• The DanaBot campaign makes use of compromised FTP servers.
• DanaBot is a multi-stage, multi-component and stealthy banking malware.

A new campaign targeting entities in Australia with the DanaBot banking Trojan has been discovered by security researchers. DanaBot is a multi-stage and multipurpose malware. The campaign makes use of phishing emails that contain fake MYOB invoices, to trick victims into downloading the stealthy banking malware.

Rather than using HTTP links, the phishing emails used FTP links, which indicates that the cybercriminals behind the campaign were likely using compromised FTP servers to host the payload. Each FTP link points to a ZIP archive, which in turn contains a JavaScript file. Once the victim executes the JavaScript, it delivers the DanaBot malware.
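The lure chain just described (invoice-themed mail, an FTP link rather than HTTP, a ZIP archive, a script inside it) can be turned into a simple mail-gateway check. The following is an added example written for this article, not code from Trustwave or from the DanaBot research; the sample email bodies, the hostname files.example.invalid and the in-memory ZIP are constructed for the demonstration, and the extension lists are this example's own choice.

```python
import io
import os
import re
import zipfile
from typing import List
from urllib.parse import urlparse

# Extensions chosen for this example: archives a lure might link to, and
# script types that a mail gateway should not see inside an invoice archive.
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

# Matches http, https and ftp URLs in a plain-text body.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body: str) -> List[str]:
    """Return every http/https/ftp URL found in a plain-text email body."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(body)]


def flag_ftp_archive_links(body: str) -> List[str]:
    """Return the FTP links in an email body whose path ends in an archive.

    HTTP links to archives are common in legitimate mail; an FTP link to a
    .zip in an invoice message is rare enough to be worth flagging on its own.
    """
    hits = []
    for url in extract_urls(body):
        parsed = urlparse(url)
        ext = os.path.splitext(parsed.path)[1].lower()
        if parsed.scheme.lower() == "ftp" and ext in ARCHIVE_EXTS:
            hits.append(url)
    return hits


def scripts_in_archive(data: bytes) -> List[str]:
    """List members of a ZIP archive (given as bytes) with a script extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist()
                if os.path.splitext(name)[1].lower() in SCRIPT_EXTS]


# Constructed sample messages: one mimicking the lure, one benign.
SAMPLE_MAILS = {
    "lure": ("Hi, your MYOB invoice is ready for download: "
             "ftp://files.example.invalid/pub/Invoice_20180914.zip Regards"),
    "benign": ("Your invoice is attached. You can also view it at "
               "https://www.example.invalid/invoices/123."),
}


def build_sample_archive() -> bytes:
    """Build a constructed ZIP holding a harmless placeholder .js member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_20180914.js",
                    "// constructed placeholder for the example, not malware\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, body in SAMPLE_MAILS.items():
        print(label, "->", flag_ftp_archive_links(body) or "no FTP archive link")
    print("scripts in archive:", scripts_in_archive(build_sample_archive()))
```

The two checks are deliberately separate: the link check runs on the message text before anything is fetched, while the archive check is what you would run on the downloaded ZIP in a sandbox, since a script member inside an invoice archive is the second half of the pattern the campaign relies on.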

DanaBot infrastructure

According to security researchers at Trustwave, who discovered the new DanaBot campaign, the hackers made use of a compromised FTP server of an Australian company.

“The DanaBot malware seems to be hosted on a domain that has been configured with round robin DNS and thus resolves to multiple IPs that are used to rotate and load balance the traffic and point them to the attacker controlled infrastructure,” Trustwave researchers wrote in a blog.

DanaBot has three main components: the dropper, the downloader and the master DLL. Together these let the attackers set up and control a remote host, which in turn helps them steal victims' sensitive and private information over covert Tor channels.

The malware is also capable of sending the infected system’s information and screenshots of the desktop to the C2 server.

“In this campaign the attackers sent targeted phishing emails in the form of fake MYOB invoice messages with invoice links pointing to compromised FTP servers hosting the DanaBot malware,” Trustwave researchers said. “The infrastructure supporting the malware is designed to be flexible while the malware is designed to be modular with functionality spread across multiple components that are heavily encrypted.”

Cyware Publisher