Friday, March 29, 2024

DanaBot Banking Trojan Evolves Again – Steals Email Address From Victim’s Mailbox

DanaBot Banking Trojan came out with new features which harvest email addresses from the victim’s mailbox and send out spam emails.

This Trojan turned out to be the latest example for the malware which focused on stealing useful information rather than demanding ransom from victims. The campaign primarily focuses on corporate and public administration emails.

DanaBot Banking Trojan Gets into Email Spam

In September 2018, ESET researchers noticed that the trojan used web injections against users of an unnamed Italian mail service.

An investigation has shown that malicious javascript embedded in the pages of webmail services fall into two categories.

First, DanaBot collects email addresses from the victim’s existing mailboxes and sends all the collected information to the C&C server.

Secondly, if the mail service is based on Open-Xchange, the Trojan injects a Javascript that covertly sends spam from the victim mailbox.

The mail attachment includes ZIP file which contains a decoy PDF document and a malicious VBS file, Once the VBS file executes, it downloads more malware using PowerShell cmd.

Code creating an email and adding a malicious ZIP attachment

This trojan includes a significant amount of junk code including instructions, conditional statements, and loops.

To prevent researchers and automated tools from easily understanding the code’s purpose, the trojan uses Windows API function hashing and encrypted strings.

ESET Researchers found that the links between DanaBot and GootKit. Matches were also noticed in the subnet of C&C servers and the strange similarity of domains used by the attacker.

Researchers said DanaBot uses exactly the same scripts that used in BackSwap trojan including the namings and locations of scripts in the server.

Check out the details about targeted webmail services, list of active C&C servers, targeted domains, IoCs which were shared by ESET.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Vinugayathri
Vinugayathrihttps://gbhackers.com
Vinugayathri is a Senior content writer of Indusface. She has been an avid reader & writer in the tech domain since 2015. She has been a strategist and analyst of upcoming tech trends and their impact on the Cybersecurity, IoT, and AI landscape. She is a content marketer simplifying technical anomalies for aspiring Entrepreneurs.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles