DanaBot Trojan

Threat type: Banking Trojan
DanaBot is a banking trojan first observed in May 2018. Threat actors take advantage of its extensive anti-analysis features and have targeted organizations in the United States, Poland, Italy, Germany, Austria and Australia.

The trojan is distributed via a malspam campaign consisting of hundreds of thousands of email messages. Each email contains a URL that downloads a document with malicious macros; the macros run the embedded Hancitor downloader, which then fetches DanaBot as a follow-on payload. DanaBot is modular, and the modules it can run on an infected system include a proxy, an information stealer, an RDP (Remote Desktop Protocol) module, a Tor proxy, and a VNC module.
How Umbrella blocks the DanaBot Trojan
Umbrella blocks the domains tied to the malicious files as well as the IP addresses associated with command-and-control callbacks. Umbrella also uses AV engines and Cisco Advanced Malware Protection (AMP) to block malicious files before they are downloaded. AMP detects DanaBot as Win.Dropper.Banload, and Umbrella proactively blocks the threat.

IOCs (Indicators of Compromise)
158.255.215[.]31, 149.154.152[.]64, 37.235.53[.]232, 95.179.151[.]252, 178.209.51[.]227, 149.154.157[.]220, 45.77.54[.]180, 45.77.96[.]198, 45.77.51[.]69, 45.77.231[.]138, cropfoods[.]com, diadelosmuertos[.]rocks, healthemade[.]com, hinsurefling[.]ru, incasekits[.]com, incasesafety[.]com, justcleanfood[.]com, mmacontender[.]com, neighbor-made[.]com, neighbormadefarm[.]com, nuts4salad[.]com, oneningsitar[.]com, otelvictoria[.]ru, thevermontbakingcompany[.]com, uniimtech[.]ru, uzri[.]net, vermontpancake[.]com, witoftrinreb[.]ru
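The IOCs above are defanged with "[.]" so they cannot be clicked or resolved by accident; before they can drive the kind of domain and IP blocking described in the "How Umbrella blocks" section they have to be refanged, validated and matched on label boundaries (so a lookup for cdn.uzri.net counts, but uzri.net.lookalike.test does not). The script below is an added example, not code from Cisco or from the Umbrella product: it parses the page's IOC list, then sweeps a constructed DNS log in an assumed timestamp,client_ip,query_name,rcode,answer_ip format and reports every query that hit an IOC domain or resolved to an IOC address. The log lines, their format and all function names are assumptions for the example.

```python
"""Refang the DanaBot IOC list and sweep DNS logs against it.

Added example, not part of the Cisco Umbrella page. The log format
(timestamp,client_ip,query_name,rcode,answer_ip) and the sample lines
are constructed for this example.
"""
import ipaddress
import re

# IOCs exactly as the page lists them, defanged with "[.]".
DEFANGED_IOCS = (
    "158.255.215[.]31, 149.154.152[.]64, 37.235.53[.]232, 95.179.151[.]252, "
    "178.209.51[.]227, 149.154.157[.]220, 45.77.54[.]180, 45.77.96[.]198, "
    "45.77.51[.]69, 45.77.231[.]138, cropfoods[.]com, diadelosmuertos[.]rocks, "
    "healthemade[.]com, hinsurefling[.]ru, incasekits[.]com, incasesafety[.]com, "
    "justcleanfood[.]com, mmacontender[.]com, neighbor-made[.]com, "
    "neighbormadefarm[.]com, nuts4salad[.]com, oneningsitar[.]com, "
    "otelvictoria[.]ru, thevermontbakingcompany[.]com, uniimtech[.]ru, "
    "uzri[.]net, vermontpancake[.]com, witoftrinreb[.]ru"
)

# Hostname label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$", re.IGNORECASE)


def refang(ioc):
    """Undo the "[.]" defanging convention used in the IOC list."""
    return ioc.strip().replace("[.]", ".")


def parse_iocs(text):
    """Split a comma-separated defanged list into (ip_set, domain_set).

    A token that is neither a valid IP address nor a valid hostname raises,
    so a typo in a blocklist fails loudly instead of silently never matching.
    """
    ips, domains = set(), set()
    for token in text.split(","):
        value = refang(token)
        if not value:
            continue
        try:
            ips.add(str(ipaddress.ip_address(value)))
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(value):
            domains.add(value.lower())
        else:
            raise ValueError(f"unrecognised IOC: {value!r}")
    return ips, domains


def domain_matches(qname, domains):
    """True if qname is an IOC domain or a subdomain of one.

    Matching is on label boundaries: "cdn.uzri.net" matches "uzri.net",
    but "uzri.net.lookalike.test" does not.
    """
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_dns_log(lines, ips, domains):
    """Return [(client_ip, query_name, reasons)] for lines touching an IOC.

    Assumed line format: timestamp,client_ip,query_name,rcode,answer_ip
    """
    hits = []
    for line in lines:
        _ts, client, qname, _rcode, answer = line.strip().split(",")
        reasons = []
        if domain_matches(qname, domains):
            reasons.append("domain")
        if answer in ips:
            reasons.append("resolved-ip")
        if reasons:
            hits.append((client, qname, tuple(reasons)))
    return hits


# Constructed sample log: a benign lookup, two DanaBot lookups, a lookalike
# that must NOT match, and a case where only the answer address is bad.
SAMPLE_DNS_LOG = [
    "2018-05-10T12:00:01Z,10.0.0.5,www.example.com,NOERROR,93.184.216.34",
    "2018-05-10T12:00:03Z,10.0.0.7,cdn.uzri.net,NOERROR,45.77.51.69",
    "2018-05-10T12:00:08Z,10.0.0.5,cropfoods.com,NOERROR,178.209.51.227",
    "2018-05-10T12:00:10Z,10.0.0.11,uzri.net.lookalike.test,NOERROR,198.51.100.7",
    "2018-05-10T12:00:12Z,10.0.0.12,safe.example.org,NOERROR,149.154.152.64",
]

if __name__ == "__main__":
    ioc_ips, ioc_domains = parse_iocs(DEFANGED_IOCS)
    print(f"{len(ioc_ips)} IPs, {len(ioc_domains)} domains loaded")
    for client, qname, reasons in scan_dns_log(SAMPLE_DNS_LOG, ioc_ips, ioc_domains):
        print(f"{client} -> {qname}  [{', '.join(reasons)}]")
```

The suffix check in domain_matches is the part worth copying: a plain substring test would flag the lookalike and would also miss nothing, but it produces false positives that waste analyst time, while an exact-match test would miss the subdomain that the real campaign infrastructure is likely to use. Checking the answer address separately catches a callback to a listed IP even when the queried name is not on the list.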

How it works