Danabot is a banking trojan that was first seen in early May of this year. Written in Delphi, it was initially seen targeting banks in Australia. Danabot steals banking credentials through a keylogger, screenshot capture, and harvesting of data stored on the infected machine; the stolen data is then sent to the attacker's C&C server for the attacker to retrieve. After targeting Australia, the trojan has recently shifted to U.S. banks.

The campaign is spread via malspam that masquerades as digital fax notifications from eFax. The email claims that the victim has received a fax and asks the victim to download it. If the victim clicks the download button, a malicious Word document is downloaded. When the document is opened, it asks the victim to click the "Enable Content" button in order to view it. If the victim does so, the document's macros fire and download and install Hancitor on the machine. Hancitor is a downloader whose primary purpose is to get additional malware onto the victim's machine; once it is installed, it downloads Danabot along with additional malware. Nothing in this chain executes until the user enables macros, so blocking macros in documents received from the internet breaks the infection at that step.

At the time of writing this article, the North American Danabot campaign is targeting Bank of America, JP Morgan Chase, Royal Bank, TD Bank, and Wells Fargo.
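The following is an added triage example, not code from the article or from Binary Defense, that turns the two observable steps of the chain described above into checks: a mail-log heuristic for the eFax lure (a "fax received" message whose sender or download link is not on the real eFax domain and whose link fetches a Word document), and a container check that tells whether a downloaded OOXML Word file actually carries a VBA project before anyone considers clicking "Enable Content". The sample messages, the document stand-ins, and the assumption that efax.com is the brand's legitimate domain are all constructed for the example; legacy binary .doc files are OLE2 rather than zip and need a tool such as oletools instead of this zip check.

```python
"""Triage heuristics for an eFax-themed malspam lure delivering a
macro-laden Word document (added example, not the article's own code)."""
import io
import re
import zipfile
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: efax.com is the brand's real domain. Anything that claims
# the eFax brand while sending from or linking to another domain is treated
# as a lure candidate.
LEGIT_DOMAINS = {"efax.com", "mail.efax.com"}
OFFICE_EXTS = (".doc", ".docm", ".dot", ".dotm", ".rtf")


@dataclass
class Email:
    sender: str
    subject: str
    links: list = field(default_factory=list)


def triage_email(msg: Email) -> list:
    """Return the reasons a message matches the eFax-lure pattern ([] if none)."""
    reasons = []
    text = f"{msg.sender} {msg.subject}".lower()
    if "fax" not in text:          # not a fax-themed message at all
        return reasons
    m = re.search(r"@([\w.-]+)", msg.sender)
    sender_domain = m.group(1).lower() if m else ""
    if sender_domain not in LEGIT_DOMAINS:
        reasons.append(f"fax lure from non-eFax sender domain: {sender_domain}")
    for url in msg.links:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host not in LEGIT_DOMAINS:
            reasons.append(f"download link is off-brand: {host}")
        if parsed.path.lower().endswith(OFFICE_EXTS):
            reasons.append(f"link fetches a Word document: {parsed.path}")
    return reasons


def has_vba_project(doc_bytes: bytes) -> bool:
    """OOXML check: Word stores a document's VBA project as word/vbaProject.bin
    inside the zip container. Returns False for non-zip input (e.g. OLE2 .doc)."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed stand-in for a downloaded document; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin is an OLE2 stream; the header bytes suffice here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


# Constructed sample messages, not real campaign emails.
SAMPLE_EMAILS = [
    Email("eFax <fax@efax.com>", "You have a new fax", ["https://efax.com/inbox"]),
    Email("eFax Service <no-reply@efax-delivery.example>",
          "New fax received: 2 pages", ["http://files.example/fax_00431.doc"]),
    Email("hr@corp.example", "Lunch on Friday", ["https://corp.example/menu"]),
]


def triage_all(emails=SAMPLE_EMAILS) -> dict:
    """Map each subject to its lure reasons; only the spoofed message is flagged."""
    return {e.subject: triage_email(e) for e in emails}


if __name__ == "__main__":
    for subject, reasons in triage_all().items():
        print(subject, "->", reasons or "clean")
    print("macro in sample:", has_vba_project(build_sample_doc(True)))
```

In practice the email heuristic runs over mail-gateway logs and the macro check runs on the fetched attachment in a sandbox; together they catch the lure at the two points where the page's chain depends on user action (clicking the download link, then enabling content).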
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense