Story image

DanaBot banking Trojan: How to protect your organisation

05 Dec 2018

Article by Proofpoint Asia-Pacific and Japan vice president Tim Bentley

After nearly two years of relentless, high-volume ransomware campaigns, threat actors appear to be favouring less noisy malware such as banking Trojans and information stealers.

Proofpoint research shows that 90% of businesses were targeted by email fraud campaigns in the first quarter of 2018, and banking Trojans now make up almost 60% of malicious payloads observed in email.

Proofpoint first discovered local banking Trojan DanaBot in May this year, targeting users in Australia via emails containing malicious URLs.

DanaBot is a Trojan written in the Delphi programming language, that includes banking site web injections and stealer functions such as detailed system information and screenshots of the user’s desktop.

Originating in Australia, spreading globally

DanaBot began as an email campaign claiming to be from the NSW Roads and Maritime Services. The messages used the subject "Your E-Toll account statement" and contained URLs redirecting to documents hosted on another site, containing a macro that downloaded DanaBot if enabled. 

DanaBot is the latest example of malware focused on persistence and stealing useful information that can later be monetised rather than demanding an immediate ransom from victims.

The social engineering in the low-volume DanaBot campaigns observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats.

As a banking Trojan, DanaBot was geo-targeted… to a degree.

When Proofpoint first reported on this threat in May, the Trojan was spread by a single threat actor.

However, based on previous behaviour, it was predicted that there was potential for this malware campaign to spread to other regions.

Today, we’re seeing DanaBot campaigns targeting users in Poland, Italy, Germany, Austria and the United States, increasing its footprint and taking advantage of its extensive anti-analysis features.

There have also been several additional campaigns since May targeting Australian users.

Unique behaviour enables widespread attacks

While there isn’t specific visibility into DanaBot’s back-end infrastructure, there are some noteworthy behaviour that allows some speculation.

Firstly, DanaBot includes a significant amount of junk code including extra instructions, conditional statements, and loops.

When combined with the use of Delphi, these features dramatically impair reverse engineering.

In addition, DanaBot uses Windows API function hashing and encrypted strings to prevent analysts and automated tools from easily determining the code’s purpose.

Secondly, based on distribution methods and targeting, DanaBot may be set up as a “malware-as-a-service” system.

This means one threat actor creates the banking Trojan and then sells access to other threat actors on the black market, who distribute and target DanaBot as they see fit.

The adoption of this banking Trojan by high-volume actors, suggests active development, geographic expansion, and ongoing threat actor interest in the malware.

Finally, DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.

Protecting your organisation

There are three steps your business should take to protect itself against DanaBot and other banking Trojan vulnerabilities:

  1. The first is to educate employees. Human touch is one of the leading security risks for any organisation. By training employees on ways to identify suspicious emails, as well as providing regular communication on the current threat landscape, you immediately strengthen your security gate at its most vulnerable point.  
  2. Protect your identity and control who contacts you. By implementing tools such as DMARC (Domain-based Message Authentication, Reporting and Conformance) authorisation, you receive visibility into all email coming into and going out of your organisation. With this visibility, you can authorise all legitimate senders trying to send email on your behalf—and block any malicious email spoofing your trusted domains or those of your suppliers.  
  3. Update your IT systems, make sure you have the latest in email monitoring and protection in place, and ensure you’ve implemented two-factor authentication where possible.
ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.
Forrester names Trend Micro Leader in email security
TrendMicro earned the highest score for technology leadership, deployment options and cloud integration.
LogRhythm releases cloud-based SIEM solution
LogRhythm Cloud provides the same feature set and user experience as its on-prem experience.