- DanaBot campaign makes use of compromised FTP servers.
- DanaBot is a multi-stage, multi-component and stealthy banking malware.
A new campaign targeting entities in Australia with the DanaBot banking Trojan has been discovered by security researchers. DanaBot is a multi-stage and multipurpose malware. The campaign uses phishing emails that contain fake MYOB invoices to trick victims into downloading the stealthy banking malware.
According to security researchers at Trustwave, who discovered the new DanaBot campaign, the hackers made use of a compromised FTP server of an Australian company.
“The DanaBot malware seems to be hosted on a domain that has been configured with round robin DNS and thus resolves to multiple IPs that are used to rotate and load balance the traffic and point them to the attacker controlled infrastructure,” Trustwave researchers wrote in a blog post.
DanaBot has three main components: the dropper, the downloader, and the master DLL. These components allow attackers to create and control a remote host, which in turn can help them steal victims’ sensitive and private information using covert Tor channels.
The malware is also capable of sending the infected system’s information and screenshots of the desktop to the C2 server.
“In this campaign the attackers sent targeted phishing emails in the form of fake MYOB invoice messages with invoice links pointing to compromised FTP servers hosting the DanaBot malware,” Trustwave researchers said. “The infrastructure supporting the malware is designed to be flexible while the malware is designed to be modular with functionality spread across multiple components that are heavily encrypted.”
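A mail-filtering check for the lure described above, added here as an example and not taken from Trustwave or the original article: it parses a message, collects link targets, and reports `ftp://` links in invoice-themed mail. The keyword list, the function name `ftp_invoice_links` and the sample message (sender, host, file name) are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lure keywords; tune to the mail you actually see.
INVOICE_WORDS = re.compile(r"\b(invoice|payment|statement|overdue)\b", re.I)
URL_RE = re.compile(r"\b(?:ftp|https?)://[^\s<>\"']+", re.I)

# Constructed sample message (hypothetical sender, host and file name).
SAMPLE = """\
From: accounts@sender.example
To: user@recipient.example
Subject: Invoice INV-0001 from Example Pty Ltd
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your invoice is ready.</p>
<a href="ftp://files.example.invalid/INV-0001.zip">View Invoice</a></body></html>
"""

class _Hrefs(HTMLParser):
    """Collect href values of <a> tags, whatever the visible link text says."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def ftp_invoice_links(raw_email):
    """Return sorted FTP URLs found in an invoice-themed message, else []."""
    msg = message_from_string(raw_email, policy=policy.default)
    urls, text = set(), str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        body = part.get_content()
        text += "\n" + body
        if part.get_content_subtype() == "html":
            parser = _Hrefs()
            parser.feed(body)
            urls.update(parser.hrefs)
        urls.update(URL_RE.findall(body))  # bare URLs in plain text or HTML
    if not INVOICE_WORDS.search(text):
        return []
    return sorted({u.rstrip(".,;)") for u in urls
                   if urlsplit(u).scheme.lower() == "ftp"})
```

Legitimate invoicing services rarely deliver documents over FTP, so a hit is a reasonable trigger for quarantine or analyst review rather than proof of compromise.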