Delaware, USA – October 3, 2018 — Researchers from Proofpoint have discovered the first campaign distributing DanaBot malware against banks in the United States. The DanaBot banking Trojan was first discovered 5 months ago, when it attacked only Australian banks. The malware was soon adopted by cybercriminals targeting banks in Europe, and in late September one of the groups that distributed the Panda Trojan began using DanaBot in its spam campaigns. The attackers have already sent hundreds of thousands of spam emails disguised as digital faxes, each linking to a document whose malicious macro installs the Hancitor dropper. Hancitor then downloads and installs the Trojan along with several other tools used by the attackers. DanaBot is modular malware written in Delphi that can inject malicious scripts into a wide variety of applications. One of its modules installs a Tor proxy and enables access to .onion websites.
Researchers have determined that at least nine groups already use this malware in their campaigns. Over these five months DanaBot has gained new modules and significant anti-analysis capabilities, which will surely attract the attention of more cybercriminal groups. The malware is distributed mainly through spam campaigns, but one of the groups uses the Fallout Exploit Kit. You can spot the Trojan's activity in your SIEM with the APT Framework rule pack: https://my.socprime.com/en/integrations/apt-framework-hpe-arcsight
You can also use the DetectTor rule pack to uncover its communications with C&C servers over the Tor anonymity network: https://my.socprime.com/en/integrations/detecttor-hpe-arcsight
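The Tor-proxy module is what makes DanaBot's C&C traffic detectable from the network and endpoint side. As an added illustration of the kind of logic such a rule pack encodes (this is example code written for this page, not SOC Prime's DetectTor rules or anything from Proofpoint's report), the script below runs three heuristics over constructed DNS, firewall and process events: a `.onion` name reaching the corporate resolver, an outbound connection to Tor's default OR/directory ports, and a `tor.exe` running outside an assumed allowlisted path. The log format, the host names, the allowlist and the severity scheme are all assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample events (not taken from the article or from any real host).
# Simplified key=value records standing in for DNS, firewall and EDR feeds.
SAMPLE_EVENTS = [
    'type=dns host=WS-017 query=mail.example.com',
    'type=dns host=WS-017 query=example7hrw3sd2.onion',
    'type=conn host=WS-017 dst=203.0.113.10 dport=9001 proto=tcp',
    'type=conn host=WS-017 dst=203.0.113.11 dport=443 proto=tcp',
    'type=proc host=WS-017 image="C:\\Users\\alice\\AppData\\Roaming\\svc\\tor.exe" parent=winword.exe',
    'type=proc host=WS-042 image="C:\\Program Files\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe" parent=firefox.exe',
    'type=conn host=WS-042 dst=203.0.113.12 dport=9030 proto=tcp',
]

# Tor's default OR and directory ports. Heuristic only: relays also listen on
# 443/80 and bridges use pluggable transports, so this catches default setups only.
TOR_DEFAULT_PORTS = {"9001", "9030"}

# Assumed allowlist: where a Tor binary is expected on managed hosts.
ALLOWED_TOR_PATH_PREFIXES = ("C:\\Program Files\\Tor Browser\\",)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse a key=value record; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_rules(ev: Dict[str, str]) -> List[str]:
    """Return the names of all detection rules this event triggers."""
    hits = []
    if ev.get("type") == "dns" and ev.get("query", "").lower().endswith(".onion"):
        # .onion names resolve only inside Tor; seeing one at the corporate
        # resolver means something on the host is trying to reach Tor.
        hits.append("onion_dns_leak")
    if ev.get("type") == "conn" and ev.get("dport") in TOR_DEFAULT_PORTS:
        hits.append("tor_default_port")
    if ev.get("type") == "proc":
        image = ev.get("image", "")
        if image.lower().endswith("\\tor.exe") and not image.startswith(ALLOWED_TOR_PATH_PREFIXES):
            hits.append("tor_binary_unexpected_path")
    return hits


def detect(lines: List[str]) -> Dict[str, set]:
    """Map each host to the set of rule names it triggered."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev):
            per_host[ev.get("host", "?")].add(rule)
    return dict(per_host)


def prioritize(per_host: Dict[str, set]) -> Dict[str, str]:
    """Hosts tripping independent rule families (DNS, network, process) rank higher."""
    return {h: ("high" if len(rules) >= 2 else "low") for h, rules in per_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, sev in prioritize(found).items():
        print(f"{host}: {sev} {sorted(found[host])}")
```

Correlating across feeds is the point: a single Tor-port connection is low confidence (the second host only shows that), while a host that also leaks `.onion` lookups and runs a Tor binary dropped under a user profile by an Office process deserves immediate triage. A production rule set would add TLS fingerprinting or a Tor relay list to cover traffic on 443, which this port-based check misses by design.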