Banking Trojan DanaBot attacks users in Europe
Recently we recorded a surge in the activity of the banking Trojan DanaBot, which was discovered earlier this year. The malware was originally used in attacks aimed at Australia; the operators then switched to Poland and expanded their geography, and we now see campaigns in Italy, Germany and Austria and, since September 2018, in Ukraine.
DanaBot is a banking Trojan with a modular architecture, first described by Proofpoint in May 2018 after it was found in spam campaigns in Australia. The Trojan is written in Delphi and has a multi-component, multi-stage architecture in which most functions are implemented as plugins. At the time of its first detection, the malware was still under active development.
Polish users. According to our research, this attack continues to this day and remains the most ambitious and active one at the moment. To compromise victims, the operators use emails that mimic invoices from various companies (see the figure below). A combination of PowerShell and VBS scripts known as Brushaloader is used.
Figure 1. A sample of a spam mail from the DanaBot campaign in Poland in September 2018
In early September, ESET researchers discovered several smaller campaigns aimed at banks in Italy, Germany and Austria, using the same distribution pattern as the Polish campaign. In addition, on September ? 2018 ESET detected a new DanaBot campaign targeting Ukrainian users. The software and sites targeted in these attacks are listed at the end of the post.
The figure below shows a sharp increase in the number of DanaBot detections in late August and September 2018, according to ESET telemetry.
Figure 2. Detection of DanaBot by ESET products during the last two months
Modification of plugins
DanaBot has a modular architecture. At the heart of most of its functions are plugins.
The following plugins were mentioned in the description of the campaign aimed at Australian users in May 2018:
- VNC - establishes a connection to the victim's computer and remotely controls it;
- Sniffer - introduces a malicious script into the browser of the victim, usually when visiting banking sites;
- Stealer - collects passwords from a wide range of applications (browsers, FTP clients, VPN clients, chat and e-mail clients, online poker software, etc.);
- TOR - installs a TOR proxy and provides access to .onion sites.
According to our research, the attackers made changes to the DanaBot plug-ins after the previously described campaigns.
In August 2018 the attackers began using the TOR plugin to update the list of C&C servers via y7zmcwurl6nphcve.onion. This plugin could potentially be used to create a hidden communication channel between the attacker and the victim, although so far we have no evidence of such use.
In addition, the attackers added a 64-bit version of the Stealer plugin, compiled on August 2? 2018, expanding the list of software that DanaBot can potentially target.
Finally, in early September 2018 an RDP plugin was added. It is based on the open-source RDPWrap project, which enables Remote Desktop connections on Windows machines whose editions normally do not support them.
There are several reasons why the DanaBot developers added a second remote-access plugin alongside VNC. First, the RDP protocol is less likely to be blocked by firewalls. Second, RDPWrap allows multiple users to use the same computer simultaneously, which lets the attackers perform reconnaissance while the victim is still using the machine.
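As an added defender-side check (not code from the ESET write-up or from the RDPWrap project), the following Python snippet looks for the mechanism RDPWrap relies on: it redirects the Remote Desktop service (TermService) from the stock termsrv.dll to its own wrapper DLL, which shows up in the service's ServiceDll registry value. The registry path is the standard TermService parameters key; the path-normalisation logic, the default SystemRoot and the sample values are assumptions of this example.

```python
import re

# Stock location of the Remote Desktop service DLL, relative to SystemRoot.
# Any other ServiceDll value (for example RDPWrap's own DLL) warrants a closer look.
STOCK_TERMSRV = r"\System32\termsrv.dll"


def resolve_service_dll(value: str, system_root: str = r"C:\Windows") -> str:
    """Expand %SystemRoot% (any case), unify separators and lower-case the path.

    system_root defaults to a constructed C:\\Windows so the check runs offline.
    """
    expanded = re.sub(r"%systemroot%", lambda _m: system_root, value, flags=re.IGNORECASE)
    return expanded.replace("/", "\\").strip().lower()


def servicedll_is_suspicious(value: str, system_root: str = r"C:\Windows") -> bool:
    """True when TermService is not being served by the stock termsrv.dll."""
    expected = (system_root + STOCK_TERMSRV).lower()
    return resolve_service_dll(value, system_root) != expected


def read_termservice_dll():
    """Read the live ServiceDll value on a Windows host; None where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Services\TermService\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _kind = winreg.QueryValueEx(key, "ServiceDll")
    return value


if __name__ == "__main__":
    live = read_termservice_dll()
    if live is None:
        print("winreg is not available; run this on the Windows host under review")
    else:
        verdict = "SUSPICIOUS" if servicedll_is_suspicious(live) else "stock"
        print(f"TermService ServiceDll = {live!r} -> {verdict}")
```

A non-stock ServiceDll is not proof of DanaBot (administrators install RDPWrap legitimately), so treat it as a lead to correlate with the other behaviours the post describes: more than one interactive session on a workstation at the same time, and RDP traffic leaving a host that has no business need for it.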
Conclusion
We found that DanaBot is still actively used and developed, and that it has recently been expanding into Europe. The new features seen in the latest campaigns indicate that the DanaBot operators continue to use the modular architecture to increase coverage and effectiveness.
ESET products detect and block all DanaBot components and plugins.
Software
Targeted software in European campaigns
- *electrum*.exe*
- *electron*.exe*
- *expanse*.exe*
- *bitconnect*.exe*
- *coin-qt-*.exe*
- *ethereum*.exe*
- *-qt.exe*
- *zcash*.exe*
- *klient*.exe*
- *comarchcryptoserver*.exe*
- *cardserver*.exe*
- *java*.exe*
- *jp2launcher*.exe*
Targeted software in the Ukrainian campaign
Since September ? 2018 the Ukrainian DanaBot campaign has targeted the following corporate banking software and remote access tools:
- *java*.exe*
- *jp2launcher*.exe*
- *srclbclient*.exe*
- *mtbclient*.exe*
- *start.corp2*.exe*
- *javaw.*exe*
- *node*.exe*
- *runner*.exe*
- *ifobsclient*.exe*
- *bank*.exe*
- *cb193w*.exe*
- *clibankonlineen*.exe*
- *clibankonlineru*.exe*
- *clibankonlineua*.exe*
- *eximclient*.exe*
- *srclbclient*.exe*
- *vegaclient*.exe*
- *mebiusbankxp*.exe*
- *pionner*.exe*
- *pcbank*.exe*
- *qiwicashier*.exe*
- *tiny*.exe*
- *upp_4*.exe*
- *stp*.exe*
- *viewpoint*.exe*
- *acdterminal*.exe*
- *chiefterminal*.exe*
- *cc*.exe*
- inal*.exe*
- *uniterm*.exe*
- *cryptoserver*.exe*
- *fbmain*.exe*
- *vncviewer*.exe*
- *radmin*.exe*
Target Domains
Note that the configuration uses wildcards, so the list contains only those portals that could be identified.
Italy
- credem.it
- bancaeuro.it
- csebo.it
- inbank.it
- bancopostaimpresaonline.poste.it
- bancobpm.it
- bancopopolare.it
- ubibanca.com
- icbpi.it
- bnl.it
- banking4you.it
- bancagenerali.it
- ibbweb.tecmarket.it
- gruppocarige.it
- finecobank.com
- gruppocarige.it
- popso.it
- bpergroup.net
- credit-agricole.it
- cariparma.it
- chebanca.it
- creval.it
- bancaprossima.com
- intesasanpaoloprivatebanking.com
- intesasanpaolo.com
- hellobank.it
Germany
- bv-activebanking.de
- commerzbank.de
- sparda.de
- comdirect.de
- deutsche-bank.de
- berliner-bank.de
- norisbank.de
- targobank.de
Austria
- sparkasse.at
- raiffeisen*.at
- bawagpsk.com
Ukraine
Domains added on September 1? 2018:
- bank.eximb.com
- oschadbank.ua
- client-bank.privatbank.ua
Domains added on September 1? 2018:
- online.pumb.ua
- creditdnepr.dp.ua
Web mail
- mail.vianova.it
- mail.tecnocasa.it
- MDaemon Webmail
- email.it
- outlook.live.com
- mail.one.com
- tim.it
- mail.google
- tiscali.it
- roundcube
- horde
- webmail*.eu
- webmail*.it
Crypto-currency wallets
- *wallet.dat*
- *default_wallet*
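The process-name, domain and wallet-file entries in the lists above are shell-style wildcard patterns (the asterisks). As an added example, not code from the ESET write-up, here is a small Python matcher a defender can run over an inventory of running process names, browsed hostnames or file names to see which entries of the configuration would fire on a given host. It assumes the bot matches case-insensitively and that a bare domain entry such as credem.it also covers its subdomains; those assumptions, the subset of patterns reproduced and the sample inventory are constructed for this example.

```python
import fnmatch
import re

# A subset of the wildcard entries quoted from the target lists above.
PROCESS_PATTERNS = [
    "*electrum*.exe*", "*-qt.exe*", "*java*.exe*", "*javaw.*exe*",
    "*clibankonlineua*.exe*", "*vncviewer*.exe*", "*radmin*.exe*",
]
DOMAIN_PATTERNS = [
    "credem.it", "commerzbank.de", "raiffeisen*.at",
    "client-bank.privatbank.ua", "webmail*.eu", "webmail*.it",
]
WALLET_PATTERNS = ["*wallet.dat*", "*default_wallet*"]


def compile_patterns(patterns):
    """Turn shell-style wildcards into anchored, case-insensitive regexes (assumed semantics)."""
    return [(p, re.compile(fnmatch.translate(p), re.IGNORECASE)) for p in patterns]


def match_names(names, patterns):
    """Return {name: [matching patterns]} for process or file names."""
    compiled = compile_patterns(patterns)
    hits = {}
    for name in names:
        matched = [p for p, rx in compiled if rx.match(name)]
        if matched:
            hits[name] = matched
    return hits


def match_domain(host, patterns):
    """Return the first pattern matching the host or any parent domain, else None."""
    labels = host.lower().strip(".").split(".")
    # Candidates: the host itself and each parent domain down to the registrable part,
    # so a bare entry like "credem.it" also covers www.credem.it (assumption).
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for p, rx in compile_patterns(patterns):
        if any(rx.match(c) for c in candidates):
            return p
    return None


# Constructed sample inventory for a quick self-check; not real telemetry.
SAMPLE_PROCESSES = ["explorer.exe", "Electrum-3.2.exe", "bitcoin-qt.exe",
                    "javaw.exe", "vncviewer.exe", "chrome.exe"]
SAMPLE_HOSTS = ["www.credem.it", "ebanking.raiffeisen.at",
                "webmail.example.it", "example.com"]
SAMPLE_FILES = ["wallet.dat", "default_wallet", "notes.txt"]


def summarize():
    """Run all three lists over the sample inventory and return the hits."""
    return {
        "processes": match_names(SAMPLE_PROCESSES, PROCESS_PATTERNS),
        "domains": {h: match_domain(h, DOMAIN_PATTERNS) for h in SAMPLE_HOSTS},
        "files": match_names(SAMPLE_FILES, WALLET_PATTERNS),
    }


if __name__ == "__main__":
    for section, result in summarize().items():
        print(section, result)
```

Feeding the full lists through this matcher against a process inventory is a quick way to find which workstations run software that this campaign's configuration singles out, which is where the Sniffer and Stealer plugins would do their work and where monitoring effort pays off first.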
Examples of the configuration of campaigns in Poland, Italy, Germany and Austria

Indicators of infection
Servers used by DanaBot
Note that Active means malicious content was present as of September 2? 2018.
???.69 (Active)
???.180 (Active)
???.138 (Active)
???.198 (Active)
???.227 (Active)
???.232 (Active)
???.220 (Active)
???.252 (Active)
???.25 (Inactive)
???.131 (Inactive)
???.47 (Inactive)
???.214 (Inactive)
???.225 (Inactive)
???.102 (Inactive)
???.103 (Active)
???.104 (Active)
???.109 (Inactive)
???.110 (Active)
???.111 (Active)
???.112 (Active)
???.114 (Inactive)
???.116 (Active)
???.117 (Inactive)
???.105 (Active)
???.204 (Active)
???.64 (Active)
Hash examples
Note that new builds of the main components are released approximately every 15 minutes, so the hashes listed here may not be the latest available.
Infection vector in Europe: 782ADCF9EF6E479DEB31FCBD37918C5F74CE3CAE (VBS/TrojanDownloader.Agent.PYC)
Infection vector in Ukraine: 79F1408BC9F1F2AB43FA633C9EA8EA00BA8D15E8 (JS/TrojanDropper.Agent.NPQ)
Dropper: 70F9F030BA20E219CF0C92CAEC9CB56596F21D50 (Win32/TrojanDropper.Danabot.I)
Downloader: AB0182423DB78212194EE773D812A5F8523D9FFD (Win32/TrojanDownloader.Danabot.I)
Main module (x86): EA3651668F5D14A2F5CECC0071CEB85AD775872C (Win32/Spy.Danabot.F)
Main module (x64): 47DC9803B9F6D58CF06BDB49139C7CEE037655FE (Win64/Spy.Danabot.C)
Plugins
RDP: C31B02882F5B8A9526496B06B66A5789EBD476BE (Win32/Spy.Danabot.H)
Stealer (x86): 3F893854EC2907AA45A48FEDD32EE92671C80E8D (Win32/Spy.Danabot.C)
Stealer (x64): B93455B1D7A8C57F68A83F893A4B12796B1E636C (Win64/Spy.Danabot.E)
Sniffer: DBFD8553C66275694FC4B32F9DF16ADEA74145E6 (Win32/Spy.Danabot.B)
VNC: EBB1507138E28A451945CEE1D18AEDF96B5E1BB2 (Win32/Spy.Danabot.D)
TOR: 73A5B0BEE8C9FB4703A206608ED277A06AA1E384 (Win32/Spy.Danabot.G)
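The SHA-1 values above are the kind of indicator that is easy to sweep a file share or quarantine folder for. As an added example (not a tool from the ESET write-up), the Python script below hashes every file under a directory and reports any that match the listed hashes with the detection name given on the page. The hash table is copied from the IoC section; the directory walk, the chunked hashing and the constructed self-check files are this example's own.

```python
import hashlib
import os
import tempfile

# SHA-1 hashes and detection names as listed in the write-up's IoC section.
DANABOT_SHA1 = {
    "782ADCF9EF6E479DEB31FCBD37918C5F74CE3CAE": "VBS/TrojanDownloader.Agent.PYC (infection vector, Europe)",
    "79F1408BC9F1F2AB43FA633C9EA8EA00BA8D15E8": "JS/TrojanDropper.Agent.NPQ (infection vector, Ukraine)",
    "70F9F030BA20E219CF0C92CAEC9CB56596F21D50": "Win32/TrojanDropper.Danabot.I (dropper)",
    "AB0182423DB78212194EE773D812A5F8523D9FFD": "Win32/TrojanDownloader.Danabot.I (downloader)",
    "EA3651668F5D14A2F5CECC0071CEB85AD775872C": "Win32/Spy.Danabot.F (main module, x86)",
    "47DC9803B9F6D58CF06BDB49139C7CEE037655FE": "Win64/Spy.Danabot.C (main module, x64)",
    "C31B02882F5B8A9526496B06B66A5789EBD476BE": "Win32/Spy.Danabot.H (RDP plugin)",
    "3F893854EC2907AA45A48FEDD32EE92671C80E8D": "Win32/Spy.Danabot.C (Stealer plugin, x86)",
    "B93455B1D7A8C57F68A83F893A4B12796B1E636C": "Win64/Spy.Danabot.E (Stealer plugin, x64)",
    "DBFD8553C66275694FC4B32F9DF16ADEA74145E6": "Win32/Spy.Danabot.B (Sniffer plugin)",
    "EBB1507138E28A451945CEE1D18AEDF96B5E1BB2": "Win32/Spy.Danabot.D (VNC plugin)",
    "73A5B0BEE8C9FB4703A206608ED277A06AA1E384": "Win32/Spy.Danabot.G (TOR plugin)",
}


def sha1_of_bytes(data: bytes) -> str:
    """Upper-case hex SHA-1 of an in-memory buffer."""
    return hashlib.sha1(data).hexdigest().upper()


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Upper-case hex SHA-1 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def lookup(sha1_hex: str, iocs=DANABOT_SHA1):
    """Detection name for a hash, or None when it is not a listed indicator."""
    return iocs.get(sha1_hex.upper())


def scan_directory(root: str, iocs=DANABOT_SHA1):
    """Walk a tree and return {path: detection_name} for files matching an IoC hash."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            hit = lookup(digest, iocs)
            if hit:
                findings[path] = hit
    return findings


def self_check():
    """Constructed sanity check in a temp dir: no false hits on benign files,
    and a hit is reported when a hash really is in the table."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "benign.txt"), "wb") as handle:
            handle.write(b"constructed benign content, not malware\n")
        with open(os.path.join(tmp, "probe.bin"), "wb") as handle:
            handle.write(b"abc")
        real = scan_directory(tmp)  # page IoCs: neither constructed file matches
        fake = scan_directory(tmp, {sha1_of_bytes(b"abc"): "constructed test entry"})
        return real, fake


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, detection in scan_directory(target).items():
        print(f"{path}: {detection}")
```

The page's own caveat applies: with new builds of the main components appearing roughly every 15 minutes, a hash sweep only catches samples identical to the ones listed, so the C&C addresses and the behaviours described earlier (browser injection on the listed banking domains, a non-stock RDP service, TOR traffic) are the longer-lived indicators.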
Author: weber
Publication date: 25-09-2018, 22:14
Category: Administration / Antivirus protection