Security experts at ESET have observed a large surge in DanaBot banking Trojan activity as the malware's operators expand their targeting to Poland, Italy, Germany and Austria. DanaBot was first spotted earlier this year as a multi-stage banking trojan written in Delphi.
The malware lets its operators add new features simply by adding new plug-ins; some of these plug-ins were already used in the attacks on Australian banks in May 2018.
What are the plugins?
- VNC plug-in – establishes a connection to a victim's computer and controls it remotely
- Sniffer plug-in – injects malicious scripts into a victim's browser, typically while the victim visits internet banking sites
- Stealer plug-in – harvests passwords from a wide variety of applications (browsers, FTP clients, VPN clients, chat and email programs, poker programs, etc.)
- TOR plug-in – installs a TOR proxy and enables access to .onion websites
The threat has been under active development by the group, according to a report from security researchers at Proofpoint. While the banking trojan initially targeted Australia, its operators have expanded their operations to other nations, including Italy, Germany and Austria, as of September 2018.
Which nation was mainly targeted by DanaBot?
The campaign targeting Poland is still ongoing: it continues to send out large volumes of spam messages that aim to compromise victims using the Brishloader technique, which combines PowerShell and VBS scripts.
“Further to this development, on September 8, 2018, ESET discovered a new DanaBot campaign targeting Ukrainian users.” reads the analysis published by ESET.
Attackers have introduced several changes to the DanaBot plug-ins since the previously reported campaigns: a 64-bit build of the stealer plug-in has been compiled since August 25, 2018, and the authors have added an RDP plug-in built on the open-source project RDPWrap. The threat actors chose RDP because it is less likely to be blocked by firewalls than the protocols used by the other remote-control plug-ins.
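RDPWrap works by pointing the Terminal Services service at its own DLL instead of the Windows termsrv.dll, so a defender can check for that redirection on a host. The following PowerShell script is an added example written for this article; it is not ESET's, Proofpoint's, or the RDPWrap project's code. It assumes only the standard registry locations used by the TermService service and the documented RDPWrap install path, and it reports indicators rather than changing anything.

```powershell
# Added example: audit a Windows host for signs that Terminal Services has been
# redirected to a third-party DLL (the mechanism RDPWrap uses) and that RDP has
# been switched on. Read-only: it only gathers and reports indicators.

function Get-RdpWrapIndicators {
    $termSvcParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $termServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Windows' own service DLL for Terminal Services.
    $expectedDll = Join-Path $env:SystemRoot 'System32\termsrv.dll'

    # ServiceDll tells svchost which DLL hosts the TermService service.
    $serviceDll = (Get-ItemProperty -Path $termSvcParams -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $expandedDll = if ($serviceDll) { [Environment]::ExpandEnvironmentVariables($serviceDll) } else { $null }

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $denyTs = (Get-ItemProperty -Path $termServerKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # Default install location used by the RDPWrap project (assumption: a
    # custom build may use a different path, so this is a weak indicator alone).
    $rdpWrapDefault = Join-Path ${env:ProgramFiles} 'RDP Wrapper\rdpwrap.dll'

    # Is anything listening on the default RDP port right now?
    $rdpListener = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue

    $dllRedirected = $expandedDll -and ($expandedDll -ne $expectedDll)

    [PSCustomObject]@{
        ComputerName       = $env:COMPUTERNAME
        ServiceDll         = $expandedDll
        ServiceDllRedirect = [bool]$dllRedirected
        # Only meaningful when redirected; shows whether the DLL is signed by Microsoft.
        ServiceDllSigner   = if ($dllRedirected -and (Test-Path $expandedDll)) {
                                 (Get-AuthenticodeSignature $expandedDll).SignerCertificate.Subject
                             } else { $null }
        RdpWrapFilePresent = Test-Path $rdpWrapDefault
        RdpConnectionsAllowed = ($denyTs -eq 0)
        RdpPortListening   = [bool]$rdpListener
        Suspicious         = [bool]($dllRedirected -or (Test-Path $rdpWrapDefault))
    }
}

# Run locally and print the findings; pipe to Export-Csv when collecting from many hosts.
$result = Get-RdpWrapIndicators
$result | Format-List
if ($result.Suspicious) {
    Write-Warning "TermService is not using the Windows termsrv.dll or an RDPWrap file is present; review this host."
}
```

The ServiceDll redirection is the strongest signal here: legitimate Windows installs point TermService at termsrv.dll, and a different, unsigned DLL in that value is worth an incident ticket regardless of whether RDP is currently enabled. The file-path check is kept only as a secondary hint, because an attacker-bundled copy can sit anywhere.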
"The new features introduced in these latest campaigns indicate the attackers behind DanaBot continue to make use of the malware's modular architecture to increase their reach and success rate," concludes ESET.