DanaBot banking malware now sports new features and is targeting Europe

• DanaBot is a modular banking malware and has recently shifted its target base from Australia to European nations.
• New DanaBot campaigns have recently cropped up in Italy, Germany, Austria, and Ukraine.

A new DanaBot banking malware campaign has been discovered targeting European nations. The modular malware has also been upgraded with new features, indicating that the malware’s operators are expanding operations. New DanaBot campaigns have recently cropped up in Italy, Germany, Austria, and Ukraine.

According to security researchers at ESET, who discovered the new banking malware campaign, DanaBot is written in Delphi and is a multi-component trojan. DanaBot’s campaign against Polish victims is still ongoing and is currently the largest DanaBot campaign.

“At the beginning of September, ESET researchers discovered several smaller campaigns targeting banks in Italy, Germany and Austria, using the same distribution method as observed in the Polish campaign. Further to this development, on September 8, 2018, ESET discovered a new DanaBot campaign targeting Ukrainian users,” ESET researchers wrote in a blog.

DanaBot new features

ESET researchers discovered that since May 2018, DanaBot’s operators have added several additional features such as a VNC plugin that remotely controls victims’ computer by connecting to it, and a sniffer plugin that injects malicious scripts into victims’ browser when visiting banking sites.

The malware was also added with a stealer plugin that gathers credentials from browsers, FTP clients, VPN clients, chat and email programs and more. Lastly, DanaBot now also has the Tor plugin that installs a Tor proxy and enables access to .onion websites.

“ In the beginning of September 2018, an RDP plug-in was added to DanaBot. It is based on the open-source project RDPWrap that provides Remote Desktop Protocol connections to Windows machines that normally do not support it,” ESET researchers said. “There could be several reasons why the DanaBot developers added another plug-in that enables remote access besides the VNC plug-in: First, the RDP protocol is less likely to be blocked by firewalls. Second, RDPWrap allows several users to use the same machine concurrently, enabling attackers to perform reconnaissance operations while the unsuspecting victim is still using the machine.”

ESET researchers said that DanaBot is still testing new ground across Europe. The new features added to DanaBot are designed to boost the banking malware’s infection rate and its reach. It is likely that the cybercriminals will continue experimenting and diversifying to target more victims and steal more funds.