Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Request a Demo

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Request a Demo
Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP

DanaBot Riding Fake MYOB Invoice Emails

Change theme to light DanaBot Riding Fake MYOB Invoice Emails
4 Minute Read by Dr. Fahim Abbasi

Authors: Dr. Fahim Abbasi and Diana Lopera

We recently observed phishing emails targeting Australian customers with fake MYOB invoices. Instead of the usual HTTP links, these emails were ridden with FTP links pointing to compromised FTP servers. While most of the links to FTP sites are Australian domains, not all are. The FTP links were pointing to a zipped archive. This zipped archive contained a JavaScript that on execution downloads the DanaBot malware.

To make the phishing message visually appealing, the phishing email used the standard MYOB-like html invoice template as can be seen in Figure 1 and 2. The email body contained a short message requesting to pay the said amount before the due date and contained a "View Invoice" button to view the invoice. On clicking this "View Invoice" button a zip archive is pulled down from what we believe is a compromised FTP server of an Australian company. FTP credentials are supplied in the FTP link that is embedded in the "View Invoice" button.

 

Invoice-partner-myob
Figure 1: Fake MYOB invoice phishing message sent by the scammers

 

A few such FTP links harvested from these emails are listed here. Note the credentials have been masked here:

  • ftp://XXXXX:YYYYY@villablue.com/pd/523972.zip
  • ftp://XXXXX: YYYYY@ftp.aquaprodive.com/new.aquaprodive.com/303-5098-%2847%29.zip
  • ftp://XXXXX: YYYYY@ftp.qsl.net/395871581/84122/91664186(4).js.zip
  • ftp://XXXXX: YYYYY@members.net.au/PUG/9681125-RCP0806(242).js.zip
  • ftp://XXXXX: YYYYY@ftp.newportgardenseashells.com.au/docs/098274747728377 (47).js.zip

 

Mapple-myob-invoice
Figure 2: A slight variation of the same fake MYOB invoice phishing message sent by the scammers

 

Malware Analysis

The compromised FTP links point to a zipped archive (in this case 0987365299308858885968.zip), which gets downloaded onto the victim's computer upon clicking the invoice link. This zipped archive contains a JavaScript (JS) downloader. An abridged screenshot of the JS is shown in Figure 3. This JS requires the user to double-click to execute it. This launches a PowerShell command (see Figure 4) that would download the (DanaBot) malware binary "TempVBH56.exe", from the URL "hxxp://buy.biomixers[.]org/ZslSywnaWJ.php" and execute it silently on the system. The process tree is shown in Figure 5.

 

Js
Figure 3: Extracted JavaScript from the zipped archive that would execute upon a double click
 
Powershell-script
Figure 4: PowerShell command executed by the malicious JavaScript downloader

 

Process-tree
Figure 5: Process tree from the JavaScript downloader to malicious executable

The DanaBot malware seems to be hosted on a domain that has been configured with round robin DNS and thus resolves to multiple IPs that are used to rotate and load balance the traffic and point them to the attacker controlled infrastructure. A screenshot of all the DNS A records for this domain are illustrated here:

 

Ip-resolution

 

DANABOT

DanaBot is a multi-component banking Trojan written in Delphi and has recently been involved in campaigns specifically targeting Australian users.

For this campaign, we have observed the malware is divided into 3 components:

  • The DanaBot Dropper

o TempVBH56.exe (Sha256: 4afad293675bcb39ac2a85307f074cc06410a48f2e14585718193648806521c4)

  • The DanaBot Downloader

o 091A4F71.dll (Sha256: f10a7b4d2beb20e9d7f3230e7662ead28b468e4554a7107c21e3b85e1c7a0f6a)

  • The DanaBot Master DLL

o 6AD4B832.dll (Sha256: 06a1a596f3dbc90da832cd2161848bc8f5c8106bc0f44d4f88d8f3ac3a68e51b)

The DanaBot dropper file "TempVBH56.exe", that was downloaded and executed by the PowerShell command discussed in the previous section deflates and drops a DLL file "091A4F71.dll" onto the disk and executes it and then deletes itself. We term this file ("091A4F71.dll") as the DanaBot downloader. The process tree is shown below in Figure 6.

 

Procexp
Figure 6: Screenshot of Process Explorer

 

The DanaBot downloader "091A4F71.dll" executes and downloads the DanaBot master DLL 6AD4B832.dll from the URL hxxp://207.148.86[.]218/index.php?m=T&a=6&b=32&d=A59615726C504BD47DB190BFECF1A981&g=F497D170&i=8192&u=1&v=610760110&x=0&t=32&e=4856B6847A1DC58800EF1CED6140F083 and saves it into a hidden folder in %programdata%.

The DanaBot master DLL then downloads an encrypted file (SHA256: 3bcb8c86f52f9594f5d94945b30d6d76d4ce2c91eb32df43f6ed4e6c8f576085) from the URL: hxxp://144.202.61.204/index.php?m=S&a=6&d=A59615726C504BD47DB190BFECF1A981&g=76941718&e=B06CC1724906F10E3530F5EC7B2B063D

The Master DLL then decrypts the file and splits it into two new files, the first file contains a sequence of configurations (abridged screenshots shown in Figure 7, 8, 9 and 10) %programdata%\6AD4B89A\8E7D750C (Sha256: f7c3de15cb5a75388163ef64143d4e3036a5f952b62fcf6c536beb5e0f5f8c5d), while the second file contains a sequence of modules %programdata%\6AD4B89A\96187C5A (Sha256: 8caf436413d8aaf693ea90ab7728d4dcf67ca9f221629c03356db72791f52252). The modules and configuration files extracted from these files are listed here:

Modules:

  1. dll - VNC
  2. dll - Stealer
  3. dll - Sniffer
  4. dll - TOR

Configuration files:

  1. PInject
  2. BitKey
  3. BitVideo
  4. BitFilesX
  5. Zfilter

The filenames of the DLLs extracted from the encrypted file reveal the true intention of the attackers. In essence, these DLLs enable the attacker to create and control a remote host via VNC, steal private and sensitive information and use covert channels via Tor.

Networkflow-wireshark
Figure 7: TCP stream of the modules and configuration files
 
Pinject
Figure 8: PInject contains the web injection configuration file where the targets are Australian banks
 
Bitkey
Figure 9: BitKey and BitVideo contains the list of cryptocurrency processes that this bot will monitor.
 
Bitfilex
Figure 10: BitFileX contains the cryptocurrency files
 

Lastly, this bot has the capability to send the infected machine's system and desktop screenshot to the C&C as shown in Figure 11. All data used by this malware, whether in transit or on disk, was heavily encrypted. Detailed flow is shown in Figure 12.

Malcnc
Figure 11: Malware sends the infected machine's system information and desktop screenshot to the C&C
 
Danabot-flow
Figure 12: Malware campaign flow diagram

Conclusion

Cybercriminals are targeting victims in Australian companies and infecting them with sophisticated multi-stage, multi-component and stealthy banking trojans like DanaBot to steal their private and sensitive information. In this campaign the attackers sent targeted phishing emails in the form of fake MYOB invoice messages with invoice links pointing to compromised FTP servers hosting the DanaBot malware. The infrastructure supporting the malware is designed to be flexible while the malware is designed to be modular with functionality spread across multiple components that are heavily encrypted.

IOCs

  • ftp://XXXXX:YYYYY@villablue.com/pd/523972.zip
  • ftp://XXXXX: YYYYY@ftp.aquaprodive.com/new.aquaprodive.com/303-5098-%2847%29.zip
  • ftp://XXXXXl: YYYYY@ftp.qsl.net/395871581/84122/91664186(4).js.zip
  • ftp://XXXXX: YYYYY@members.iinet.net.au/PUG/9681125-RCP0806(242).js.zip
  • ftp:// XXXXX: YYYYY@ftp.newportgardenseashells.com.au/docs/098274747728377 (47).js.zip
  • hxxp://buy.biomixers[.]org/ZslSywnaWJ.php

Filename

Size

Sha256

Codename

Download URL

tempvbh56.exe

277504 bytes
(0 MB)

4AFAD293675BCB39AC2A85307F074CC0
6410A48F2E14585718193648806521C4

Dropper

hxxp://buy.biomixers.org/ZslSywnaWJ.php

%programdata%\
091A4F71.dll

79360 bytes
(0 MB)

F10A7B4D2BEB20E9D7F3230E7662EAD28B
468E4554A7107C21E3B85E1C7A0F6A

Downloader

  

%programdata%\
6AD4B89A\6AD4B832.dll

1645072 bytes
(1 MB)

06A1A596F3DBC90DA832CD2161848BC
8F5C8106BC0F44D4F88D8F3AC3A68E51B

Master DLL

hxxp://207.148.86.218/index.php?m=T&a=
6&b=32&d=A59615726C504BD47D
B190BFECF1A981&g=F497D170&i=8192&u=
1&v=610760110&x=0&t=32&e=
4856B6847A1DC58800EF1CED6140F083

<no name>

1626256 bytes
(1 MB)

3BCB8C86F52F9594F5D94945B30D6D7
6D4CE2C91EB32DF43F6ED4E6C8F576085

Downloaded encrypted file

hxxp://144.202.61.204/index.php?m=S&a=6&d=A59615726C504BD47DB190BFECF1A981&
g=76941718&e=B06CC1724906F10E3530F5EC7B2B063D

%programdata%\
6AD4B89A\96187C5A

10112236 bytes
(9 MB)

8CAF436413D8AAF693EA90AB7728D4DC
F67CA9F221629C03356DB72791F52252

Encrypted module

  

%programdata%\
6AD4B89A\8E7D750C

15439 bytes
(0 MB)

F7C3DE15CB5A75388163EF64143D4E30
36A5F952B62FCF6C536BEB5E0F5F8C5D

Encrypted configuration files

  

 

 

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Lessons from a Honeypot with US Citizens’ Data
2024 Trustwave Risk Radar Report: Cyber Threats to the Retail Sector
Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo