First detected in May 2018,[1] DanaBot is a banking trojan that has since shifted its targets from banks in Australia to banks in Europe, as well as global email providers such as Google, Microsoft and Yahoo for the holiday phishing season. Eighty-eight percent of DanaBot’s targets were banking customers, primarily in Italy, followed by Poland and Germany, according to an F5 SOC Research project for Websafe that analyzed active campaigns between November 7 and December 4, 2018.
DanaBot authors have been running four primary campaigns that target the following:
- The main campaign targeted multiple countries and industries, including banks, email providers, and a bitcoin exchange, primarily in Italy, followed by Poland, Germany, Austria, Switzerland, and the Netherlands.
- The second most active campaign targeted German banks.
- The third most active campaign targeted Polish banks.
- The fourth most active campaign targeted one Australian bank.
The main campaign, which targeted multiple industries and countries, appeared consistently during the month of November. The other dedicated campaigns ran in parallel but only on specific days rather than day after day. November 21, 2018 was the only day we saw all four campaigns active.
When looking at all targets by country across all campaigns, it’s clear that DanaBot authors are focused on Italian targets, followed by targets in Poland and Germany. The targets attributed to the US are large email service providers that are used globally.
Multiple Campaign Targets
The following banks were targeted in this campaign, organized by country. Note that some banks have a presence in many countries; however, attackers reveal their intended targets when specifying a country-specific banking URL.

| URL pattern | Country | Organization |
|---|---|---|
| https://nowbanking.credit-agricole.it/* | Italy | Credit Agricole Bank |
| https://nowbankingprivati.cariparma.it/* | Italy | Credit Agricole Bank |
| https://carigeonline.gruppocarige.it/wps8ib/myportal/* | Italy | Gruppo Carige Bank |
| https://www.gruppocarige.it/vbank/* | Italy | Gruppo Carige Bank |
| https://www.gruppocarige.it/wps/myportal/* | Italy | Gruppo Carige Bank |
| https://www.intesasanpaolo.com/ib/content/static/* | Italy | Intesa San Paolo Bank |
| https://www.intesasanpaoloprivatebanking.com/script/* | Italy | Intesa San Paolo Bank |
| https://login.bgzbnpparibas.pl/* | Poland | Bank BGZ BNP Paribas |
| https://plusbank24.pl/web-client/logi* | Poland | Plus 24 Bank |
The authors also targeted the following email services and platforms of major technology and entertainment providers across Europe and the US:
The following crypto-exchange out of the Netherlands was also targeted:
Germany Campaign Targets
The following businesses were targeted in the Germany campaign:
| URL pattern | Country | Organization |
|---|---|---|
| https://*comdirect.de/lp/wt/login* | Germany | Com Direct Bank |
Poland Campaign Targets
All of the identifiable targets in this campaign are banks.
| URL pattern | Country | Organization |
|---|---|---|
| https://plusbank24.pl/web-client/logi* | Poland | Plus Bank 24 |
Australian Campaign Targets
The Australian campaign targeted one bank over two URLs:
Note this example of a script used in both Tinba and Gozi in 2016. Both use the same element names and injection routine:
In the 2016 Gozi sample, the malware uses a placeholder, @ID@, probably for the BOT-ID, in the script element whose id is myjs3. DanaBot uses the actual BOT-ID in the script element whose id is myjs3.
As with all banking trojans, DanaBot actively updates its campaign targets to both avoid detection and maintain continual operations to optimize the attacker’s financial reward. We are not surprised to see a geographically diverse range of targets during the peak holiday phishing and fraud season. However, what is notable is the focus on European banks, most specifically the Italian banks.
While we do not know who is maintaining this malware, the threat actors are using the same injection patterns as those used by older, successful banking trojans like Gozi and Tinba. Given this progression, we wouldn’t be surprised if this malware continued its increased activity in 2019.
All organizations, especially the known targets identified in this article, should make their customers aware that they are being targeted through phishing and spam campaigns. The main purpose of these campaigns is to plant malware on customers’ machines that is designed to steal money from their bank accounts and gain access to their email.
To combat the impact of fraudulent transactions that result from malware-infected customer machines, organizations should implement fraud detection within their web platforms that can detect banking trojans and block the resulting fraudulent transactions. For more details on how to combat phishing attacks that lead to fraud, see F5 Labs’ 2018 Phishing and Fraud Report.
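One way a web platform could check a rendered page for the script element id described above (myjs3) and for scripts it did not serve, as part of the fraud detection recommended here. This is an added example, not code from the original article or from F5; the policy values, the bank.example origin, the function names and the sample input are assumptions constructed for illustration.

```javascript
// Element id this article reports in Gozi, Tinba and DanaBot webinjects.
const KNOWN_INJECT_IDS = new Set(["myjs3"]);

// Hypothetical site policy (assumption): what the site itself serves.
const POLICY = {
  allowedOrigins: new Set(["https://bank.example"]),
  allowedInlineIds: new Set(["app-bootstrap"]),
};

// Origin of an absolute script URL, or null if it does not parse.
function originOf(src) {
  try {
    return new URL(src).origin;
  } catch {
    return null;
  }
}

// `scripts` is any iterable of objects exposing .id and .src, which is the
// shape of document.scripts in a browser; plain objects work offline.
function auditScripts(scripts, policy = POLICY) {
  const findings = [];
  for (const s of scripts) {
    const id = s.id || "";
    const src = s.src || "";
    if (KNOWN_INJECT_IDS.has(id)) {
      // Checked first so the id is flagged even if src looks legitimate.
      findings.push({ id, src, reason: "known-webinject-id", severity: "high" });
    } else if (src && !policy.allowedOrigins.has(originOf(src))) {
      findings.push({ id, src, reason: "unexpected-origin", severity: "medium" });
    } else if (!src && !policy.allowedInlineIds.has(id)) {
      findings.push({ id, src, reason: "unexpected-inline-script", severity: "medium" });
    }
  }
  return findings;
}

// Constructed sample standing in for document.scripts on a login page.
const SAMPLE_SCRIPTS = [
  { id: "", src: "https://bank.example/static/app.js" }, // site's own bundle
  { id: "app-bootstrap", src: "" },                      // site's own inline script
  { id: "myjs3", src: "" },                              // id named in this article
  { id: "", src: "https://cdn.invalid/x.js" },           // origin not in policy
  { id: "", src: "" },                                   // anonymous inline script
];

// In a browser: auditScripts(document.scripts), then report findings server-side.
console.log(auditScripts(SAMPLE_SCRIPTS));
```

A check like this runs inside the page the trojan is modifying, so a clean result is weak evidence; findings are best sent to the server and correlated with transaction risk scoring.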