ESET research shows that DanaBot operators have been expanding the malware’s scope and possibly cooperating with another criminal group.
DanaBot appears to have outgrown the banking Trojan category. According to our research, its operators have recently been experimenting with cunning email-address-harvesting and spam-sending features, capable of misusing webmail accounts of existing victims for further malware distribution.
Besides the new features, we found indicators that DanaBot operators have been cooperating with the criminals behind GootKit, another advanced Trojan – behavior atypical of the otherwise independently operating groups.
Sending spam from victims’ mailboxes
The previously unreported features caught our attention when analyzing the webinjects used to target users of several Italian webmail services as part of DanaBot’s expansion in Europe in September 2018.

According to our research, the JavaScript injected into the targeted webmail services’ pages can be broken down into two main features:
1. DanaBot harvests email addresses from existing victims’ mailboxes. This is achieved by injecting a malicious script into the targeted webmail services’ webpages once a victim logs in, processing the victim’s emails and sending all email addresses it finds to a C&C server.
2. If the targeted webmail service is based on the Open-Xchange suite – for example the popular Italian webmail service libero.it – DanaBot also injects a script that has the ability to use the victim’s mailbox to covertly send spam to the harvested email addresses.
The malicious emails are sent as replies to actual emails found in the compromised mailboxes, making it seem as if the mailbox owners themselves are sending them. Further, malicious emails sent from accounts configured to send signed messages will have valid digital signatures.
Interestingly, it seems that the attackers are particularly interested in email addresses containing the substring “pec”, which is found in Italy-specific “certified electronic mail” addresses. This may indicate that DanaBot authors are focused on targeting corporate and public administration emails, which are the most likely to use this certification service.
The emails include ZIP attachments, pre-downloaded from the attacker’s server, containing a decoy PDF file and a malicious VBS file. Executing the VBS file leads to downloading further malware using a PowerShell command.
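The spam described above has a recognizable shape from a mail gateway’s point of view: a reply to a real thread, carrying a ZIP archive that bundles a decoy PDF with a VBS script, often addressed to a “pec” mailbox. The following is an added detection example, written for this summary and not code from ESET or from the DanaBot analysis; it builds a constructed sample message in memory (the archive contains placeholder bytes, not malware) and scores it on those three traits. The header names and the set of script extensions it flags are assumptions of the example; the page itself only mentions VBS.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions treated as executable scripts inside an archive. VBS is the one
# named in the report; the others are an assumption of this example.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def script_members(zip_bytes):
    """Return archive member names that end in a script extension.

    Raises zipfile.BadZipFile if the payload is not a valid ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [name for name in archive.namelist()
                if name.lower().endswith(SCRIPT_EXTENSIONS)]


def assess_message(raw_message):
    """Return a list of finding tags for one RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []

    # Trait 1: the mail is a reply to an existing thread.
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))

    # Trait 2: at least one recipient is a certified ("pec") mailbox.
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    if any("pec" in str(addr).lower() for addr in recipients):
        findings.append("pec-recipient")

    # Trait 3: a ZIP attachment that contains a script file.
    archive_with_script = False
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if not filename.endswith(".zip"):
            continue
        try:
            scripts = script_members(part.get_payload(decode=True))
        except zipfile.BadZipFile:
            findings.append(f"malformed-zip:{filename}")
            continue
        if scripts:
            archive_with_script = True
            findings.append(f"zip-with-script:{filename}:{','.join(scripts)}")

    # Only the combination of reply context and script archive gets the
    # high-confidence tag; a lone ZIP attachment is too common to block on.
    if is_reply and archive_with_script:
        findings.append("reply-with-script-archive")
    return findings


def _build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


def build_sample_message():
    """Constructed message mimicking the reported pattern (placeholder content)."""
    payload = _build_zip({
        "fattura.pdf": b"%PDF-1.4 decoy placeholder",
        "fattura.vbs": b"' constructed placeholder, not a real script\n",
    })
    msg = EmailMessage()
    msg["From"] = "victim@example.com"
    msg["To"] = "ufficio@pec.example.com"
    msg["Subject"] = "Re: fattura"
    msg["In-Reply-To"] = "<original-thread@example.com>"
    msg.set_content("Si allega il documento.")
    msg.add_attachment(payload, maintype="application", subtype="zip",
                       filename="documento.zip")
    return msg.as_bytes()


def build_benign_message():
    """Constructed ordinary reply with a PDF-only archive, for contrast."""
    payload = _build_zip({"report.pdf": b"%PDF-1.4 placeholder"})
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Re: report"
    msg["In-Reply-To"] = "<thread@example.com>"
    msg.set_content("Attached as discussed.")
    msg.add_attachment(payload, maintype="application", subtype="zip",
                       filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print("sample:", assess_message(build_sample_message()))
    print("benign:", assess_message(build_benign_message()))
```

The combined tag is the one worth alerting on; `pec-recipient` alone is normal traffic for any Italian organization, and it is listed only to let an analyst see why a message scored the way it did. Because the report notes that these messages carry valid DKIM or S/MIME signatures when the victim’s account is configured for signing, signature validity must not be used to whitelist them.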
Complete article on:
https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29