
DanaBot

Posted: June 5, 2018


DanaBot is a banking Trojan that conducts covert attacks to collect information, especially login credentials for your online accounts and financial activities. Its current distribution campaign uses fake e-mail invoices to install it, after which DanaBot runs without any visible symptoms. You can protect yourself by keeping updated anti-malware products available to delete DanaBot automatically, and you should always change all compromised passwords after disinfecting your PC.

The Bill with a Much Higher Cost than Anticipated

The experienced threat actor TA547 is running a campaign against business-sector customers of MYOB, using a custom banking Trojan that malware experts have yet to see in use elsewhere. Since this threat actor is known for using rental-model Trojans and related threats, this series of attacks employing DanaBot may be the first of several run through other operators. DanaBot's features, like those of most banking Trojans, are flexible and stealth-oriented, thanks to its modular and heavily-obfuscated design.

Its only verified attacks, according to malware experts' latest analyses, arrive via e-mail messages forging MYOB invoices, with corrupted macros embedded in Word documents performing the actual file download. The document is formatted with fake security credentials to trick the victim into running the macro, and an IP-based filter prevents the payload from triggering on PCs outside Australia. Another variant of this attack instead uses links to malicious JavaScript to accomplish the same end.

DanaBot uses AES and RSA encryption, not to lock any files, but to protect its components from being identified as unsafe by various threat-detection heuristics. Malware researchers note the following features of its modules as the central security risks to infected Windows PCs:

  • Besides targeting the user's general Web-browsing history, DanaBot's 'stealer' module also collects the credentials for applications such as Outlook, Windows Live Mail, Trillian, Miranda, FileZilla, SmartFTP and others.
  • A 'sniffer' module also monitors any network traffic associated with the domains in DanaBot's whitelist, which lets it intercept information as the user inputs it, such as login passwords.
  • Several other modules are cryptocurrency-based and may monitor the use of Bitcoin and related currencies for possible hijacking of payments or for mining purposes.

Canceling a Criminal's Invoice

DanaBot includes a Command & Control infrastructure that is semi-configurable and may rotate through different domains to maintain a consistent connection to the threat actor's admin controls. Its modularity also allows for adjusting which attacks its payload includes, although malware analysts have yet to see any starkly-diverging variations of this banking Trojan. Like those of other spyware-style threats, the symptoms of DanaBot infections are incidental and typically too negligible to alert the victims.

The continued use of Word macros in threat-downloading attacks should be kept in mind whenever a user interacts with Word documents from unverifiable sources. Disabling macros by default, and analyzing all downloads with appropriate security tools, can eliminate many of the infection strategies used by banking Trojans, file-locking Trojans and other threat campaigns. Dedicated anti-malware tools also should uninstall DanaBot safely from any already-compromised systems.
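The delivery described above (a forged invoice carrying a macro-bearing Word document) and the mitigation just given (analyze downloads before they reach the user) can be put together in a mail-gateway check. The following is an added example written for this page, not code from the original article or from any analysis of DanaBot: it inspects a Word attachment by content rather than by extension, flags OOXML packages that carry a VBA project part, and applies a labelled heuristic to legacy OLE files. The `build_sample_*` helpers construct fake attachments for testing; the "VBA" part they embed is placeholder bytes, not a real macro.

```python
"""Gateway-side check for Word attachments carrying VBA macros (added example)."""
import io
import zipfile

# Compound File Binary (legacy .doc) signature, and the OOXML part name and
# content type that Office uses for an embedded VBA project.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_PART = "word/vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaproject"
# OLE directory entry names are stored as UTF-16LE; "Macros" is the storage
# Word uses for a VBA project, so its presence in the raw bytes is a strong hint.
OLE_MACROS_NAME = "Macros".encode("utf-16-le")


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML (.docx/.docm) package carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower() == VBA_PART for n in names):
                return True
            for n in names:
                if n.lower() == "[content_types].xml":
                    types = z.read(n).decode("utf-8", "replace").lower()
                    return VBA_CONTENT_TYPE in types
    except zipfile.BadZipFile:
        pass
    return False


def classify_word_attachment(data: bytes) -> str:
    """Classify an attachment by what it actually contains, not by its extension."""
    if data.startswith(b"PK\x03\x04"):
        return "ooxml-macro" if ooxml_has_vba(data) else "ooxml-clean"
    if data.startswith(OLE_MAGIC):
        # Heuristic only: without parsing the OLE directory (e.g. with the
        # olefile library) the name scan can miss or misfire, so absence of the
        # marker is reported as "unverified", never as "clean".
        return "ole-macro-suspect" if OLE_MACROS_NAME in data else "ole-unverified"
    return "not-word"


def gateway_verdict(filename: str, data: bytes) -> str:
    """Quarantine any Word attachment that carries, or likely carries, VBA."""
    kind = classify_word_attachment(data)
    if kind in ("ooxml-macro", "ole-macro-suspect"):
        return "quarantine"
    # A mismatch between extension and real format (a ".docx" that is really an
    # OLE file, or a ".doc" that is not OLE at all) is itself worth a closer look.
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in ("docx", "docm", "dotm") and not kind.startswith("ooxml"):
        return "quarantine"
    if ext == "doc" and not kind.startswith("ole"):
        return "quarantine"
    return "deliver"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed OOXML package for testing; the VBA part is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        overrides = ['<Override PartName="/word/document.xml" ContentType="application/'
                     'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
        if with_macro:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + "".join(overrides) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder standing in for a VBA project")
    return buf.getvalue()


def build_sample_ole(with_macro: bool) -> bytes:
    """Constructed stand-in for a legacy .doc: signature, padding, optional 'Macros' name."""
    return OLE_MAGIC + b"\x00" * 504 + (OLE_MACROS_NAME if with_macro else b"")


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample_docx(True)),
        ("invoice.docx", build_sample_docx(False)),
        ("invoice.doc", build_sample_ole(True)),
        ("invoice.docx", build_sample_ole(False)),  # extension/format mismatch
    ]
    for name, blob in samples:
        print(f"{name:14} {classify_word_attachment(blob):18} {gateway_verdict(name, blob)}")
```

The OOXML check is conclusive because a macro-enabled package must declare the `vbaProject` part; the OLE check is not, which is why the code reports "unverified" rather than "clean" and why a production gateway should parse the OLE directory properly (the `olefile` library does this) and, per the article, leave macros disabled on the endpoint regardless of the gateway's verdict.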

It's telling that even sophisticated spyware attacks continue to rely on well-known tactics like invoices from financial institutions. MYOB customers may be the current targets of DanaBot's information theft, but the same social engineering tricks are just as profitable against inexperienced and careless PC users throughout the world.
