DanaBot Trojan: Another Banking Malware

DanaBot Trojan: Another Banking Malware

After already having wreaked tremendous havoc in regions of Australia and Europe the DanaBot Trojan has further spread its tentacles across the banks of the United States.

According to the new developments in the field, it was found out that, initially this banking Trojan was restricted to only a few parts of the world. The modular Trojan which is written in Delphi tries to harvest the account information and credentials from the online banking sites.

It completes its task with the help of various means and ways including clicking screenshots automatically while the screen is active and logging keystrokes on the device. The harvested data is amalgamated and sent to get further accessed, to the central server which acts as a controlling and command center.

A solo group was in charge of the DanaBot when it was unveiled for the first time, the major preys being Australian banks. With the passage of time, more players entered the game of the Trojan attacks. In fact, the latest campaigns are being released lately using different IDs.

As word from the sources has it, possibly, DanaBot is marketed as a fraction of a bigger system, so as to invite people to either rent the malicious Trojan from the developer or to share profits.

A campaign which was identified by one of the sources was spreading in the North American territory through something that’s called a “Malspasm”. The malspasm replicates the functioning of a digital fax from an organization named “eFax” stating that the receiver must click on it download them it up.

 Once downloaded, a malicious word document opens up prompting the users to press the button with “Enable Content” mentioned on it. The click would lead to the starting up of the word macros and an instant installment and download of Hancitor on the target’s device.  Hancitor would further download DanaBot and other malware, on the computer.

Security researchers in the west say that TD Bank, J P Morgan Chase and Bank of America, to name a few are the banks that have been the primary sufferers of this severe DanaBot attack.

As of now, there are nine separate distributors of the aforementioned Trojan. These 9 players could be identified via their “affiliate IDs”.

 Most of the times, a single distributor dispenses the malware to a specific area. Australia had been the target of two distinct affiliate IDs with each one of them following their own atypical ways, encompassing, namely, installations via Hancitor malware, web injections and etc.

DanaBot has behaved quite analogical with relation to its commands and control servers to another ransom-ware which is quite well-known. This is giving rise to suspicious statements which are stating DanaBot to be a next-generation ransom-ware.

In a statement, one of the sources insinuated that this latest banking Trojan is quite set on binging on juicy bank details of users and reportedly is even an evolved version of CryptXXX which is an infamous malicious ransom-ware.


Leave a Reply