TTPwire Vol. 1 · MITRE ATT&CK·Tagged

F5 Labs

DanaBot’s New Tactics and Targets Arrive in Time for Peak Phishing and Fraud Season

2019-12-09

ATT&CK techniques detected

9 predictions
T1059.007 JavaScript
77%
"compress and obfuscate code in order to create a command and control ( cnc ) mechanism. using dean edwards ’ p. a. c. k. e. r compressor as the first step, danabot dynamically creates the second stage of the injection. 2 these two new techniques can be used together in order to t…"
T1566.002 Spearphishing Link
71%
"4. a utility function checking the date figure 5. the utility function for disabling the enter key via the keyboard so the malicious “ click ” event will replace it figure 6. the utility method showing a replacement of a legitimate button with a fake one the includes the fraudste…"
T1566.002 Spearphishing Link
63%
", researchers were able to see the actual victim data as well as the browser botid. this data is blurred in figure 14 as it is sensitive information. figure 14. actual data sent from the victim ' s browser to the danabot attacker server completely investigating the underlying ser…"
T1204.004 Malicious Copy and Paste
59%
"see if a user is logged in. the validation is unique to each target site. once the code validates that this html element exist in the page, the next step of the fraud malware executes. the malware uses the tables javascript library to create fake payment request forms where users…"
T1566.002 Spearphishing Link
47%
"zeus - like ” piece of malware. given this progression and the successful tactics used, we predict that danabot will continue to be a major player in the banking trojan world for the rest of 2019 into 2020. all organizations, especially the known targets identified in this articl…"
T1657 Financial Theft
46%
"heavy hitter, causing significant of damage wherever it goes. like most of the other notable banking trojans, danabot continues to shift tactics and evolve in order to stay relevant. f5 malware researchers first noticed these shifting tactics in september 2019, however, it is pos…"
T1185 Browser Session Hijacking
39%
"the p. a. c. k. e. r. framework, which is a legitimate way to compress and obfuscate code in order to create a command and control ( cnc ) communication mechanism. we observed these new danabot tactics tampering with popular websites such as aliexpress and groupon. technical deta…"
T1102 Web Service
38%
"to social media and streaming websites. this includes twitch, the world ’ s leading live steaming platform for gamers. users can watch and chat with others online, and there are opportunities for them to enter their credit card details to purchase twitch prime or to support speci…"
T1204.004 Malicious Copy and Paste
35%
"heavy hitter, causing significant of damage wherever it goes. like most of the other notable banking trojans, danabot continues to shift tactics and evolve in order to stay relevant. f5 malware researchers first noticed these shifting tactics in september 2019, however, it is pos…"

Summary

DanaBot makes a strong resurgence at the end of 2019, using new tactics and techniques and expanding beyond its traditional banking targets.