Danabot Phishing Scam

December 27, 2018
Danabot Phishing Scam

Yet another sensational Phishing operation has been identified, and is targeting users with bogus bill statements from MYOB. MYOB (Mind Your Own Business) is a multinational corporation based in Australia. They provide taxation, accounting and other similar business services software to small and medium businesses. So its primary concentration of targets is of course, in Australia. Here’s the catch, the fake statements contain a familiar banking trojan called, DanaBot.

DanaBot is a trojan specifically engineered for bank hacking. It was discovered by Proofpoint analysts just a couple of months ago, also in Australia. It’s function is to deliberately steal sensitive user information, useful for monetary purposes. According to experts in Proofpoint, the trojan’s characteristic enables it to acquire additional components, thus increasing its overall capability in identifying and stealing information.

The malware itself is written in Delphi, a results-driven language designed for instant application enhancements of desktop systems, mobile, web and proprietary console software. Technically it is still under development.

Prior to this attack, only one notable incident of malicious usage was recorded using this trojan, a threat actor identified only as TA547. It was alleged that this threat actor bought malwares designed for banking from other threat actors and developers. These collection of Malwares included Mazer Bot, Atmos, Red Alert Android and Goot Kit. Email clients like Outlook, Windows Live and some instant messenger applications are its major targets. The targets were mostly countries from Europe, and now Australia.

The way it works is by releasing a downloader file onto the local disk and executes it instantly. The downloader’s purpose is to copy a Master DLL (Dynamic Link Library) that includes malicious codes and data, designed to be used by multiple programs simultaneously. The Master DLL includes an encrypted host of remote programs, a sniffer, a stealer and TOR. In other words, the trojan enables the attacker to takeover the host via its remote application, thus enabling them to locate (sniffer) and snip (stealer) sensitive information without being detected using TOR.

Although not yet confirmed, experts are speculating that the Malware is probably being hosted in a controlled infrastructure and its domain configured with multiple IP addresses to keep the traffic rotating. They’ve also stated that the infrastructure supporting this malware is more likely to have state of the art encryption and robust functionality. It means that this malware is going to be a real serious threat and we all need to be ready for it. There are some basic steps we can do to prevent this malware from spreading – One, do not open email messages from unknown and unreliable sources. Tag them as spam right away. Two, Remove / uninstall unknown browser extensions and add-ons. They could be loopholes for attackers to invade. Lastly, always update your security software (AV, Firewall, Malware scanners). Nothing beats them like a secure system.

About the author

Leave a Reply