Delaware, USA – June 21, 2019 – Another phishing campaign with the upgraded DanaBot trojan is reported to target Poland and Italy. The new DanaBot strain comes with a Blitzkrieg ransomware module that changes the extension of the encrypted files to .non.
Initially, the DanaBot malware was observed during a phishing campaign in Australia in 2018. The distributed Word document contained a macro that, once enabled, downloaded DanaBot with a PowerShell command. Another targeted DanaBot campaign was observed in the United States the same year; based on the C2 (command and control) servers and an analysis of the malware’s communications, Proofpoint researchers suggested that it would be an attractive tool for numerous actors, implying further development and an expansion of the targeted victims.
The recently detected DanaBot strain has a number of capabilities, such as requesting updates from the C&C server, providing remote control via RDP or VNC and running a proxy on an infected machine. The added Blitzkrieg ransomware makes things worse for the victims by, among other actions, clearing the Event Log and the Recycle Bin, stopping services and disabling Windows Defender.
Although malware distributed through spam campaigns with a macro-containing document nearly always looks suspicious, double-check the security of your company’s infrastructure: spot the Trojan’s operation with the SIEM and APT Framework rule pack: https://my.socprime.com/en/integrations/apt-framework-hpe-arcsight
Also use the DetectTor rule pack to uncover the malware’s communications with its C&C servers via the Tor network: https://my.socprime.com/en/integrations/detecttor-hpe-arcsight
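As an added defender-side example (not SOC Prime's rule pack and not code from the DanaBot analysis), the following Python script correlates constructed Windows event records for the Blitzkrieg behaviours listed above: a burst of files renamed to .non, a cleared Event Log, Windows Defender real-time protection turned off and a service stopping. The event layout, the .non file threshold and the host names are assumptions; the Windows event IDs used (Sysmon 11, Security 1102, System 104, Defender 5001, System 7036) are standard ones and are not taken from the page.

```python
# Added example (not SOC Prime's rule pack): correlate constructed Windows
# event records for the DanaBot/Blitzkrieg behaviours described above.
from collections import defaultdict

# Constructed sample telemetry; the field layout is an assumption, not a real format.
SAMPLE_EVENTS = [
    {"host": "ws01", "source": "Sysmon", "event_id": 11, "path": r"C:\Users\a\report.docx.non"},
    {"host": "ws01", "source": "Sysmon", "event_id": 11, "path": r"C:\Users\a\budget.xlsx.non"},
    {"host": "ws01", "source": "Sysmon", "event_id": 11, "path": r"C:\Users\a\photo.jpg.non"},
    {"host": "ws01", "source": "Security", "event_id": 1102, "message": "The audit log was cleared."},
    {"host": "ws01", "source": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "message": "Real-time protection is disabled."},
    {"host": "ws01", "source": "System", "event_id": 7036, "message": "The Windows Defender Antivirus Service service entered the stopped state."},
    {"host": "ws02", "source": "Sysmon", "event_id": 11, "path": r"C:\Users\b\notes.txt"},
    {"host": "ws02", "source": "Security", "event_id": 1102, "message": "The audit log was cleared."},
]

MIN_ENCRYPTED_FILES = 3  # assumption: this many .non files counts as an encryption burst

def classify(ev):
    """Map one event to an indicator label, or None if it is not of interest."""
    eid, src = ev["event_id"], ev["source"]
    if src == "Sysmon" and eid == 11 and ev.get("path", "").lower().endswith(".non"):
        return "file_encrypted"          # Blitzkrieg appends .non to encrypted files
    if (src, eid) in {("Security", 1102), ("System", 104)}:
        return "eventlog_cleared"        # 1102 / 104: Security / System log cleared
    if src.startswith("Microsoft-Windows-Windows Defender") and eid == 5001:
        return "defender_disabled"       # real-time protection turned off
    if src == "System" and eid == 7036 and "stopped state" in ev.get("message", ""):
        return "service_stopped"         # Service Control Manager: a service stopped
    return None

def correlate(events):
    """Return {host: sorted indicator labels} for hosts that look like a Blitzkrieg
    run: an encryption burst plus at least one defence-evasion step on the same host."""
    per_host = defaultdict(lambda: defaultdict(int))
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["host"]][label] += 1
    alerts = {}
    for host, counts in per_host.items():
        evasion = [k for k in counts if k != "file_encrypted"]
        if counts["file_encrypted"] >= MIN_ENCRYPTED_FILES and evasion:
            alerts[host] = sorted(["file_encrypted"] + evasion)
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # ws02 only clears a log, so it raises no alert
```

Requiring both the .non burst and an evasion step on the same host keeps a lone log-clear by an administrator from firing the alert.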