DanaBot evolves beyond banking Trojan with new spam-sending capability

silversurfer

ESET research shows that DanaBot operators have been expanding the malware’s scope and possibly cooperating with another criminal group

DanaBot appears to have outgrown the banking Trojan category. According to our research, its operators have recently been experimenting with cunning email-address-harvesting and spam-sending features, capable of misusing webmail accounts of existing victims for further malware distribution.

Besides the new features, we found indicators that DanaBot operators have been cooperating with the criminals behind GootKit, another advanced Trojan – behavior atypical of the otherwise independently operating groups.

Sending spam from victims’ mailboxes

The previously unreported features caught our attention when analyzing the webinjects used to target users of several Italian webmail services as part of DanaBot’s expansion in Europe in September 2018.

According to our research, the JavaScript injected into the targeted webmail services’ pages can be broken down into two main features:

  1. DanaBot harvests email addresses from existing victims’ mailboxes. This is achieved by injecting a malicious script into the targeted webmail services’ webpages once a victim logs in, processing the victim’s emails and sending all email addresses it finds to a C&C server.

  2. If the targeted webmail service is based on the Open-Xchange suite – for example the popular Italian webmail service libero.it – DanaBot also injects a script that has the ability to use the victim’s mailbox to covertly send spam to the harvested email addresses.

The malicious emails are sent as replies to actual emails found in the compromised mailboxes, making it seem as if the mailbox owners themselves are sending them. Further, malicious emails sent from accounts configured to send signed messages will have valid digital signatures.

Interestingly, it seems that attackers are particularly interested in email addresses containing the substring “pec”, which is found in Italy-specific “certified electronic mail” addresses. This may indicate that DanaBot authors are focused on targeting corporate and public administration emails that are the most likely to use this certification service.

The emails include ZIP attachments, pre-downloaded from the attacker’s server, containing a decoy PDF file and a malicious VBS file. Executing the VBS file leads to downloading further malware using a PowerShell command.
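A defender-side illustration, added here and not part of the ESET write-up or the post above: a small Python check over constructed outbound-mail gateway records that flags webmail accounts whose replies carry a PDF-plus-VBS ZIP to several distinct recipients within a short window, and counts how many of those recipients are "pec" addresses for triage. The record layout, thresholds and all addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-mail events (not real data). "zip_members" lists the
# file names inside the attached archive, as a gateway that inspects archives
# would report them; "in_reply_to" is None for messages that are not replies.
EVENTS = [
    {"ts": "2018-09-20T09:00:05", "sender": "mario@example.it", "in_reply_to": "<a1@example.org>",
     "rcpt": "ufficio@example.pec.it", "zip_members": ["fattura.pdf", "fattura.vbs"]},
    {"ts": "2018-09-20T09:01:10", "sender": "mario@example.it", "in_reply_to": "<a2@example.org>",
     "rcpt": "anna@example.com", "zip_members": ["fattura.pdf", "fattura.vbs"]},
    {"ts": "2018-09-20T09:02:40", "sender": "mario@example.it", "in_reply_to": "<a3@example.org>",
     "rcpt": "protocollo@comune-example.pec.it", "zip_members": ["fattura.pdf", "fattura.vbs"]},
    {"ts": "2018-09-20T09:03:00", "sender": "mario@example.it", "in_reply_to": "<a4@example.org>",
     "rcpt": "ufficio@example.pec.it", "zip_members": ["fattura.pdf", "fattura.vbs"]},
    # Benign traffic: a reply with only a PDF, a non-reply with no archive,
    # and a single lure-like message that stays below the recipient threshold.
    {"ts": "2018-09-20T09:05:00", "sender": "lucia@example.it", "in_reply_to": "<b1@example.org>",
     "rcpt": "bob@example.com", "zip_members": ["report.pdf"]},
    {"ts": "2018-09-20T09:06:00", "sender": "lucia@example.it", "in_reply_to": None,
     "rcpt": "carl@example.com", "zip_members": []},
    {"ts": "2018-09-20T09:07:00", "sender": "paolo@example.it", "in_reply_to": "<c1@example.org>",
     "rcpt": "x@example.com", "zip_members": ["doc.pdf", "doc.vbs"]},
]


def lure_archive(members):
    """True when the archive pairs a decoy PDF with a VBS script, the combination described above."""
    exts = {m.rsplit(".", 1)[-1].lower() for m in members if "." in m}
    return "vbs" in exts and "pdf" in exts


def flag_senders(events, window=timedelta(minutes=10), min_rcpts=3):
    """Return {sender: {"recipients": n, "pec": m}} for accounts that sent
    lure-bearing replies to at least min_rcpts distinct addresses within window."""
    by_sender = defaultdict(list)
    for e in events:
        if e["in_reply_to"] and lure_archive(e["zip_members"]):
            by_sender[e["sender"]].append(e)
    findings = {}
    for sender, msgs in by_sender.items():
        msgs.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"]) for e in msgs]
        for t0 in times:  # sliding window anchored at each message
            rcpts = {e["rcpt"] for e, t in zip(msgs, times) if t0 <= t <= t0 + window}
            if len(rcpts) >= min_rcpts:
                # "pec" substring mirrors the targeting heuristic noted in the research
                findings[sender] = {"recipients": len(rcpts),
                                    "pec": sum("pec" in r.lower() for r in rcpts)}
                break
    return findings
```

Running `flag_senders(EVENTS)` on the constructed data flags only `mario@example.it`, with three distinct recipients of which two are PEC addresses.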