by H3 Collective | Aug 14, 2019
Proofpoint first identified DanaBot in May of 2018. Armed with basic Trojan and info-stealing functionality, DanaBot gathers sensitive banking information from unsuspecting users for fraud and other criminal activity. Since its inception, the Trojan has added affiliates, increased its geo-targeting, and expanded its functionality through modularity. In this blog, I’m going to review DanaBot’s web injects/targeting scheme, along with its communication protocol/command and control infrastructure.

Geo-Targeting

While DanaBot primarily targeted Australia in its early 2018 campaigns, it has continually expanded its targeting since then to include various new regions. Each geographical region is associated with a campaign ID within the bot, which ensures that the respective web injects/targets for the desired region are delivered post-infection. DanaBot has continued to...