Categories: Malware

DanaBot Banking Trojan Steal Private and Sensitive Information

A new phishing email campaign targeting Australian customers with a fake standard MYOB-like HTML invoice template that contains FTP links pointed to compromised servers.

With this new campaign, attackers used FTP links instead of the usual HTTP links and most of the FTP sites linked with the Australian domains.

The FTP links points to a zip file that contains a JavaScript that downloads the final payload DanaBot malware.

Trustwave researchers Fahim Abbasi and Diana Lopera spotted the phishing scam targeting Australian customers of MYOB.

Phishing Email Campaign

The phishing email campaign contains a fake MYOB invoice that asks customers to make payment and once the customer clicks on View Invoice it downloads the zip file from the compromised server.

The Download zip archive contains JavaScript (JS) downloader that requires users to execute it, once executed it launches a PowerShell command that downloads the final payload DanaBot multi-component banking Trojan.

DanaBot Banking Trojan contains four modules dll – VNC, dll – Stealer, dll – Sniffer and dll – TOR that enables extract the sensitive details from customers, establishing a covert communication channel and to control a remote host via VNC.

According to Trustwave researchers “the infrastructure supporting the malware is designed to be flexible while the malware is designed to be modular with functionality spread across multiple components that are heavily encrypted.”

You can find the Analysis report and IoCs in Trustwave blog post.

Also Read

Hackers can Bypass Two-Factor Authentication with Phishing Attack

Facebook’s New Tool to Detect and Alert Website Owners About Phishing Attacks

Cyber Attack Prevention Checklist to Keep Your Business Safe & Secure From Hackers

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

11 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

11 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

14 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

17 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

18 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

18 hours ago