Danabot: A deep insight into the banking trojan’s capabilities and attacks

• Danabot is a banking trojan which was uncovered by researchers from Proofpoint on May 06, 2018.
• Danabot is capable of stealing credentials and system information such as the list of files on the user’s hard disk and more.

Danabot is a banking trojan which was uncovered by researchers from Proofpoint on May 06, 2018. This banking trojan was first spotted when it was targeting users in Australia via phishing emails. Apart from Australia, Danabot was also spotted targeting countries such as the United States, Poland, Germany, and Italy.

Capabilities of Danabot

• Danabot is capable of stealing credentials and system information such as the list of files on the user’s hard disk etc.
• This banking trojan is also capable of capturing screenshots of the infected system.
• The malware then sends all the stolen data to the attacker-controlled Command & Control server.

Danabot targeting Australian users

Danabot targeted Australian users via a malspam campaign that included malicious URLs. The malspam campaign had subject lines similar to ‘Your E-Toll account statement’ and the malicious URL redirected users to an MS Word documents hosted phishing page. The MS Word docs contain malicious macro, which if enabled installed Danabot on to the infected system.

Danabot exploits FTP sites to target victims

In July 2018, 2018 researchers spotted a malspam campaign that distributed the Danabot banking trojan. In this campaign, fake MYOB invoices and FTP links were used to trick victims into downloading the stealthy banking malware.

Danabot shifts its focus from Australia to Poland

In September 2018, the attackers behind Danabot shifted their focus from Australia to Poland. They also upgraded the malware’s capability and included a Anti-VM feature to avoid detection from antivirus solutions.

Danabot’s new features

Attackers behind the Danabot banking trojan added new features to the malware such as,

• A VNC plugin that remotely controls victims’ systems.
• A sniffer plugin that injects malicious scripts into victims’ browser when visiting banking sites.
• A stealer plugin that steals credentials from browsers, FTP clients, VPN clients, chat and email programs.
• A Tor plugin that installs a Tor proxy and enables access to .onion websites.

Danabot targets banks in the US

In October 2018, attackers launched a malspam campaign disguised as ‘digital faxes from eFax’ against banks in the United States. The emails included a malicious MS word documents which when opened downloaded two versions of Pony stealer and the DanaBot banking trojan.

HookAds malvertising campaigns

In November 2018, researchers observed two HookAds malvertising that redirected users to the Fallout Exploit Kit. The first campaign that was observed on November 09, 2019 distributed the Danabot banking trojan.

The campaign involves an attacker purchasing an ad space on adult websites, online gaming sites and blackhat SEO sites that are injected with ads and contain malicious JavaScript.

• Upon clicking on the ads, the Fallout exploit kit is silently loaded onto the visitors’ computer.
• Once installed, the exploit kit attempts to exploit the Windows CVE-2018-8174 VBScript vulnerability and install the Danabot trojan.

Danabot targets banks in Italy

In December 2018, Danabot targeted banks in Italy via fattura-themed phishing emails. The phishing emails included macro-enabled malicious documents that download the Danabot trojan onto victims’ computer. Apart from stealing banking credentials, this trojan also searches for sensitive information and saved credentials stored in the data folder of the installed web browsers such as Google Chrome and Mozilla Firefox. It can also perform Man-in-the-Browser attacks.

• This campaign targeted customers of Italian banking institutions such as Bancoposte, Intesa San Paolo, Banca Generali, BNL, Hello Bank, and UBI Banca.
• Besides, it also targeted email providers such as Tim, Yahoo, Hotmail, and Gmail.

Danabot updated with a new communication protocol

Attackers behind Danabot has introduced a new communication protocol to the malware at the end of January 2019, that added several layers of encryption to its C&C communication. DanaBot uses the AES and RSA encryption algorithms in its C&C communication

Besides the changed communication protocol, DanaBot has also got a new loader component which is used to download all plugins along with the main module.