DanaBot Banking Trojan Found Targeting European Countries

Security researchers from ESET recently discovered a banking trojan named DanaBot (detected by Trend Micro as TROJ_BANLOAD.THFOAAH) being distributed to European countries via spam emails. Here’s what you need to know about this threat, how users and businesses can defend against it, and how managed detection and response can help address this threat. 

What is DanaBot?

DanaBot is a banking trojan, written in Delphi programming language, capable of stealing credentials and hijacking infected systems. It is distributed via spam emails masquerading as invoices with malicious attachment that, when executed, abuses PowerShell — a legitimate system administration tool — and Visual Basic scripts (VBScript) called BrushaLoader to retrieve and execute its modules. 

When it was first discovered, DanaBot used Word documents embedded with malicious macro that, once enabled, downloads DanaBot via PowerShell. Security researchers noted that the use of BrushaLoader in recent spam campaigns was a recent addition, and that DanaBot itself underwent updates.

[RELATED NEWS: Evolving Trickbot adds detection evasion and screen-locking features]

What is DanaBot’s impact so far?

DanaBot was first seen being distributed to Australian users via spam with a malicious Word document that claims the user is “protected” by a security company. DanaBot’s command-and-control (C&C) server first checks the affected system’s IP address, and delivers the banking trojan if it is located in Australia.

DanaBot’s operators have since expanded their targets. The recent spam campaigns are now being distributed to European countries, particularly Austria, Germany, Italy, Poland, and Ukraine. While the missives still pose as invoices, PowerShell and BrushaLoader are used to download DanaBot’s various components.

[Trend Micro 2018 Midyear Security Roundup: Fileless, macro and small-sized malware challenges purely file-based security technologies]

DanaBot is notable for its multistage infection chain and modular architecture. Prior research from Trustwave, along with ESET's new research, identifies DanaBot as comprising several components — mostly as dynamic-link libraries (DLL) — that perform separate functions. The identified plug-ins steal credentials from various applications, functions as RDP (Remote Desktop Protocol) to other Windows-based computers, injects scripts to browsers, among others.

[Best Practices: InfoSec Guide: Web Injections]

How can users and businesses defend against DanaBot?

While modular malware isn’t new, it can pose significant risks given its stealthy nature. In fact, this technique is increasingly used by botnets, other information and file stealers, Android malware, point-of-sale (PoS) malware, and even cyberespionage campaigns. Modular malware can be difficult to detect. For instance, a module can be programmed to terminate or not work without running another, so a malware component can dwell within an affected system for a long time until it is executed. Attackers can also program a module to self-execute and not rely on other components. In this case, a malware can execute information theft while letting its other components that have other functionalities remain hidden. Uncovering a component doesn’t guarantee others can be found either.

Defending against modular malware like DanaBot requires a multilayered approach. Here are some best practices:

  • Secure the use of remote access functionalities like remote desktops, which information/data stealers like banking trojans use to hijack other machines, or as vectors that ransomware can use to reinfect a system.
  • Keep the systems, networks, servers, and gateways patched and the applications up-to-date.
  • Employ authentication and authorization mechanisms to mitigate attacks that may use leaked or stolen credentials.
  • Restrict or secure the use of system administration tools that today’s threats are increasingly abusing to evade detection.
  • Install additional layers of security such as application control, which prevents unknown or suspicious executables or applications from running; and behavior monitoring, which blocks unusual modifications to the system or software installed on it.
  • Proactively monitor the network for any suspicious activity, such as C&C communication, data exfiltration, and lateral movement.

[READ: Data Breaches Highlight the Need for Managed Detection and Response]

How can managed detection and response help address this threat?

Ideally, businesses should have the necessary security mechanisms in place to defend against stealthy threats, but enterprises may find it arduous given budget constraints (like in hiring or retaining security specialists) or the worsening cybersecurity skills gap. A security strategy that enterprises can consider is using managed detection and response (MDR), which provides comprehensive threat hunting services and access to security specialists that can help enterprises investigate, proactively respond to, and remediate from evasive threats.

For example, detecting or blocking a modular malware’s component doesn’t ensure that its other plug-ins can be found. In a modular PoS malware like FastPOS, for instance, its random access memory-scraping module (RAM) can run as a service separately, and may be easier to remove. However, it may be difficult to detect its keylogging module if it injects its code into a legitimate process. It takes a proactive approach to identify where malware could be dwelling and correlate its activity — if it’s downloading additional payloads or has infected other processes, for instance. MDR provides the technology and especially the expertise needed to develop a proactive incident response and remediation strategy that can mitigate threats and cyberattacks.

Trend Micro’s managed detection and response service allows customers to investigate security alerts without the need to hire qualified incident response staff. It provides alert monitoring, alert prioritization, investigation, and threat hunting services to Trend Micro customers. By applying artificial intelligence models to customer endpoint data, network data, and server information, the service can correlate and prioritize advanced threats. Trend Micro threat researchers can investigate prioritized alerts to determine the extent and spread of the attack and work with the customer to provide a detailed remediation plan. 


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.