The DanaBot banking Trojan is on the move and has traveled across the sea in a pivot from its original focus on Australia to strike European targets.
Now, the malware has evolved and has become more than a single-source piece of malware to what
Webroot calls a "very profitable modular crimeware project."
DanaBot, written in Delphi, was first found as a payload in phishing emails circulating in Australia. The messages used subjects lines including E-Tolls and invoices in an attempt to coerce victims into downloading a malicious Microsoft Word attachment containing a macro that deployed DanaBot via PowerShell.
The malware contains a range of standard banking Trojan functions. A downloader component launches a DLL which pulls additional modules including a bank website injector, information stealer, and a list of target websites on to a victim's computer.
DanaBot is able to manipulate browser sessions and redirect visits to financial services websites in order to steal any credentials submitted; screenshot desktops, and is also able to transfer stolen data to the malware's command-and-control (C2) server.
www.zdnet.com
