The stealthy modular banking trojan DanaBot has set its sights on Europe and has added new features to its arsenal along the way.
The malware is written in Delphi and was first spotted in May 2018 after it was used in a malicious email campaign targeting users in Australia. In its most recent campaign, ESET researchers have spotted the malware targeting a Polish firm using emails posing as invoices from various companies, delivered through a combination of PowerShell and VBS scripts widely known as Brushaloader, according to a Sept. 21 blog post.
The trojan has since expanded further into Italy, Germany, Austria, and Ukraine and has upgraded to include a VNC plug-in, Sniffer plug-in, Stealer plug-in, and Tor plug-in. The campaign targeting Poland is still ongoing and is the largest and most active campaign to date.
The VNC plug-in establishes a connection to a victim’s computer and remotely controls it, while the Stealer plug-in harvests passwords from a wide variety of applications (browsers, FTP clients, VPN clients, chat and email programs, poker programs, etc.), researchers said.
The Sniffer plug-in injects malicious scripts into a victim’s browser, usually while the victim is visiting internet banking sites, and the TOR plug-in installs a TOR proxy and enables access to .onion web sites.
“In August 2018, the attackers started using the TOR plug-in for updating the C&C server list from y7zmcwurl6nphcve.onion,” researchers said in the blog. “While this plug-in could potentially be used to create a covert communication channel between the attacker and a victim, we have no evidence of such a use to date.”
Researchers attributed the malware’s range of functionality to its modular architecture, which they expect threat actors will continue to make use of to increase their reach and success rates. In August 2018, researchers noticed a spike in DanaBot detections, followed by another in September 2018.
“Our findings show that DanaBot is still in active use and development, most recently testing out 'new ground' in European countries,” researchers said in the post. “The new features introduced in these latest campaigns indicate the attackers behind DanaBot continue to make use of the malware’s modular architecture to increase their reach and success rate.”