CB TAU Threat Intelligence Notification: Danabot Trojan Targets Financial Services Industry via Stolen Credentials

Summary

Danabot is a banking trojan written in the Delphi programming language. Delivery methods are typically via phishing emails that contain malicious attachments, which further call out to download the main payload using PowerShell or VBScript. Danabot is modular in nature and has capabilities to perform web injection and man-in-the-browser styles of attack, in order to steal sensitive credentials pertaining to banking credentials. The banking and financial services sectors are likely the prime targets for Danabot.

Behavioral Summary

Typical infection vectors include phishing and spear-phishing emails which may carry malicious email attachments to infect the system. Danabot makes use of common “living off the land” binaries (LOL-bins) to execute processes such as Regsvr32 and Rundll32 on the host system. It exhibits multiple nested child Rundll32 processes in order to load certain modules, such as listening on a fixed TCP port, harvesting credentials from LSASS, setting browser proxy settings, and connecting to remote C2 IP addresses. To maintain persistence, it writes a new service to the Windows Registry. TTP’s are shown below:

danabot inv.exe.png

Danabot inv.dll.png

danabot CBD.png

The full process diagram is shown below.

Danabot CbTH.png

If you are a Carbon Black customer and looking for more information on how CB products defend against this attack, click here.

Remediation:

MITRE ATT&CK TIDs

TID Tactic Description
T1193 Initial Access Spearphishing Attachment
T1106 Execution Execution through API
T1158 Persistence, Defense Evasion Hidden Files and Directories
T1117 Defense Evasion, Execution Regsvr32
T1085 Defense Evasion, Execution Rundll32
T1050 Persistence, Privilege Escalation New Service
T1057 Discovery Process Discovery
T1105 Command and Control, Lateral Movement Remote File Copy
T1185 Man in the Browser Collection
T1041 Exfiltration Over Command and Control Channel Exfiltration
T1043 Commonly Used Port Command and Control

Indicators of Compromise (IOCs)

Indicator Type Context
e0830e58a7f2fe46848fe

8493d3511f94d969fca8

deb5e089537839e4d752ad3

b31862f60c886dd5d8ff1b85cf79efc0

SHA256

MD5

Danabot

executable launcher

21.192.187.178 IP address C2
212.11.77.202 IP address C2
217.149.189.121 IP address C2
139.228.235.22 IP address C2
209.28.99.7 IP address C2
105.215.102.124 IP address C2
27.217.226.127 IP address C2
185.92.222.238 IP address C2
172.205.217.104 IP address C2
89.144.25.243 IP address C2

The post CB TAU Threat Intelligence Notification: Danabot Trojan Targets Financial Services Industry via Stolen Credentials appeared first on Carbon Black.

Leave a Reply

Your email address will not be published. Required fields are marked *