The recently discovered DanaBot banking trojan is making the rounds in a phishing campaign that targets potential victims with fake invoices from software company MYOB.
The emails purport to be invoices from MYOB, an Australian multinational corporation that provides tax, accounting and other business services software for SMBs. But in reality, the missives contain a dropper file that downloads the DanaBot banking trojan, which once downloaded steals private and sensitive information, and sends screenshots of the machine’s system and desktop to the Command and Control server.
“Cybercriminals are targeting victims in Australian companies and infecting them with sophisticated multi-stage, multi-component and stealthy banking trojans like DanaBot to steal their private and sensitive information,” said Trustwave researchers in a post about the campaign, Friday. “In this campaign the attackers sent targeted phishing emails in the form of fake MYOB invoice messages with invoice links pointing to compromised FTP servers hosting the DanaBot malware.”
According to Trustwave researchers Fahim Abbasi and Diana Lopera, a flurry of phishing email scams has been spotted targeting Australian customers of MYOB. The phishing emails used the standard MYOB-like HTML invoice template to convince users they are real, telling the client that an invoice is due and asking them to “View Invoice” via a button at the bottom of the email.
Karl Sigler, threat intelligence manager SpiderLabs at Trustwave, told Threatpost that criminals likely purchased or perhaps generated their own list of likely MYOB customers. “Given how much information people share publicly, especially on social networks, these lists are not hard to come by,” he said. Trustwave didn’t have any information about how many victims specifically were targeted by the campaign.
Interestingly, instead of using the more common HTTP application layer protocol for links, the emails leveraged the file transfer protocol (FTP) pointing to compromised FTP servers (mostly using Australian domains).
“In clicking this ‘View Invoice’ button a zip archive is pulled down from what we believe is a compromised FTP server of an Australian company,” researchers said. “FTP credentials are supplied in the FTP link that is embedded in the ‘View Invoice’ button.”
Sigler told Threatpost that the use of FTP is an “odd choice” and not something researchers usually see. “It seems likely that the criminals compromised the FTP server of an Australian company and are using it to spread the malware,” he said. “It’s probably just a matter of convenience and using what was available to them at the time.”
From the FTP server a .zip archive is downloaded. Contained inside the .zip archive is a JavaScript downloader that, when executed, downloads the DanaBot trojan.
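The delivery chain above hinges on an unusual link: an `ftp://` URL with the credentials embedded in the “View Invoice” button, pointing at a .zip archive. The following is an added example (not code from Trustwave or from the article) showing how a mail-gateway or triage script could pull the anchors out of an invoice-style HTML body and flag exactly those traits, using only the Python standard library. The sample email body is constructed for the example; the hostnames and credentials in it are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body mimicking an invoice email (placeholder hosts/credentials,
# not indicators from the real campaign).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your invoice is now due.</p>
<a href="https://invoice.example.com/inv/1234">Invoice details</a>
<a href="ftp://user:pass@ftp.example.com.au/invoice_1234.zip"><b>View Invoice</b></a>
</body></html>
"""

# Archive extensions that are a red flag when served straight from an "invoice" link.
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href")
            self._text_parts = []

    def handle_data(self, data):
        # Only keep text while inside an anchor (nested tags such as <b> are fine).
        if self._current_href is not None:
            self._text_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            anchor_text = " ".join("".join(self._text_parts).split())
            self.links.append((self._current_href, anchor_text))
            self._current_href = None


def extract_links(html):
    """Return a list of (href, anchor_text) tuples found in the HTML."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def assess_link(href):
    """Return the list of suspicious traits observed in a single URL.

    The three traits mirror the campaign described above: an ftp:// scheme,
    credentials embedded in the URL, and a direct archive download.
    """
    parts = urlsplit(href)
    findings = []
    if parts.scheme.lower() == "ftp":
        findings.append("ftp scheme")
    if parts.username is not None:
        findings.append("embedded credentials")
    if parts.path.lower().endswith(ARCHIVE_SUFFIXES):
        findings.append("archive download")
    return findings


def triage_email(html):
    """Return [(href, anchor_text, findings), ...] for every link in the body."""
    return [(href, text, assess_link(href)) for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, text, findings in triage_email(SAMPLE_EMAIL_HTML):
        status = ", ".join(findings) if findings else "no findings"
        print(f"[{text}] {href} -> {status}")
```

Any one of the three findings on its own is not proof of phishing, but a link that carries all three behind a call-to-action button is a strong candidate for quarantine or for stripping the link before delivery. The same `assess_link` function can be applied to URLs extracted from proxy or mail logs.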
DanaBot, a Novel Banking Trojan
DanaBot is a banking trojan discovered in May targeting users in Australia via emails containing malicious URLs. The trojan, first discovered by Proofpoint researchers, has been one of the biggest cybercrime developments of 2018, so far.
“DanaBot is the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims,” Proofpoint researchers said at the time about the trojan. “DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.”
In this most recent campaign, the DanaBot malware first drops a downloader file onto the disk and executes it. The downloader then downloads a Master DLL (a dynamic link library, which contains code and data that can be used by more than one program at the same time).
Once downloaded, the DanaBot master DLL then downloads and decrypts an encrypted file which contains a variety of modules and configuration files. The DLL modules include a VNC, a stealer, a sniffer and TOR: “The filenames of the DLLs extracted from the encrypted file reveal the true intention of the attackers,” researchers said. “In essence, these DLLs enable the attacker to create and control a remote host via VNC, steal private and sensitive information and use covert channels via Tor.”
Meanwhile, the five configuration files (PInject, BitKey, BitVideo, BitFilesX and Zfilter) will set about with their own functions. “These files are used by the malware as a reference for what to look for on the victim’s machine,” Sigler told Threatpost.
That includes PInject, which contains the web-injection configuration, where the targets are Australian banks. BitKey and BitVideo are two other configuration files that contain the list of cryptocurrency processes that the bot will monitor. BitFilesX contains a list of the cryptocurrency files the bot will monitor. Finally, Zfilter lists the processes that the malware should monitor for network sniffing.
Researchers also noted that the DanaBot malware seems to be hosted on a domain that has been configured with “round robin DNS,” which rotates traffic across multiple IP addresses, all pointing to the attacker-controlled infrastructure.
“The infrastructure supporting the malware is designed to be flexible while the malware is designed to be modular with functionality spread across multiple components that are heavily encrypted,” the researchers warned.