DanaBot Trojan steals sensitive information of bank customers

A new phishing email campaign, DanaBot banking Trojan, has been targeting Australian customers with a fake standard MYOB-like HTML invoice template that really contains a novel banking Trojan.

MYOB is an Australian multinational corporation that provides tax, accounting and other business services software for SMBs.

With this new campaign, attackers used FTP links instead of the usual HTTP links and most of the FTP sites linked with the Australian domains points to a zip file that contains a JavaScript that downloads the final payload DanaBot malware.

The phishing email campaign contains a fake MYOB invoice that asks customers to make payment and once the customer clicks on View Invoice it downloads the zip file from the compromised server. Once downloaded, it launches a PowerShell command that downloads the final payload DanaBot multi-component banking Trojan.

The Trojan steals private and sensitive information and sends screenshots of the machine’s system and desktop to the Command and Control server.

Trustwave researchers Fahim Abbasi and Diana Lopera spotted the phishing scam.

“Cybercriminals are targeting victims in Australian companies and infecting them with sophisticated multi-stage, multi-component and stealthy banking trojans like DanaBot to steal their private and sensitive information,” said Trustwave researchers in a post about the campaign, Friday. “In this campaign, the attackers sent targeted phishing emails in the form of fake MYOB invoice messages with invoice links pointing to compromised FTP servers hosting the DanaBot malware.”

Karl Sigler, threat intelligence manager SpiderLabs at Trustwave, told Threatpost that criminals likely purchased or perhaps generated their own list of likely MYOB customers. “Given how much information people share publicly, especially on social networks, these lists are not hard to come by,” he said. Trustwave didn’t have any information about how many victims specifically were targeted by the campaign.

DanaBot Banking Trojan contains four modules dll – VNC, dll – Stealer, dll – Sniffer and dll – TOR that enables extract the sensitive details from customers, establishing a covert communication channel and to control a remote host via VNC.