stealing user’s banking details and draining bank accounts.

The discovery of Danabot, another Banking Trojan in a row is an evidence to establish the fact. With the widely- reported initial campaigns in Australia, this banking Trojan later expanded its reach to European countries particularly Austria, Poland, Italy, Germany, Ukraine, its latest target being United States.

What is DanaBot?

DanaBot is a modular Banking Trojan, first discovered in malicious email campaigns targeting Australian population in May 2018. This malware is programmed in Delphi, an Integrated Development Environment (IDE) for rapid application development of Desktops, web, Mobile etc.

The multi-stage and multi-component architecture of DanaBot gives it an edge over other Banking Trojans.

As other banking Trojans, DanaBot attempts to steal account credentials and other banking information of users from online banking sites. This functionality is implemented by a variety of methods like:

• Logging Keystrokes made on the computer
• Stealthily taking screenshots of active screens
• Stealing data from banking forms

The collected information is shared with threat actors via C&C server (Command and Control server).

DanaBot Multi- Stage Behavior

The multistage infection chain and modular architecture of DanaBot comprises of several components that include:

• VNC (Virtual Network Computing) — connects and hijacks the infected system.
• Sniffer — injects malicious scripts into the browser when user visits online banking websites
• Stealer– Collect banking credentials and other information from a variety of applications like browsers, chats, emails, VPN clients etc.
• TOR — uses a Tor proxy server to access .onion websites (anonymous hidden services
• RDP — used to access Remote Desktop Protocol-based (RDP) machines;

All these plug-ins are used to create a covert communication channel between the attacker and a victim, and hence embezzle user of their hard earned money.

Threat Behavior of the North American Campaign

The threat behavior of this malware originated in Australia.  Following the success of the attack, the source code of the threat was soon leveraged to target other regions with different IDs. Each affiliate IDs utilize different distribution tactics such as:

• Web Injects: These are modules or packages used in financial malware that inject HTML or JavaScript codes in the contents of the web page to alter its contents without user knowledge.

For instance, a Web inject can be used to add a field in the login screen for capturing his or her bank account details, or it can be used to delete warnings that a user might normally see when viewing a particular Web page. Web injects typically have been used to steal financial credentials for accessing bank accounts.

• Malspasm Campaigns: Distribute malware via spam email attachments.
• Installation through Hancitor malware etc

The use different IDs in different campaigns launched by threat actors reveals that DanaBot may be marketed as part of an affiliate system where cyber maniacs either rent malware from the developer or share in the profits with them.

A recent campaign launched in North America made use of spam digital fax posing as an important document from eFax, a trusted online Fax Service to distribute DanaBot. When the recipient downloaded the document, it instructed them to click on the “Enable content” button to enable proper view of the document.

The click on the “Enable Content” Button enabled the macros feature of word document that led to the installation of Hancitor on the victim’s machine.

Hancitor is a macro based malware spread through Microsoft Office documents in malspam campaigns. Hancitor is designed to infect the Windows Operating system with additional malware, most often a Banking Trojan like DanaBot.

The infiltration of DanaBot Banking Trojan puts user’s system at risk of data embezzlement.

How to defend your system against DanaBot?

Users should follow these practices to defend their system against DanaBot:

• Secure the use of remote access functionalities like remote desktops.
• Keep the networks, servers, systems up-to date.
• Employ authentication and authorization mechanisms to mitigate attacks
• Check the specs of the email before opening it.

Hits: 101