The stealthy malware has a multi-stage plugin-based design

Sep 21, 2018 15:03 GMT

The DanaBot banking Trojan, first documented by Proofpoint in May 2018 when it targeted Australia and Poland through malicious URLs, has now moved into Europe, with new e-mail campaigns hitting Italy, Austria, Germany, and Ukraine.

According to an analysis by ESET Research, DanaBot is written in Delphi and has a modular structure that its operators can easily extend with plug-ins.

Before moving to Europe, during the Australian campaigns, DanaBot shipped with four plug-ins. The VNC plug-in allowed the attacker to connect to the victim's machine, while the stealer plug-in automatically collected passwords entered into a wide range of applications.

Furthermore, DanaBot's "Australian"-flavored release came with a sniffer plug-in that injected malicious code into the websites visited by the target to steal sensitive information such as credentials and payment data, and a TOR plug-in that let it reach .onion sites.

The new DanaBot variant adds Remote Desktop Protocol (RDP) connectivity and 64-bit application support

Since moving to Europe, DanaBot's developers have added an RDP plug-in based on the RDPWrap open-source project, which provides Remote Desktop Protocol access on Windows editions that do not support incoming RDP connections natively.
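One endpoint check a defender can run for this technique, as an added example that is not part of the article or of ESET's research: stock RDPWrap works by pointing the TermService service at its own rdpwrap.dll instead of the built-in termsrv.dll via the service's ServiceDll registry value. Whether DanaBot's plug-in installs the wrapper the same way as the public RDPWrap installer is an assumption here, so treat a hit as a lead to investigate, not a verdict (legitimate RDPWrap installs produce the same result). The function name Test-TermServiceDll is made up for this example.

```powershell
# Added example, not code from the article or from ESET. Hunts for an RDP Wrapper
# style ServiceDll hijack of Terminal Services. Assumption: the plug-in installs
# the wrapper the way the public RDPWrap installer does (replacing ServiceDll).
function Test-TermServiceDll {
    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $expected  = Join-Path $env:SystemRoot 'System32\termsrv.dll'

    # ServiceDll is REG_EXPAND_SZ; expand %SystemRoot% etc. before comparing.
    $serviceDll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction Stop).ServiceDll
    $serviceDll = [Environment]::ExpandEnvironmentVariables($serviceDll)

    $result = [ordered]@{
        Edition            = (Get-CimInstance Win32_OperatingSystem).Caption
        ServiceDll         = $serviceDll
        IsStockTermsrv     = ($serviceDll -ieq $expected)
        FileExists         = (Test-Path -LiteralPath $serviceDll)
        Signer             = $null
        # 0 = incoming Remote Desktop connections allowed, 1 = denied
        fDenyTSConnections = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
        TermServiceState   = (Get-Service -Name TermService -ErrorAction SilentlyContinue).Status
    }

    if ($result.FileExists) {
        # termsrv.dll is Microsoft-signed; a wrapper DLL normally is not.
        $sig = Get-AuthenticodeSignature -FilePath $serviceDll
        $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    }

    if (-not $result.IsStockTermsrv) {
        Write-Warning "TermService ServiceDll is not the stock termsrv.dll: $serviceDll"
    }
    [pscustomobject]$result
}

# Run from an elevated PowerShell prompt; reading these keys needs admin rights.
Test-TermServiceDll
```

A ServiceDll that is not the stock termsrv.dll, combined with RDP enabled (fDenyTSConnections = 0) on a Home edition that does not ship with incoming RDP, is the pattern this plug-in would leave behind if it installs the wrapper conventionally. Pair the check with an inventory of listeners on TCP 3389 and with event log review for new RDP logons.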

Moreover, DanaBot's stealer plug-in has been updated to also target 64-bit software, and the TOR plug-in now uses the y7zmcwurl6nphcve.onion address to update the Trojan's C&C server list.

At the beginning of September 2018, the DanaBot Trojan expanded its European "market" from Poland to Italy, Germany, Austria, and Ukraine, spreading via fake invoice e-mails with a malicious attachment and delivered through Brushaloader, a loader that combines PowerShell and VBS scripts.

At the moment the new variant of DanaBot targets a mix of banking domains, cryptocurrency wallets, software, and webmail services, and it uses 17 different servers around the world to serve its malicious payload.

[Images: DanaBot Trojan; DanaBot detection graph; sample DanaBot malicious e-mail]