Persuading Phishing Campaign Targets Australian Companies and Spreads DanaBot Trojan

 

A new phishing campaign has been identified that is dispersing the DanaBot Trojan. The campaign includes phishing electronic mails which seem to have invoices from the Australian international company MYOB – a supplier of tax and accounting facilities for small and medium-sized companies. The phishing campaign was identified by Trustwave scientists.

The phishing electronic mails are brief and well written and instruct the receiver of the invoice amount, the due date for payment, a request to get in touch if there are any queries regarding the invoice, and a link to see the invoice. The electronic mails appear professional and might easily pass for a sincere communication.

Although the link seems to connect to a website, they actually direct the electronic mail receiver to compromise Australian FTP sites where a zip file is transferred. The zip file has a JavaScript downloader which, if performed, introduces a PowerShell draft that downloads the DanaBot Trojan.

Trustwave said in a latest blog post (includes IoCs), “The structure supporting the malware is intended to be adaptable while the malware is intended to be linked with functionality spread across many parts that are heavily encoded.”

The DanaBot banking Trojan is composed in Delphi and is an information stealer, mainly used to thieve confidential information such as online banking identifications. The malware was first recognized in May 2018 and has earlier been used on other phishing campaigns aiming at Australian firms.

The DanaBot Trojan is persistent, linked, and can download more parts. The Proofpoint scientists who found the malware said it has “robust thieving and distant checking abilities.”

Although the electronic mails themselves might easily deceive a worker into clicking, the zip file should be extracted and manually operated for infection to happen. The zip file is a red flag which must be identified as possibly malevolent by a safety conscious worker. Even if the matters of the zip file are taken out, the unaccustomed JS file format must be identified as possibly malevolent and the danger must be informed to safety teams.

In order for that to occur workers must get training and be habituated into informing dangers. A one-click informing device, like an electronic mail add-on, lets workers swiftly and easily report electronic mails such as this to their safety teams, letting them take swift action to nullify the danger.