The DanaBot banking Trojan is on the move and has traveled across the sea in a pivot from its original focus on Australia to strike European targets.
DanaBot was first discovered by Proofpoint researchers last year. The malware was observed striking Australian targets of financial value, but at the time, DanaBot appeared to come from only one threat actor source.
Now, the malware has evolved and has become more than a single-source piece of malware to what Webroot calls a “very profitable modular crimeware project.”
DanaBot, written in Delphi, was first found as a payload in phishing emails circulating in Australia. The messages used subjects lines including E-Tolls and invoices in an attempt to coerce victims into downloading a malicious Microsoft Word attachment containing a macro that deployed DanaBot via PowerShell.