DanaBot Follows the Pass of Emotet and Trickbot Malware

Delaware, USA – August 16, 2019 – DanaBot banking Trojan continues to attack European countries. Webroot discovered a new campaign that targeted German users. DanaBot appeared about a year and a half ago, and in the first months, all campaigns were aimed only at Australia. In the fall, malware authors entered the world market, several groups operating in Europe and North America adopted this trojan and began to distribute it via spam emails and exploit kits. A few months ago, when groups operating in Italy and Poland started attacks using this malware, researchers discovered new downloadable DanaBot module infecting victims with Blitzkrieg ransomware, which cleared EventLog, stopped services, and disabled Windows Defender. Researchers noted that the ransomware module has not yet been detected in attacks on Germany, but they spotted that web injection functions have been improved. Now Trojan performs operating system and browser fingerprinting to ensure the victim is on the proper fake website.

Since its inception, DanaBot has been “overgrown” with modules and improvements providing attackers worldwide with a powerful tool for cyber attacks. Despite the recent improvement in its original banking trojan features, DanaBot is also capable of downloading the necessary modules from the command-and-control server, communicating with C&C infrastructure via Tor anonymity network and providing remote control via RDP or VNC. Researchers theorize that with such broad functionality, malware will soon follow the path of its “older brothers” – Emotet, QakBot, and Trickbot. Attackers can use the trojan for reconnaissance and then deliver ransomware to high-profile targets, as large-scale infections with Megacortex and Ryuk ransomware. To detect such attacks, you can use your SIEM and Ransomware Hunter rule pack: https://my.socprime.com/en/integrations/ransomware-hunter-hpe-arcsight

Also in the Threat Detection Marketplace is available DetectTor rule pack, which helps to spot any connections to the Tor network: https://my.socprime.com/en/integrations/detecttor-hpe-arcsight