Authors of the DanaBot banking trojans updated the malware with new features that enabled it to harvest email addresses and send out spam straight from the victim’s mailbox.
Recently, DanaBot authors took fell on the European space, targeting Italy, Germany, and Austria.
Malware replies to your contacts with spam
Malware analysts at ESET found that one of the webinject scripts used by DanaBot can send out malicious messages from the owner’s account, as replies to emails in the inbox.
This tactic applies to any webmail service relying on Open-Xchange and helps the operation in two ways: the established trust between the sender and the recipient increases the chance of the message to bypass spam protections, and the receiver is more likely to open the malicious attachment.
Using a different script, DanaBot harvests email addresses from accounts on all targeted webmail services. The injection occurs the moment the victim logs in and the addresses.
According to the researchers, the attackers focus on addresses with the substring “pec,” which stands for ‘Posta Elettronica Certificata’ or ‘certified mail’ used in Italy, Switzerland and Hong Kong, and gives digital correspondence the same legal value of conventional postal services you have to sign for on reception.
The Italian Chamber of Commerce says that PEC ‘allows messages and document attachments of any kind (administrative, commercial, information, etcetera) to be exchanged, in a safe, secure and economical manner.”
Based on this detail, ESET researchers believe that DanaBot authors may have taken in sight corporate and public administration emails that are most likely to use the PEC service.
DanaBot and GootKit authors shake hands
While analyzing malicious VBS scripts found on a command and control (C2) server by the banking trojan, the researchers discovered that it directed to a downloader module for another nasty in the same business, named GootKit.
“This is the first time we have seen indicators of DanaBot distributing other malware. Until now, DanaBot has been believed to be operated by a single, closed group. The behavior is also new for GootKit, which has been described as a privately held tool, not sold on underground forums, and also operated by a closed group,” ESET’s experts say.
Lately, GootKit has also been distributed by other malware, Emotet, which indicates a diversification of the illegal business.
The connection between the GootKit and DanaBot groups appears to extend to sharing the same registrar (Todaynic.com, Inc) for their domain names and the same name server (dnspod.com).
This echoes ProofPoint’s theory that DanaBot is pushed as part of an affiliate system that enables the developer to rent the malware or help with other campaigns and share in the profits.