The phishing emails masquerade as invoices in order to appear legitimate.
Researchers have warned enterprise players of a new digital threat: Danabot, malware at the heart of a new phishing campaign specifically targeting SMBs.
Enterprise players, from the largest and most well-known companies to SMBs, are under constant threat of cyberattack. The valuable corporate and customer data they act as wardens for, intellectual property and more can all be attractive lures to cybercriminals.
According to security researchers from TrustWave, DanaBot is a new phishing threat on the scene which appears to be specifically targeting small to medium enterprise players.
The majority of scammers and phishing campaigns follow a predictable pattern. Fraudulent emails are sent out, either en masse in the hopes of catching company employees unaware, or tailored emails are specifically sent to target particular members of a team, such as in HR, sales, or accounting.
The latter will often contain details, secured through social engineering, to appear legitimate and trustworthy.
In either form of campaign, these emails will often contain malicious executables, embedded malicious macros in Microsoft Word documents, or links which connect to fraudulent websites.
However, the new phishing threat is trying out something different.
Controlled by the Threat Actors
According to security researchers from Trustwave, spear phishing emails are being sent to Australian businesses which masquerade as fake invoices sent from MYOB, a mobile cash flow application.
The emails are filled with links that led to File Transfer Protocol (FTP) servers legitimately used to download and transfer files between systems. but in this case it was compromised and controlled by the threat actors.
The majority of the domains involved were Australian, but not all.
If an email recipient fell for the fraudulent message and visited the FTP server the links would point to a downloadable zipped archive.
Written in Delphi, DanaBot is modular malware which contains a dropper, downloader, and master .DLL. The dropper utilizes the downloader and drops a .DLL file — the master .DLL — before deleting itself.
The master .DLL downloads an encrypted file which splits into two upon execution and contains a set of configurations as well as a selection of malware modules.
The modules include a VNC remote controller, an information stealer designed to target private and sensitive information, a network sniffer and a Tor module. The latter is used to communicate covertly with the malware’s command-and-control (C&C) server.
In addition, DanaBot is able to launch web injections and monitor cryptocurrency-related activities.
Trustwave researchers say that once a machine is infected, screenshots may be taken and credentials stolen, both of which can give the malware’s operators the information they need to compromise online bank accounts.
Trustwave researchers commented that: “The infrastructure supporting the malware is designed to be flexible while the malware is designed to be modular with functionality spread across multiple components that are heavily encrypted.”
The use of FTP is an interesting twist in phishing campaigns and may have been chosen in response to many of us becoming savvier when it comes to common phishing methods.
It is not known how many businesses may have fallen prey to such tactics, but with 14.5 billion spam emails being sent on a daily basis, phishing campaigns are a problem which is unlikely to vanish any time soon.