Monday, November 4, 2024
HomeMalwareDanaBot Banking Trojan Emerges Again With New Features Steals Banking Credentials

DanaBot Banking Trojan Emerges Again With New Features Steals Banking Credentials

Published on

Malware protection

DanaBot Banking Trojan was discovered earlier this year by Proofpoint, targeting users in Australia through continuous malicious email campaigns, later it expands to Poland, Italy, Germany, Austria.

It is a banking Trojan developed in Delphi language, it has a multi-stage and multi-component architecture, most of their functionalities depends on the plugins added to it. The threat actors behind DanaBot Banking Malware continuously adding new features to it.

New Campaign – DanaBot Banking Trojan

With this new active ongoing campaign DanaBot targeting users in Poland, according to ESET research, this “new campaign is the largest and most active campaign to date.”

- Advertisement - SIEM as a Service

The malicious email campaign contains invoices posing to be from various companies, the campaign uses a combination of PowerShell and VBS scripts, following are the plugins found with the new campaign.

VNC plug-in – To establish a remote connection.

Sniffer plug-in – to injects malicious scripts to victim browser, usually while visiting internet banking sites.

Stealer plug-in – harvests credentials (browsers, FTP clients, VPN clients, chat and email programs, poker programs etc.).

TOR plug-in – installs a TOR proxy and enables access to .onion websites.

With the previous August campaign, the DanaBot developers added TOR plug-in to create a covert communication channel and with this new September campaign the threat actors behind DanaBot VNC plug-in that enables remote access to the victim’s machine.

Researchers said starting September smaller campaigns targeting banks in Italy, Germany, and Austria, on September 8, 2018, ESET discovered a new DanaBot campaign targeting Ukrainian users. According to the telemetry data, Danabot detection ratio spiked between the month of August and September.
DanaBot Banking Trojan

ESET published a detailed list of Targeted domains, Targeted software, Targeted cryptocurrency wallets, configuration script, IoCs, hashes and plugins used.

Related Read

Malware Abuse Google Ads to Injecting Coinhive Cryptocurrency Miner

Chinese Threat Actors Rocke Launching Sophisticated Crypto-mining Malware to Mine Monero Cryptocurrency

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actors Allegedly Claiming Leak of Dell Partner Portal Data

A well-known dark web forum threat actor allegedly claimed responsibility for leaking data from...

Securing Your SaaS Application Security

The rapid growth of cloud computing has made SaaS applications indispensable across industries. While...

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...