Author: Nick Sundvall
On 12 August, Infoblox observed a malspam campaign distributing the Danabot banking trojan through ZIP files.
First seen by Proofpoint in 2018, Danabot is a banking trojan written in Delphi [1]. Danabot can steal credentials, take screenshots, log keystrokes, exfiltrate data to command-and-control (C&C) servers, and perform web injection to manipulate browser sessions and steal banking information [2].
Vulnerabilities & Mitigation
Because malspam is a common distribution method for malware such as Danabot, Infoblox recommends the following precautions typically used to avoid these attacks:
- Always be suspicious of vague or empty emails, especially those that contain prompts to open attachments or click links.
- Be aware of an attachment's file type, and never open an attachment that is a script (.js, .vbs, .cmd, or .bat), an internet shortcut file (.url), or a compressed file. Threat actors use compressed files to evade detection methods based on file hashes and signatures: the archive's hash is not the payload's hash, and simply re-packing the same payload produces a new archive hash. They also use compressed files to mask the real malicious files, which would be flagged by email services if attached directly.
- Verify the legitimacy of emails with the alleged sender before opening any attachments.
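The following is an added example, not code from the Infoblox advisory or from the campaign: it takes the precautions above and turns the file-type rule into a check that looks inside a ZIP attachment, and it demonstrates the hash-evasion point by zipping the same script twice. The email, the ZIP, the file names, and the "payload" are all constructed placeholders; the .lnk extension in the shortcut list is an addition beyond the advisory's text. Only the Python standard library is used.

```python
"""Added example (not from the Infoblox advisory): inspect ZIP attachments in an
email for the script and shortcut file types the advisory warns about, and show
why hashing only the archive is a weak indicator. All inputs are constructed."""
import email
import hashlib
import io
import posixpath
import zipfile
from email import policy
from email.message import EmailMessage

# File types the advisory says never to open from an attachment.
SCRIPT_EXTENSIONS = {".js", ".vbs", ".cmd", ".bat"}
SHORTCUT_EXTENSIONS = {".url", ".lnk"}   # .url per the advisory; .lnk is an assumption added here
ARCHIVE_EXTENSIONS = {".zip"}            # nested archives get flagged as well


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(filename: str) -> str:
    """Classify a file name by its final extension, so 'Invoice.pdf.js' is a script."""
    ext = posixpath.splitext(filename.lower())[1]
    if ext in SCRIPT_EXTENSIONS:
        return "script"
    if ext in SHORTCUT_EXTENSIONS:
        return "shortcut"
    if ext in ARCHIVE_EXTENSIONS:
        return "archive"
    return "other"


def build_zip(members: dict, date_time=(2019, 8, 12, 9, 0, 0)) -> bytes:
    """Build an in-memory ZIP; date_time is a parameter so a re-pack can be simulated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def build_sample_email(zip_bytes: bytes, zip_name: str = "Invoice.zip") -> bytes:
    """Constructed malspam-style message: vague body, one ZIP attachment (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


def inspect_email(raw: bytes) -> list:
    """Return one finding per risky file: direct attachments and members of ZIP attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        kind = classify(fname)
        if kind != "other":
            findings.append({"path": fname, "kind": kind, "sha256": sha256(data)})
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner_kind = classify(info.filename)
                    if inner_kind != "other":
                        # Hash the member, not the container: the member hash survives re-packing.
                        findings.append({"path": f"{fname}/{info.filename}",
                                         "kind": inner_kind,
                                         "sha256": sha256(zf.read(info))})
    return findings


def repack_changes_only_outer_hash() -> tuple:
    """Zip the same placeholder script twice with different timestamps: the archive
    hash changes, the member hash does not. Returns (outer_differs, inner_same)."""
    payload = b"WScript.Echo('placeholder, not a real sample');\r\n"
    a = build_zip({"Invoice.js": payload}, date_time=(2019, 8, 12, 9, 0, 0))
    b = build_zip({"Invoice.js": payload}, date_time=(2019, 8, 13, 9, 0, 0))
    inner = set()
    for z in (a, b):
        with zipfile.ZipFile(io.BytesIO(z)) as zf:
            inner.add(sha256(zf.read("Invoice.js")))
    return sha256(a) != sha256(b), len(inner) == 1


if __name__ == "__main__":
    sample = build_sample_email(build_zip({"Invoice.pdf.js": b"// placeholder\r\n"}))
    for f in inspect_email(sample):
        print(f"{f['kind']:8s} {f['path']}  sha256={f['sha256'][:16]}...")
    print("re-pack changes outer hash / keeps member hash:", repack_changes_only_outer_hash())
```

Run as a script, it lists the ZIP attachment and the script inside it, each with its own hash, and then reports that two archives holding byte-identical scripts have different archive hashes but the same member hash. That is the practical reading of the precaution above: a mail filter or analyst that hashes only the outer ZIP will miss a trivially re-packed payload, whereas extracting and hashing the members gives an indicator that holds.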