Financial

DanaBot banking trojan hits Germany again, with new targets

DanaBot is being used to hit German retail websites, including H&M, according to new research from Webroot.

August 14, 2019

A H&M storefront in Germany. (Getty Images)

DanaBot, a banking trojan that has targeted organizations in Australia, Europe, and North America, has expanded its targets in Germany as of this June in a new campaign, according to new research from Webroot.

While the trojan — which steals users’ banking credentials via malicious JavaScript injects — initially began targeting Australian banks in 2018, the targets identified in this new campaign are outside of the financial sector. Webroot Advanced Threat Research Analyst Jason Davison tells CyberScoop that the targets are a range of victims in retail, including the German websites for fashion brands H&M and Esprit, along with lodging rental platform Airbnb.

The campaign is primarily unleashed via spear phishing emails containing malicious links or files to download, Davison says.

“Once the loader module gets downloaded and is run, it sets up persistence (the ability to stay on a device through a reboot) on the victim’s machine and then will reach out to the command and control and then … complete the infection,” he said.

Although the infection vector is consistent with past DanaBot research, this German campaign’s targets are a marked departure from DanaBot’s typical usage. The motive remains unclear at this time.

It is unclear what group may be behind the latest attack — Proofpoint has previously assessed that DanaBot is likely sold as “malware as a service,” where one actor controls a command and control server and sells access to others. It is possible a new group has latched onto the trojan for new uses, Davison says.

Davison, too, has assessed that DanaBot operates as a “malware-as-a-service.”

The Webroot research finds that four command and control servers — in Australia, Germany, Switzerland, and The Netherlands — are constants across the DanaBot campaigns. The location of the servers, however, is likely not indicative of who the attackers are, Davison says.

There are “some kind of more persistent or mainstay command and control servers, ones that we see often in a lot of DanaBot configurations,” Davison said. “Reaching out to get these taken down is not very fruitful.”

Although this is the first time Webroot has identified a campaign using DanaBot in Germany, previous research from Proofpoint and ESET has identified similar campaigns in Germany. However, all of those victims were banking entities.

The research comes as banking trojans are becoming less common, according to Proofpoint. The company found that the majority of email-borne malware in the fourth quarter of last year was banking trojans, but they only made up 21% of payloads in the first quarter of this year.