A new phishing email campaign delivering the DanaBot banking Trojan has been targeting Australian customers with a fake, standard MYOB-like HTML invoice template that actually leads to a new banking Trojan.
MYOB is an Australian multinational corporation that provides tax, accounting and other business services software for SMBs.
With this new campaign, attackers used FTP links instead of the common HTTP links, and most of the FTP sites linked with the Australian domains point to a zip file that contains a JavaScript that downloads the final payload, the DanaBot malware.
The phishing email campaign uses a fake MYOB invoice that asks customers to make payment, and once the client clicks on View Invoice it downloads the zip file from the compromised server. Once downloaded, it launches a PowerShell command that downloads the final payload, the DanaBot multi-component banking Trojan.
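The delivery pattern described above (an HTML invoice whose link uses FTP and points at a zip archive) can be checked at a mail gateway. The following is an added example, not code from Trustwave or the original article; the function name, the sample message and its `.example` host names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def flag_ftp_archive_links(raw_message):
    """Return one finding per HTML link that uses FTP and targets a zip file."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            url = urlparse(href)
            if url.scheme in ("ftp", "ftps") and url.path.lower().endswith(".zip"):
                findings.append({"host": url.hostname, "path": url.path, "link_text": text})
    return findings

# Constructed sample message (not taken from the campaign); hosts are placeholders.
SAMPLE = """\
From: billing@sender.example
To: accounts@recipient.example
Subject: Invoice INV-0001
Content-Type: text/html; charset="utf-8"

<html><body><p>Your invoice is ready.</p>
<a href="ftp://ftp.supplier.example/INV-0001.zip">View Invoice</a>
<a href="https://portal.vendor.example/help">Help</a>
</body></html>
"""
print(flag_ftp_archive_links(SAMPLE))
```

Invoice mail rarely has a legitimate reason to link to an archive over FTP, so a finding here is a reasonable trigger for quarantine or analyst review.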
The Trojan steals private and sensitive information and sends screenshots of the machine’s system and desktop to the Command and Control server.
Trustwave researchers Fahim Abbasi and Diana Lopera spotted the phishing scam.
“Cybercriminals are targeting victims in Australian companies and infecting them with sophisticated multi-stage, multi-component and stealthy banking trojans like DanaBot to steal their private and sensitive information,” said Trustwave researchers in a post about the campaign, Friday. “In this campaign, the attackers sent targeted phishing emails in the form of fake MYOB invoice messages with invoice links pointing to compromised FTP servers hosting the DanaBot malware.”
Karl Sigler, threat intelligence manager, SpiderLabs at Trustwave, told Threatpost that criminals likely purchased or possibly generated their own list of likely MYOB customers. “Given how much information people share publicly, especially on social networks, these lists are not hard to come by,” he said. Trustwave didn’t have any information about how many victims specifically were targeted by the campaign.
The DanaBot banking Trojan contains 4 modules (dll – VNC, dll – Stealer, dll – Sniffer and dll – TOR) that enable it to extract sensitive details from customers, establish a covert communication channel and control a remote host via VNC.