Danabot's Travels, A Global Perspective
(Dec 19, 2018)
The "Danabot" banking trojan has undergone consistent growth throughout 2018 since its discovery in May of this year, according to Arbor Networks researchers. Danabot is predominantly distributed via malspam. The malware is described as a modular banking trojan that is capable of stealing financial credentials, primarily through web-injection attacks that utilize multiple Dynamic Link Libraries (DLLs). In addition, Danabot has remote access features via Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) that allow threat actors to conduct further malicious activity on an infected machine. Researchers note that Danabot is approaching the sophistication level of notorious banking trojans such as Dridex and Trickbot, owing to the dynamic and active development of the malware by various actors.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Furthermore, ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. That baseline makes it easier to spot unusual traffic and connections to and from your network, and so to identify potentially malicious activity.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.