Authors: Dr. Fahim Abbasi and Diana Lopera
We recently observed phishing emails targeting Australian customers with fake MYOB invoices. Instead of the usual HTTP links, these emails were ridden with FTP links pointing to compromised FTP servers. While most of the links to FTP sites are Australian domains, not all are. The FTP links were pointing to a zipped archive. This zipped archive contained a JavaScript that on execution downloads the DanaBot malware.
To make the phishing message visually appealing, the phishing email used the standard MYOB-like html invoice template as can be seen in Figure 1 and 2. The email body contained a short message requesting to pay the said amount before the due date and contained a "View Invoice" button to view the invoice. On clicking this "View Invoice" button a zip archive is pulled down from what we believe is a compromised FTP server of an Australian company. FTP credentials are supplied in the FTP link that is embedded in the "View Invoice" button.
A few such FTP links harvested from these emails are listed here. Note the credentials have been masked here:
The compromised FTP links point to a zipped archive (in this case 0987365299308858885968.zip), which gets downloaded onto the victim's computer upon clicking the invoice link. This zipped archive contains a JavaScript (JS) downloader. An abridged screenshot of the JS is shown in Figure 3. This JS requires the user to double-click to execute it. This launches a PowerShell command (see Figure 4) that would download the (DanaBot) malware binary "TempVBH56.exe", from the URL "hxxp://buy.biomixers[.]org/ZslSywnaWJ.php" and execute it silently on the system. The process tree is shown in Figure 5.
The DanaBot malware seems to be hosted on a domain that has been configured with round robin DNS and thus resolves to multiple IPs that are used to rotate and load balance the traffic and point them to the attacker controlled infrastructure. A screenshot of all the DNS A records for this domain are illustrated here:
DANABOT
DanaBot is a multi-component banking Trojan written in Delphi and has recently been involved in campaigns specifically targeting Australian users.
For this campaign, we have observed the malware is divided into 3 components:
o TempVBH56.exe (Sha256: 4afad293675bcb39ac2a85307f074cc06410a48f2e14585718193648806521c4)
o 091A4F71.dll (Sha256: f10a7b4d2beb20e9d7f3230e7662ead28b468e4554a7107c21e3b85e1c7a0f6a)
o 6AD4B832.dll (Sha256: 06a1a596f3dbc90da832cd2161848bc8f5c8106bc0f44d4f88d8f3ac3a68e51b)
The DanaBot dropper file "TempVBH56.exe", that was downloaded and executed by the PowerShell command discussed in the previous section deflates and drops a DLL file "091A4F71.dll" onto the disk and executes it and then deletes itself. We term this file ("091A4F71.dll") as the DanaBot downloader. The process tree is shown below in Figure 6.
The DanaBot downloader "091A4F71.dll" executes and downloads the DanaBot master DLL 6AD4B832.dll from the URL hxxp://207.148.86[.]218/index.php?m=T&a=6&b=32&d=A59615726C504BD47DB190BFECF1A981&g=F497D170&i=8192&u=1&v=610760110&x=0&t=32&e=4856B6847A1DC58800EF1CED6140F083 and saves it into a hidden folder in %programdata%.
The DanaBot master DLL then downloads an encrypted file (SHA256: 3bcb8c86f52f9594f5d94945b30d6d76d4ce2c91eb32df43f6ed4e6c8f576085) from the URL: hxxp://144.202.61.204/index.php?m=S&a=6&d=A59615726C504BD47DB190BFECF1A981&g=76941718&e=B06CC1724906F10E3530F5EC7B2B063D
The Master DLL then decrypts the file and splits it into two new files, the first file contains a sequence of configurations (abridged screenshots shown in Figure 7, 8, 9 and 10) %programdata%\6AD4B89A\8E7D750C (Sha256: f7c3de15cb5a75388163ef64143d4e3036a5f952b62fcf6c536beb5e0f5f8c5d), while the second file contains a sequence of modules %programdata%\6AD4B89A\96187C5A (Sha256: 8caf436413d8aaf693ea90ab7728d4dcf67ca9f221629c03356db72791f52252). The modules and configuration files extracted from these files are listed here:
Modules:
Configuration files:
The filenames of the DLLs extracted from the encrypted file reveal the true intention of the attackers. In essence, these DLLs enable the attacker to create and control a remote host via VNC, steal private and sensitive information and use covert channels via Tor.
Lastly, this bot has the capability to send the infected machine's system and desktop screenshot to the C&C as shown in Figure 11. All data used by this malware, whether in transit or on disk, was heavily encrypted. Detailed flow is shown in Figure 12.
Cybercriminals are targeting victims in Australian companies and infecting them with sophisticated multi-stage, multi-component and stealthy banking trojans like DanaBot to steal their private and sensitive information. In this campaign the attackers sent targeted phishing emails in the form of fake MYOB invoice messages with invoice links pointing to compromised FTP servers hosting the DanaBot malware. The infrastructure supporting the malware is designed to be flexible while the malware is designed to be modular with functionality spread across multiple components that are heavily encrypted.
IOCs
|
Filename |
Size |
Sha256 |
Codename |
Download URL |
|
tempvbh56.exe |
277504 bytes |
4AFAD293675BCB39AC2A85307F074CC0 |
Dropper |
hxxp://buy.biomixers.org/ZslSywnaWJ.php |
|
%programdata%\ |
79360 bytes |
F10A7B4D2BEB20E9D7F3230E7662EAD28B |
Downloader |
|
|
%programdata%\ |
1645072 bytes |
06A1A596F3DBC90DA832CD2161848BC |
Master DLL |
hxxp://207.148.86.218/index.php?m=T&a= |
|
<no name> |
1626256 bytes |
3BCB8C86F52F9594F5D94945B30D6D7 |
Downloaded encrypted file |
hxxp://144.202.61.204/index.php?m=S&a=6&d=A59615726C504BD47DB190BFECF1A981& |
|
%programdata%\ |
10112236 bytes |
8CAF436413D8AAF693EA90AB7728D4DC |
Encrypted module |
|
|
%programdata%\ |
15439 bytes |
F7C3DE15CB5A75388163EF64143D4E30 |
Encrypted configuration files |