DanaBot Malware – Another Banking Trojan Delivered Through FTP Links

Over the past few years, we have witnessed a concerning increase in the frequency of phishing and malware attacks. This year, too, we saw several banking Trojans return with robust features. After damaging banking Trojans such as Exobot, MysteryBot, Anubis, and Kronos, DanaBot malware has now appeared, and it is after your money.

Phishing Campaign Delivering DanaBot Malware Attacks Aussies

A couple of weeks ago, DanaBot appeared in a robust phishing scam specifically targeting Australians. The spam emails appeared to be forwarded from MYOB – a software company in Australia providing business software to various SMBs.

These emails appeared as invoices from MYOB. Upon clicking the link in an email, users reach a compromised FTP server hosting the DanaBot malware. The technique emerged as a robust phishing scam targeting various businesses, particularly in Australia. Researchers from Trustwave identified DanaBot’s association with this phishing campaign. Explaining the phishing attack, the researchers state in their blog,

“We recently observed phishing emails targeting Australian customers with fake MYOB invoices. Instead of the usual HTTP links, these emails were ridden with FTP links pointing to compromised FTP servers. While most of the links to FTP sites are Australian domains, not all are. The FTP links were pointing to a zipped archive. This zipped archive contained a JavaScript that on execution downloads the DanaBot malware.”

DanaBot malware was first discovered by Proofpoint in May 2018, after the researchers noticed the massive phishing campaign targeting Australians. Later on, Trustwave researchers also posted a detailed analysis of the malware after observing the scam. It appears the phishing campaign is growing in the region over time, alongside improvements in the DanaBot Trojan.

Quick Overview Of DanaBot Banking Trojan

For the recent campaign, the DanaBot Trojan, written in Delphi, comprised three main components: the DanaBot Dropper (TempVBH56.exe), the DanaBot Downloader (091A4F71.dll), and the DanaBot Master DLL (6AD4B832.dll). Regarding how these work after the user gets to the compromised FTP server, Trustwave states,

“The compromised FTP links point to a zipped archive (in this case 0987365299308858885968.zip), which gets downloaded onto the victim’s computer upon clicking the invoice link. This zipped archive contains a JavaScript (JS) downloader. This JS requires the user to double-click to execute it. This launches a PowerShell command that would download the (DanaBot) malware binary “TempVBH56.exe”, from the URL “hxxp://buy.biomixers[.]org/ZslSywnaWJ.php” and execute it silently on the system.”

After that, the dropper file “TempVBH56.exe” executes the downloader, which then executes the DanaBot Master in a cascade. The DanaBot Master then downloads an encrypted file that contains various modules and configuration files, and decrypts it.

“The filenames of the DLLs extracted from the encrypted file reveal the true intention of the attackers. In essence, these DLLs enable the attacker to create and control a remote host via VNC, steal private and sensitive information and use covert channels via Tor.”

Besides giving the attacker access to the infected device, DanaBot can also send screenshots of the machine to the C&C.

At the moment, the malware seems restricted to Australia. However, nobody knows when this malware will begin targeting users in other parts of the world. Users, particularly SMBs, need to remain wary of these phishing scams and avoid clicking on any emails unless they are sure of the senders.
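The delivery chain Trustwave describes (an FTP link in the email that points to a zipped archive holding a JavaScript file) can be checked for during mail triage. The Python below is an added example, not code from Trustwave or from this article; the sample message, the host `ftp.example.com`, the extension lists and the function names are constructed assumptions.

```python
import io
import re
import zipfile
from email import message_from_string
from urllib.parse import urlparse

ARCHIVE_EXT = (".zip", ".rar", ".7z")                 # assumed list of archive types
SCRIPT_EXT = (".js", ".jse", ".vbs", ".wsf", ".hta")  # assumed list of script types
URL_RE = re.compile(r"""\b(?:ftp|https?)://[^\s"'<>]+""", re.IGNORECASE)

def ftp_archive_links(raw_email):
    """Return FTP URLs found in any text part whose path ends in an archive extension."""
    hits = set()
    for part in message_from_string(raw_email).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            parsed = urlparse(url.rstrip(".,;)"))
            if parsed.scheme.lower() == "ftp" and parsed.path.lower().endswith(ARCHIVE_EXT):
                hits.add(parsed.geturl())
    return sorted(hits)

def script_members(zip_bytes):
    """Return names of script files inside a zip archive, without extracting them."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXT)]

# Constructed sample message; ftp.example.com is a placeholder host.
SAMPLE_EMAIL = """\
From: billing@example.com
Subject: Invoice
Content-Type: text/html; charset="utf-8"

<html><body><a href="ftp://ftp.example.com/docs/invoice_0001.zip">View invoice</a>
<a href="https://example.com/help">Help</a></body></html>
"""

def sample_zip():
    """Build a constructed in-memory archive holding one harmless .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_0001.js", "// constructed placeholder, no payload")
        zf.writestr("readme.txt", "constructed")
    return buf.getvalue()

if __name__ == "__main__":
    print(ftp_archive_links(SAMPLE_EMAIL), script_members(sample_zip()))
```

Either signal alone is weak; an FTP archive link in an invoice-themed email combined with a script file inside the archive is the pattern worth quarantining for review.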
