Security researchers at Proofpoint recently uncovered new DanaBot campaigns. The malware has been adopted by threat actors targeting Europe and North America. Previous targets included Australian organizations. Currently, DanaBot is set against financial organizations in the United States.
DanaBot campaigns have also been detected by ESET researchers against countries such as Poland, Italy, Germany, and Austria. At the end of September, a threat actor that typically targets the United States with daily campaigns distributing the Panda banking Trojan switched to delivering DanaBot for a day, Proofpoint revealed.
On September 26, Proofpoint researchers observed a campaign with hundreds of thousands of email messages targeting US recipients. The emails used an eFax lure and contained a URL linking to the download of a document containing malicious macros. The macros, if enabled by the user, executed the embedded Hancitor malware, which, in turn, received tasks to download two versions of Pony stealer and the DanaBot banking malware.
More about DanaBot
The DanaBot Trojan was first detected in May 2018. Samples continue to spread to users worldwide, and the attackers keep varying the strategies they use to distribute it.
One of the primary distribution techniques has been spam email. The messages rely on social engineering: they are built with branding and layout elements copied from well-known companies, so recipients believe they have received a legitimate notification or a password reset link. Interacting with those elements may download and execute the DanaBot Trojan file directly, or prompt the user to follow “instructions” that ultimately lead to its installation.
DanaBot has been found to contain a modular engine that can be customized according to the intended targets. It follows a multi-stage infection pattern: after the initial infection, a series of scripts is called that downloads the main engine.
One of the first actions performed is starting an information-gathering component that harvests personal data from the infected system.
Researchers determined that DanaBot is composed of three components:
- Loader: downloads and loads main component
- Main component: downloads, configures, and loads modules
- Modules: various malware functionality
The malware also includes a significant amount of junk code, including extra instructions, conditional statements, and loops, Proofpoint said. Combined with the use of Delphi, these features dramatically impair reverse engineering. On top of that, DanaBot also uses Windows API function hashing and encrypted strings to prevent analysts and automated tools from easily discovering the code’s true purpose.
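As an added illustration (not DanaBot's own code, which this page does not disclose), the following shows why API function hashing hides import names from analysts and tools, and how an analyst counters it by precomputing a hash-to-name table from DLL export lists. The ROR-13 routine and the short export list are assumptions standing in for the real algorithm and real export tables.

```python
"""Added example: Windows API function hashing and how an analyst resolves it.

Assumptions: DanaBot's real hash routine is not given on the page, so a
common ROR-13 hash (used by many loaders) stands in for it. SAMPLE_EXPORTS
is a constructed list; a real analysis would parse the export tables of
kernel32.dll, ntdll.dll, wininet.dll, etc."""

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str) -> int:
    """ROR-13 hash over the ASCII bytes of an export name (assumed algorithm).
    A binary that hashes its imports stores only this 32-bit value, so the
    string 'VirtualAlloc' never appears in the file for a strings scan."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed sample of exports an analyst might pull from DLL export tables.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "InternetOpenA", "CreateRemoteThread",
]


def build_lookup(names) -> dict:
    """Precompute hash -> name so hashes found in a sample can be resolved."""
    return {api_hash(n): n for n in names}


def resolve(hashes, lookup) -> dict:
    """Map each hash recovered from a binary to an API name, or None if unknown."""
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    # Hashes as they might be pulled out of a disassembly (one is unknown).
    found = [api_hash("VirtualAlloc"), api_hash("GetProcAddress"), 0xDEADBEEF]
    for h, name in resolve(found, table).items():
        print(f"{h:08x} -> {name or 'unresolved'}")
```

If the candidate algorithm is wrong, nothing resolves; trying several common rotate-and-add variants against the same export list is the usual way an analyst identifies which one a sample uses.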