DanaBot Trojan Expands Beyond Banking

DanaBot Trojan Expands Beyond Banking

Banking Trojan DanaBot has reportedly resurfaced with some new tricks. According to malware analysts at ESET, the Trojan has evolved beyond banking and is now being used to send spam directly to a victim’s inbox.

Researchers found that by injecting JavaScript code into specific pages of web-based email services, the malware sends malicious email responses to actual messages in the victim’s inbox. Additionally, the decoy PDF attached to these emails contains a malicious VBS file.

“Its operators have recently been experimenting with cunning email-address-harvesting and spam-sending features, capable of misusing webmail accounts of existing victims for further malware distribution,” ESET wrote.

In large part, the attacks have been targeting victims whose emails contain the substring “pec,” found in Italy-specific “certified electronic mail” addresses, according to ESET. Roundcube, Horde and Open-Xchange, as well as mail.yahoo.com, mail.google.com, mail.one.com and outlook.live.com, are included among the list of targeted email servers.

"Previously the DanaBot focused on mainly harvesting banking credentials by a similar means to the new threat, essentially by compromising the Bank’s Web Portal,” said Will LaSala, director, security solutions and security evangelist at OneSpan. “It would steal usernames and passwords. The new functionality seems as if they are focusing on just harvesting email addresses, from all sorts of different companies. The change in direction of the DanaBot shows that attacks that what started in banking is moving beyond banking."

Other high-profile attacks have been efforts to steal private information that can then be sold on the black market. "This private information is valuable," said LaSala, "because it helps criminals open new accounts and appear legitimate. The more private information that is stolen, the more difficult it will be for organizations to protect themselves from fraudulent accounts. Changes like those to well known malware showcase the fact that all forms of internet communication need to be protected and companies should be vigilant in patching security holes as soon as they can."

Source: Information Security Magazine