Completely investigating the underlying server architecture and CNC structure of banking trojans such as DanaBot is an area of continuing research for the F5 malware team.

Conclusion

As with all banking trojans, DanaBot actively updates its tactics, techniques, and target list to both avoid detection and maintain continual operations to optimize the attacker’s financial reward. We are not surprised to see new tactics emerge in preparation for the peak (end-of-year) holiday phishing and fraud season. What is notable, along with these new tactics, is the shift in targets from solely financial institutions to ecommerce and streaming services.

While we do not know who is maintaining this malware, the malware has been linked to Gozi and Tinba in the past, which use the same injection patterns. In addition, DanaBot has been said to be a “Zeus-like” piece of malware. Given this progression and the successful tactics used, we predict that DanaBot will continue to be a major player in the banking trojan world for the rest of 2019 into 2020.

All organizations, especially the known targets identified in this article, should make their customers aware that they are being targeted. The main purpose of these campaigns is to plant malware on their machines that is designed to steal credit card information, money, and gain access to sensitive information that may be sent back to the malware authors and used for future exploitation.

To combat the impact of fraudulent transactions occurring as the result of malware-infected customer machines, organizations should implement fraud detections within their web platforms that can detect banking trojans and block resulting fraudulent transactions. For more details on how to combat phishing attacks that lead to fraud, see F5 Labs’ 2019 Phishing and Fraud Report.

Security Controls

Enterprises should consider implementing the following security controls based on their specific circumstances: