#privacy: DanaBot banking trojan is on the move

The banking trojan DanaBot has expanded its targets to Germany from Australia since June.

Webroot explains that DanaBot “works to gather sensitive banking information from unsuspecting users for fraud and other criminal activity.”

The malware had been first observed targeting Australia in its earlier campaigns, and it appeared that it only came from one threat actor. However since its creation, it has expanded its targets to include new regions. 

Danabot has targeted Australia, North America, and certain parts of Europe, and now there are reports of Danabot being found in Germany. 

In a report it explained that DanaBot “performs browser and operating system fingerprinting to ensure the victim sees the most believable fake website possible.”

Webroot Advanced Threat Research Analyst Jason Davison told CyberScoop that the trojan had been targeting a range of retail victims including the German websites for H&M and Esprit.

Initially the campaign had spread via phishing emails containing malicious links or files, but since then0 has updated its arsenal, and with every region the phishing emails are tailored. 

Davison stated that once a loader module is downloaded and run, “it sets up persistence (the ability to stay on a device through a reboot) on the victim’s machine and then will reach out to the command and control and then…complete the infection.”

It remains unclear as to what group is behind these attacks. 

“[DanaBot] continues to evolve its geo targets as more affiliates get added, and has branched out to test ransom functionality,” Webroot says. 

“This change in tactics certainly aligns with other shifts we’ve observed in which criminals are performing more recon upfront to profile a victim’s worth before executing ransomware from a domain controller. Threat actors are effectively reducing the quantity of attacks in favor of quality when they choose to profile their victim’s worth.”

The Danabot trojan has become “a very profitable modular crimeware project.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/