CB TAU Threat Intelligence Notification: Danabot Trojan Targets Financial Services Industry via Stolen Credentials
Danabot is a banking trojan written in Delphi. It is typically delivered via phishing emails carrying malicious attachments, which in turn download the main payload using PowerShell or VBScript. Danabot is modular and can perform web injection and man-in-the-browser attacks in order to steal sensitive banking credentials. The banking and financial services sectors are likely its prime targets.
Typical infection vectors are phishing and spear-phishing emails carrying malicious attachments that infect the system. Danabot makes use of common “living off the land” binaries (LOLBins) such as Regsvr32 and Rundll32 to execute on the host. It spawns multiple nested child Rundll32 processes in order to load its modules, which listen on a fixed TCP port, harvest credentials from LSASS, set browser proxy settings, and connect to remote C2 IP addresses. To maintain persistence, it writes a new service to the Windows Registry. The TTPs are shown below:
The full process diagram is shown below.
If you are a Carbon Black customer and looking for more information on how CB products defend against this attack, click here.
MITRE ATT&CK TIDs
| TID | Tactic | Technique |
|---|---|---|
| T1193 | Initial Access | Spearphishing Attachment |
| T1106 | Execution | Execution through API |
| T1158 | Persistence, Defense Evasion | Hidden Files and Directories |
| T1117 | Defense Evasion, Execution | Regsvr32 |
| T1085 | Defense Evasion, Execution | Rundll32 |
| T1050 | Persistence, Privilege Escalation | New Service |
| T1105 | Command and Control, Lateral Movement | Remote File Copy |
| T1185 | Collection | Man in the Browser |
| T1041 | Exfiltration | Exfiltration Over Command and Control Channel |
| T1043 | Command and Control | Commonly Used Port |
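As an added illustration (not Carbon Black's code nor anything from the Danabot sample), the Python below shows how the nested Rundll32 chain described above can be flagged in process-creation telemetry: it walks each leaf process's ancestry, counts consecutive Rundll32 parents, and reports chains that also pass through a script host or a LOLBin loader. The event tuples are constructed sample data, not real telemetry.

```python
"""Flag nested Rundll32 process chains (Danabot-style) in process-creation events."""

LOLBINS = {"rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events: (pid, parent_pid, image name). Not real telemetry.
EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "outlook.exe"),
    (300, 200, "winword.exe"),
    (400, 300, "powershell.exe"),   # attachment runs a PowerShell stager
    (500, 400, "regsvr32.exe"),     # LOLBin loads the payload
    (600, 500, "rundll32.exe"),
    (700, 600, "rundll32.exe"),     # nested Rundll32 children loading modules
    (800, 700, "rundll32.exe"),
    (900, 100, "rundll32.exe"),     # benign: explorer launching rundll32 once
]


def ancestry(by_pid, pid):
    """Return image names from pid up to the root, child first."""
    chain = []
    while pid in by_pid:
        ppid, image = by_pid[pid]
        chain.append(image.lower())
        pid = ppid
    return chain


def nested_rundll32_depth(chain):
    """Count consecutive rundll32.exe entries starting at the leaf."""
    depth = 0
    for image in chain:
        if image != "rundll32.exe":
            break
        depth += 1
    return depth


def find_suspicious(events, min_depth=2):
    """Return (leaf_pid, depth, root-to-leaf chain) for suspicious Rundll32 nests."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in events}
    parents = {ppid for _, ppid, _ in events}
    hits = []
    for pid, _, image in events:
        if image.lower() != "rundll32.exe" or pid in parents:
            continue  # evaluate only leaf rundll32 processes to avoid duplicates
        chain = ancestry(by_pid, pid)
        depth = nested_rundll32_depth(chain)
        loaders = chain[depth:]  # everything above the rundll32 nest
        scripted = any(img in SCRIPT_HOSTS or img in LOLBINS for img in loaders)
        if depth >= min_depth and scripted:
            hits.append((pid, depth, list(reversed(chain))))
    return hits
```

A single Rundll32 launched directly by explorer.exe (pid 900) is not reported, while the PowerShell-to-Regsvr32-to-triple-Rundll32 chain ending at pid 800 is.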
Indicators of Compromise (IOCs)