Bank Trojan DanaBot attacks users in Europe

We recently recorded a surge in the activity of the banking Trojan DanaBot, discovered earlier this year. The malware was originally used in attacks aimed at Australia; the operators then switched to Poland and expanded their geography, and we are now seeing campaigns in Italy, Germany and Austria, and, since September 2018, in Ukraine.
 
 
DanaBot is a banking Trojan with a modular architecture, first described by Proofpoint in May 2018 after it was found in spam campaigns in Australia. The Trojan is written in Delphi and has a multi-component, multi-stage architecture in which most of the functionality is implemented as plugins. At the time of the first detection, the malware was under active development.
 
 
Polish users. According to our research, this attack continues to this day and remains the largest and most active campaign at the moment. To compromise victims, the operators use emails that mimic invoices from various companies (see the figure below). A combination of PowerShell and VBS scripts known as Brushaloader is used.
 
 
 
Figure 1. A sample of a spam mail from the DanaBot campaign in Poland in September 2018
 
 
In early September, ESET researchers discovered several smaller campaigns aimed at banks in Italy, Germany and Austria, using the same distribution pattern as the Polish campaign. In addition, on September ? 201? ESET detected a new DanaBot campaign targeting Ukrainian users. The software and sites targeted in these attacks are listed at the end of the post.
 
 
The figure below shows a sharp increase in the number of DanaBot detections in late August and September 201?, according to ESET telemetry.
 
 
 
Figure 2. Detection of DanaBot by ESET products during the last two months
 
 

Modification of plugins


 
DanaBot has a modular architecture. At the heart of most of its functions are plugins.
 
The following plugins were mentioned in connection with the campaign aimed at Australian users in May 2018:
 
 
- VNC - establishes a connection to the victim's computer and controls it remotely;
- Sniffer - injects a malicious script into the victim's browser, usually when banking sites are visited;
- Stealer - collects passwords from a wide range of applications (browsers, FTP clients, VPN clients, chat and e-mail clients, online poker software, etc.);
- TOR - installs a TOR proxy and provides access to .onion sites.
 
 
According to our research, the attackers made changes to the DanaBot plug-ins after the previously described campaigns.
 
 
In August 201?, the attackers began using the TOR plugin to update the list of C&C servers from y7zmcwurl6nphcve.onion. This plugin could potentially be used to create a hidden communication channel between the attacker and the victim, although so far we have no evidence of such use.
 
 
In addition, the attackers added a 64-bit version of the Stealer plugin, compiled on August 2? 201?, expanding the list of software that DanaBot can potentially target.
 
 
Finally, in early September 201?, an RDP plugin was added. It is based on the open-source RDPWrap project, which enables Remote Desktop connections on Windows machines that normally do not support them.
 
 
There are several reasons why the DanaBot developers added another remote-access plugin alongside VNC. First, the RDP protocol is less likely to be blocked by firewalls. Second, RDPWrap allows multiple users to use the same computer simultaneously, which lets the attackers perform reconnaissance while the victim is working on the machine.
 
 

Conclusion


 
We found that DanaBot is still actively used and developed, and has recently been tested in Europe. The new features that appeared in the latest campaigns indicate that the DanaBot operators continue to rely on the modular architecture to increase coverage and effectiveness.
 
 
ESET products detect and block all DanaBot components and plugins.
 
 

Software


 
Targeted software in European campaigns (process name patterns, wildcards as in the configuration)

*electrum*.exe*
*electron*.exe*
*expanse*.exe*
*bitconnect*.exe*
*coin-qt-*.exe*
*ethereum*.exe*
*-qt.exe*
*zcash*.exe*
*klient*.exe*
*comarchcryptoserver*.exe*
*cardserver*.exe*
*java*.exe*
*jp2launcher*.exe*
 
 
Targeted software in the Ukrainian campaign

Since September ? 201?, the DanaBot campaign has targeted the following corporate banking software and remote-access tools (process name patterns, wildcards as in the configuration):

*java*.exe*
*jp2launcher*.exe*
*srclbclient*.exe*
*mtbclient*.exe*
*start.corp2*.exe*
*javaw.*exe*
*node*.exe*
*runner*.exe*
*ifobsclient*.exe*
*bank*.exe*
*cb193w*.exe*
*clibankonlineen*.exe*
*clibankonlineru*.exe*
*clibankonlineua*.exe*
*eximclient*.exe*
*srclbclient*.exe*
*vegaclient*.exe*
*mebiusbankxp*.exe*
*pionner*.exe*
*pcbank*.exe*
*qiwicashier*.exe*
*tiny*.exe*
*upp_4*.exe*
*stp*.exe*
*viewpoint*.exe*
*acdterminal*.exe*
*chiefterminal*.exe*
*cc*.exe*
inal*.exe*
*uniterm*.exe*
*cryptoserver*.exe*
*fbmain*.exe*
*vncviewer*.exe*
*radmin*.exe*
 
 

Target Domains


 
Note that the configuration uses wildcard characters, so the list contains only portals that can be identified.
 
 
Italy
 
- credem.it
 
- bancaeuro.it
 
- csebo.it
 
- inbank.it
 
- bancopostaimpresaonline.poste.it
 
- bancobpm.it
 
- bancopopolare.it
 
- ubibanca.com
 
- icbpi.it
 
- bnl.it
 
- banking4you.it
 
- bancagenerali.it
 
- ibbweb.tecmarket.it
 
- gruppocarige.it
 
- finecobank.com
 
- gruppocarige.it
 
- popso.it
 
- bpergroup.net
 
- credit-agricole.it
 
- cariparma.it
 
- chebanca.it
 
- creval.it
 
- bancaprossima.com
 
- intesasanpaoloprivatebanking.com
 
- intesasanpaolo.com
 
- hellobank.it

 
 
Germany
 
- bv-activebanking.de
 
- commerzbank.de
 
- sparda.de
 
- comdirect.de
 
- deutsche-bank.de
 
- berliner-bank.de
 
- norisbank.de
 
- targobank.de

 
 
Austria
 
- sparkasse.at
 
- raiffeisen*.at
 
- bawagpsk.com

 
 
Ukraine
 
 
Domains added on September 1? 2018:
 
- bank.eximb.com
 
- oschadbank.ua
 
- client-bank.privatbank.ua

 
 
Domains added on September 1? 2018:
 
- online.pumb.ua
 
- creditdnepr.dp.ua

 
 
Web mail
 
- mail.vianova.it
 
- mail.tecnocasa.it
 
- MDaemon Webmail
 
- email.it
 
- outlook.live.com
 
- mail.one.com
 
- tim.it
 
- mail.google
 
- tiscali.it
 
- roundcube
 
- horde
 
- webmail * .eu
 
- webmail * .it

 
 
Crypto-currency wallets
 
*wallet.dat*
 
*default_wallet*

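The target lists above are glob-style patterns, and the domain list uses wildcards as well (raiffeisen*.at, webmail*.it). The following Python script is an added example, not code from the ESET post and not DanaBot's own code: it normalizes the spacing that web extraction introduced into the patterns and matches constructed process names and hostnames against a subset of the lists, so that the published lists can be reused as a defender's hunting check against process and DNS telemetry. The case-insensitive matching, the parent-domain (suffix) matching for hostnames, and every sample name are assumptions or constructed data, not facts from the post.

```python
"""Added example (not from the ESET post): reuse DanaBot's wildcard target
lists as a defender-side hunting check over process names and hostnames.
All sample process names and hostnames below are constructed test data."""
import fnmatch
import re

# Subset of the process-name patterns from the post's "Targeted software" lists.
PROCESS_PATTERNS = [
    "*electrum*.exe*", "*-qt.exe*", "*zcash*.exe*", "*java*.exe*",
    "*jp2launcher*.exe*", "*clibankonlineua*.exe*", "*vncviewer*.exe*",
    "*radmin*.exe*",
]

# Subset of the target domains; raiffeisen*.at and webmail*.it are wildcards.
DOMAIN_PATTERNS = [
    "credem.it", "commerzbank.de", "sparkasse.at", "raiffeisen*.at",
    "client-bank.privatbank.ua", "webmail*.it",
]


def normalize_pattern(raw: str) -> str:
    """Collapse whitespace that extraction inserted into a pattern,
    e.g. '* coin-qt - *. exe *' -> '*coin-qt-*.exe*'."""
    return re.sub(r"\s+", "", raw)


def matching_patterns(name: str, patterns) -> list:
    """Return every pattern that matches `name`. Matching is done
    case-insensitively (assumption: Windows file names are case-insensitive,
    so 'Electrum.exe' and 'electrum.exe' are the same binary)."""
    lowered = name.lower()
    return [p for p in patterns if fnmatch.fnmatchcase(lowered, p.lower())]


def host_matches(hostname: str, domain_patterns) -> list:
    """Match a hostname against the domain list: a wildcard match on the host
    itself or on any parent domain, so online.credem.it is covered by
    credem.it. Assumption: suffix matching is a conservative reading of the
    post's note that the configuration uses wildcards."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels))]
    hits = []
    for pat in domain_patterns:
        if any(fnmatch.fnmatchcase(c, pat.lower()) for c in candidates):
            hits.append(pat)
    return hits


def hunt(process_names, hostnames):
    """Return ({process: [patterns]}, {host: [patterns]}) for the inputs that
    fall inside the target lists; non-matching inputs are omitted."""
    proc_hits = {n: matching_patterns(n, PROCESS_PATTERNS) for n in process_names}
    host_hits = {h: host_matches(h, DOMAIN_PATTERNS) for h in hostnames}
    return ({n: p for n, p in proc_hits.items() if p},
            {h: p for h, p in host_hits.items() if p})


if __name__ == "__main__":
    # Constructed sample telemetry, not data from the post.
    sample_processes = ["Electrum-3.2.exe", "bitcoin-qt.exe", "javaw.exe",
                        "notepad.exe", "litecoin-qt.exe.tmp", "VncViewer.exe"]
    sample_hosts = ["online.credem.it", "raiffeisenbank.at", "example.com",
                    "webmail.tiscali.it", "mail.raiffeisen.de"]
    procs, hosts = hunt(sample_processes, sample_hosts)
    for name, pats in procs.items():
        print(f"process {name!r} matches {pats}")
    for host, pats in hosts.items():
        print(f"host {host!r} matches {pats}")
```

Two things the run makes visible that the raw list does not: the trailing `*` in `*-qt.exe*` also catches renamed or temporary copies such as `litecoin-qt.exe.tmp`, and a pattern like `*java*.exe*` matches the legitimate `javaw.exe`, so a hit on the process list is a reason to check for the banking client behind it, not an infection indicator by itself.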
 
 
Examples of the configuration of campaigns in Poland, Italy, Germany and Austria
 
 
 

Indicators of infection


 
Servers used by DanaBot
 
 
Note that "Active" means the server was still serving malicious content as of September 2? 2018.
 
 
???.69 (Active)
 
???.180 (Active)
 
???.138 (Active)
 
???.198 (Active)
 
???.227 (Active)
 
???.232 (Active)
 
???.220 (Active)
 
???.252 (Active)
 
???.25 (Inactive)
 
???.131 (Inactive)
 
???.47 (Inactive)
 
???.214 (Inactive)
 
???.225 (Inactive)
 
???.102 (Inactive)
 
???.103 (Active)
 
???.104 (Active)
 
???.109 (Inactive)
 
???.110 (Active)
 
???.111 (Active)
 
???.112 (Active)
 
???.114 (Inactive)
 
???.116 (Active)
 
???.117 (Inactive)
 
???.105 (Active)
 
???.204 (Active)
 
???.64 (Active)

 
 
Sample hashes

Note that new builds of the main components are released approximately every 15 minutes, so the hashes listed here may not be the latest ones available.
 
 
Infection vector in Europe: 782ADCF9EF6E479DEB31FCBD37918C5F74CE3CAE (VBS/TrojanDownloader.Agent.PYC)

Infection vector in Ukraine: 79F1408BC9F1F2AB43FA633C9EA8EA00BA8D15E8 (JS/TrojanDropper.Agent.NPQ)

Dropper: 70F9F030BA20E219CF0C92CAEC9CB56596F21D50 (Win32/TrojanDropper.Danabot.I)

Downloader: AB0182423DB78212194EE773D812A5F8523D9FFD (Win32/TrojanDownloader.Danabot.I)

Main module (x86): EA3651668F5D14A2F5CECC0071CEB85AD775872C (Win32/Spy.Danabot.F)

Main module (x64): 47DC9803B9F6D58CF06BDB49139C7CEE037655FE (Win64/Spy.Danabot.C)


Plugins

RDP: C31B02882F5B8A9526496B06B66A5789EBD476BE (Win32/Spy.Danabot.H)

Stealer (x86): 3F893854EC2907AA45A48FEDD32EE92671C80E8D (Win32/Spy.Danabot.C)

Stealer (x64): B93455B1D7A8C57F68A83F893A4B12796B1E636C (Win64/Spy.Danabot.E)

Sniffer: DBFD8553C66275694FC4B32F9DF16ADEA74145E6 (Win32/Spy.Danabot.B)

VNC: EBB1507138E28A451945CEE1D18AEDF96B5E1BB2 (Win32/Spy.Danabot.D)

TOR: 73A5B0BEE8C9FB4703A206608ED277A06AA1E384 (Win32/Spy.Danabot.G)

Author: weber
Publication date: 25-09-2018, 22:14
Category: Administration / Antivirus protection