DanaBot Banking Trojan’s Journey to North America
DanaBot, a banking trojan, is now wreaking havoc in North America. According to Proofpoint, a cybersecurity firm, it first appeared in May 2018 in campaigns targeting Australian corporations, and at the time the firm predicted that it would reach North America within months. That prediction has held, and propagation has accelerated: DanaBot is now being delivered by phishing emails aimed at recipients in the U.S.
DanaBot is an advanced banking trojan written in Delphi. It has three main components: a loader, a main program, and extension modules. The malware still appears to be under active development by its authors; it contains code that is not yet operational, such as unused loops and conditional statements. DanaBot is Windows-specific and cannot infect a Linux or macOS machine, as it relies on documented Windows APIs for its hashing and encryption routines.
“When we first discovered DanaBot, we predicted that it would likely be picked up by other actors. Distribution of this malware has now extended well beyond Australia, with campaigns targeting Poland, Italy, Germany, Austria, and, more recently, the United States. DanaBot is a banking Trojan, meaning that it is necessarily geo-targeted to a degree. Adoption by high-volume actors, though, as we saw in the US campaign, suggests active development, geographic expansion, and ongoing threat actor interest in the malware. The malware itself contains a number of anti-analysis features, as well as updated stealer and remote control modules, further increasing its attractiveness and utility to threat actors,” explained Brica.de, a business risk intelligence and cybersecurity company.
The phishing that delivers DanaBot is deceptive: the lure is an innocent-looking link inside an innocent-looking email. The criminals have even gone to the trouble of registering domains that resemble the names of legitimate websites. Once installed, the trojan is heavily dependent on its command and control (C&C) servers, which direct its traffic and overall behaviour.
“DanaBot uses a loader to download its main component from a C&C server. The main component contains a list of 10 hardcoded C&C IP addresses that are used for malware communications. Our first observation was that the hardcoded C&C lists changed approximately every hour when a main component was downloaded. We downloaded the main component in hourly intervals for 24 hours and analyzed the C&C lists. Each sample’s list turned out to be different. Overall we ended up with 240 IP addresses with 194 (80%) of them being unique,” explained Proofpoint.
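Proofpoint's hourly collection above amounts to an aggregation exercise that analysts repeat for many malware families: carve the hardcoded C&C list from each sample, pool the lists, and see which addresses recur. The Python below is an added example, not Proofpoint's or DanaBot's own code, that does this over constructed stand-in samples. The sample data is constructed to reproduce Proofpoint's counts (240 addresses, 194 unique); the two addresses that appear in every list, the use of RFC 5737 documentation-range addresses, the assumption that the addresses are stored as plain ASCII, and all function names are illustrative assumptions, not facts reported about DanaBot.

```python
import ipaddress
import re
from collections import Counter

# Matches dotted-quad candidates in raw bytes; validity is checked separately so
# that strings such as 999.1.2.3 are discarded rather than treated as C2 hosts.
IPV4_CANDIDATE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

# Constructed assumption: two addresses appear in every hourly list, the rest
# rotate. Proofpoint reports only the aggregate counts (240 seen, 194 unique);
# which addresses, if any, persisted is not stated, so these are stand-ins drawn
# from the RFC 5737 documentation ranges.
PERSISTENT_C2 = ["192.0.2.10", "198.51.100.20"]


def extract_ipv4(blob: bytes) -> list[str]:
    """Carve distinct, valid IPv4 addresses from a sample, preserving order.

    Assumes the addresses are stored as plain ASCII; a real sample may hold them
    encoded, in which case decoding would have to happen before this step.
    """
    seen: list[str] = []
    for match in IPV4_CANDIDATE.findall(blob):
        text = match.decode("ascii")
        try:
            ipaddress.IPv4Address(text)
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255: not an address, skip it
        if text not in seen:
            seen.append(text)
    return seen


def build_samples(hours: int = 24, list_size: int = 10) -> list[bytes]:
    """Constructed stand-ins for 24 hourly pulls of the main component.

    Each blob embeds list_size addresses among non-numeric filler bytes plus one
    bogus dotted quad in the trailing padding to exercise the validation step.
    """
    rotating = list_size - len(PERSISTENT_C2)
    samples = []
    for hour in range(hours):
        ips = list(PERSISTENT_C2)
        for k in range(rotating):
            ips.append(f"203.0.113.{hour * rotating + k}")
        body = b"\x00".join(ip.encode("ascii") for ip in ips)
        samples.append(b"MZ\x90\x00filler\x00" + body + b"\x00padding\x00999.1.2.3\xff")
    return samples


def summarize(samples: list[bytes]) -> dict:
    """Aggregate per-sample C2 lists the way the hourly collection describes.

    Returns the raw total, the unique count and percentage, and the addresses
    ranked by how many hourly lists they appeared in: an address present in
    every pull is a far more durable indicator than one seen once.
    """
    per_sample = [extract_ipv4(blob) for blob in samples]
    counts: Counter[str] = Counter()
    for ips in per_sample:
        counts.update(ips)
    total = sum(len(ips) for ips in per_sample)
    unique = len(counts)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    persistent = sorted(ip for ip, n in counts.items() if n == len(per_sample))
    return {
        "total": total,
        "unique": unique,
        "unique_pct": round(100.0 * unique / total, 1) if total else 0.0,
        "ranked": ranked,
        "persistent": persistent,
    }


if __name__ == "__main__":
    report = summarize(build_samples())
    print(f"{report['total']} addresses collected, {report['unique']} unique "
          f"({report['unique_pct']}%)")
    for ip, n in report["ranked"][:5]:
        print(f"{ip:<16} seen in {n}/24 hourly lists")
```

The ranking is the point of the exercise: a list that rotates every hour makes a one-off IP blocklist stale almost immediately, so the addresses that recur across pulls, and the netblocks they cluster in, are the indicators worth prioritising. The unique-versus-total ratio is also a quick measure of how little of the infrastructure any single sample reveals.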
Until all of its command and control servers are shut down for good, DanaBot is expected to keep spreading beyond North America. Infections are now being reported in European nations and in other territories that were previously unaffected. “Distribution of this malware has now extended well beyond Australia, with campaigns targeting Poland, Italy, Germany, Austria, and, more recently, the United States. DanaBot is a banking Trojan, meaning that it is necessarily geo-targeted to a degree. Adoption by high-volume actors, though, as we saw in the US campaign, suggests active development, geographic expansion, and ongoing threat actor interest in the malware,” concluded Proofpoint.