Cybercriminals are recently starting to shift from deploying destructive ransomware to distributing new and advanced banking trojans, information stealers and backdoors. Recently, a new banking trojan, dubbed DanaBot, surfaced in the wild.

The malware has been continually attempting to rapidly boost its reach. The malware comes packed with a wide variety of capabilities. Security experts have observed a recent uptick in DanaBot campaigns, making it a powerful threat to reckon with.


DanaBot was first discovered by Proofpoint researchers targeting users in Australia, earlier this May. The banking trojan is written in the Delphi programming language and is capable of stealing users’ credentials and hijacking infected systems. DanaBot can also transfer data such as detailed system information, desktop screenshots, list of files on the user's hard disk etc. to the attacker-controlled C2.

When it was first discovered, Danabot was distributed using malicious Word documents embedded within malicious macros. When the user downloaded the Word document and enabled macros, a PowerShell script was executed in the background that downloaded DanaBot. However, at the time, the trojan was still under active development and is believed to have been distributed only by a single threat actor.

DanaBot’s expanding impact

Danabot was first discovered targeting Australian users in a malspam campaign. The malware authors initially focused on users from Australia by checking the users’ IP addresses. The malware’s command and control server first verified the affected system’s IP address and delivered the trojan, only if it was located in Australia.

Since then, Danabot operators have expanded their target surface and recent spam campaigns are now distributing the malware to multiple Europen countries, particularly Austria, Germany, Italy, Poland, and Ukraine.

The latest research shows that a new campaign is targeting the United States and North American banks as well. According to security researcher TomasP, the U.S. based targets in this new DanaBot campaign include the Bank of America, Wells Fargo, TD Bank, Royal Bank, and JP Morgan Chase.

Since its discovery, DanaBot’s authors have continued to market the malware to target other regions using various campaigns and ID’s found in server communications.

Delivery analysis of DanaBot

The malware is generally distributed via emails containing links to malicious Word documents. The malspam emails used in Australia had a message subject that read, “Your E-Toll account statement” and contained URL’s that redirected victims to Microsoft Word documents hosted on another site. The Word documents also contained malicious macros that, if enabled, downloaded DanaBot using a PowerShell command. The word documents contained stolen brandings used for social engineering baits and claimed to be protected by a security vendor.

Later, ESET researchers spotted the malware targeting a Polish firm, using malspam emails posing as invoices from various companies. The malware was also found to using a combination of PowerShell and VBS scripts known as Brushaloader. Since then, the trojan continued to expand its operations into Italy, Germany, Austria, and Ukraine by drastically upgrading plug-ins, using which, the malware’s authors equipped the malware with unique features.

In its most recent campaign, that targets US and North American users, the malspam emails contain the subject message: “This is eFax Notice”. The emails state that the recipient received a fax and prompts the user to download them. However, the downloaded Word documents contain macros, which when opened, instruct users to click on the “Enable Content” button to properly view it. This enables macros which download and installs Hancitor, which later downloads DanaBot.

What makes DanaBot different?

Given its multistage infection chain and modular architecture, Danabot comprises of multiple components - mostly dynamic-link libraries (DLL) - to perform most of its functions. Researchers have listed various plugins used by the trojan.

  • VNC plug-in: Helps the attacker establish a connection with a targeted computer and remotely control it.
  • Sniffer plug-in: Inserts malicious script files into a victim’s browser, usually while he/she is visiting banking websites.
  • Stealer plug-in: Obtains credentials from applications (browsers, web-facing applications, email applications etc.)
  • TOR plug-in: Installs a TOR proxy and enables access to .onion websites.
  • RDP plug-in: The Remote Desktop Protocol (RDP) helps users to remotely connect to Windows computer. However, DanaBot’s operators use this module to connect with a targeted system in a stealthier way, while the victim still continues using the computer.

Apart from these features, the malware’s stealthy nature poses a high risk for victims. In fact, DanaBot’s stealth technique has recently been used by various botnets and other information stealer malware as well. This function allows the malware to carry out data exfiltration while simultaneously hiding its other components and functionalities.

Securing against DanaBot

Although DanaBot is now considered to be a highly stealthy and advanced banking malware, there are a few security measures users can implement to stay safe from DanaBot attacks. Here is a list of steps that users can take to avoid falling victim to the banking malware:

  • Secure remote access functionalities such as remote desktop protocol.
  • Enable multi-factor authentication when accessing banking applications.
  • Be highly caution while downloading Word documents from emails sent by unknown sources.
  • Implement an additional layer of security for blocking installations of unknown executables or applications.
  • Monitor network traffic for suspicious activities, such as C&C communications and irregular network data spikes
Cyware Publisher