In May, security experts at Proofpoint noticed a spam email campaign that was sharing a new banking Trojan named DanaBot. At the time it was believed to be a single threat actor was using the DanaBot Trojan to target groups in Australia to obtain online banking details.

That campaign is still ongoing, but in addition, campaigns have been identified in Europe attacking customers of banks in Italy, Germany, Poland, Austria, and the UK. Then in late September, a further DanaBot Trojan campaign was carried out targeting U.S. banks.

The DanaBot Trojan is a modular malware coded in Delphi that can install additional components to add various different functions.

The malware is can capture screenshots, stealing form data, and logging keystrokes in order to obtain banking details. That data is sent back to the hackers’ C2 server and is subsequently used to steal money from corporate bank accounts.

A review of the malware and the geographical campaigns shows different IDs are used in the C2 communication headers. This strongly implies that the campaigns in each region are being carried out by different individuals and that the DanaBot Trojan is being provided as malware-as-a-service. Each threat actor is to blame for running campaigns in a specific country or set of countries. Australia is the only country where there are two affiliates operating campaigns. Overall, there appears to currently be 9 individuals running distribution campaigns.

The country-specific campaigns are employing different methods to share the malicious payload, including the new Fallout exploit kit, web injects, and spam email. The latter of which is being used to distribute the Trojan in the United States.

The U.S. campaign uses a fax notice lure with the emails seeming to come from the eFax service. The messages look professional and include all the appropriate formatting and logos. The emails contain a button that must be clicked to download the 3-page fax message to the device.

Clicking on the button will install a Word document with a malicious macro which, if allowed to operate, will initiate a PowerShell script that downloads the Hancitor downloader. Hancitor will then download the Pony stealer and the DanaBot Trojan.

Proofpoint’s investigation into the malware revealed similarities with the ransomware groups Reveton and CryptXXX, which suggests that DanaBot has been created by the same group responsible for both of those ransomware threats.

The U.S. DanaBot campaign is attacking customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase.  It is probably that the campaigns will spread to other countries as more threat actors are signed up to use the malware.

Stopping attacks requires defense in depth against all attack vectors. An advanced spam filter is needed to block malspam. Users of Office 365 should enhance protection with a third-party spam filter such as SpamTitan to provide better security against this threat. To prevent web-based attacks, a web filtering solution should be implemented. WebTitan can block efforts by end users to visit websites known to include exploit kits and IPs that have previously been used for malicious reasons.

End users should also advised never to open email attachments or click on hyperlinks in emails from unknown senders, or to allow macros on documents unless they are 100% certain that the files are authentic. Companies in the United States should also think about warning their employees about fake eFax emails to raise awareness of the danger.