Last May, security specialists at Proofpoint identified a spam email campaign that was sharing a new banking Trojan titled DanaBot. At first it was thought that a single threat actor was using the DanaBot Trojan to target groups in Australia to obtain online banking details.

That campaign has persisted, but in addition, campaigns have been noticed in Europe targeting customers of banks in Italy, Germany, Poland, Austria, and the UK. Then last month a further DanaBot Trojan campaign was carried out targeting U.S. banks.

The DanaBot Trojan is a modular malware programmed in Delphi that can install additional components to add various different functions.

The malware can capture screenshots, obtain form data, and record keystrokes in order to obtain banking credentials. That data is sent back to the attackers’ C2 server and is then used to steal money from corporate bank accounts.

A review of the malware and the geographical campaigns shows alternative IDs are used in the C2 communication headers. This strongly suggests that the attacks in each region are being carried out by different individuals and that the DanaBot Trojan is being provided as malware-as-a-service. Each threat actor is charged with running campaigns in a specific country or set of countries. Australia is the only country where there are two affiliates conducting campaigns. Overall, there appears to currently be nine hackers running distribution campaigns.

The country-specific campaigns are using a variety of tools to distribute the malicious payload, which include the new Fallout exploit kit, web injects, and spam email. The latter is being used to share the Trojan in the United States.

The U.S. campaign sends a fax notice lure with the emails seeming to come from the eFax service. The messages look authentic and are complete with appropriate formatting and logos. The emails include a button that must be clicked to download the 3-page fax message.

Clicking on the button will install a Word document with a malicious macro which, if permitted to run, will initiate a PowerShell script that downloads the Hancitor downloader. Hancitor will then install the Pony stealer and the DanaBot Trojan.

Proofpoint’s review of the malware revealed similarities with the ransomware groups Reveton and CryptXXX, which suggests that DanaBot has been developed by the same group to blame for both of those ransomware threats.

The U.S. DanaBot campaign is focused on customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase.  It is probable that the campaigns will spread to other countries as more threat actors begin to use the malware.

Stopping attacks requires detailed defense against each of the attack vectors. An advanced spam filter is necessary to block malspam. Subscribers to Office 365 should increase protection with a third-party spam filter such as SpamTitan to supply better protection against this threat. To stop web-based attacks, a web filtering solution should be implemented. WebTitan can block efforts by end users to visit websites known to include exploit kits and IPs that have previously been used for malicious aims.

End users should also advised to never open email attachments or visit hyperlinks in emails from unknown senders, or to enable macros on documents unless they are 100% certain that the files are authentic. Companies in the United States should also think about warning their employees about fake eFax emails to increase awareness of the threat.