With this new campaign, attackers used FTP links instead of the usual HTTP links and most of the FTP sites linked with the Australian domains.
Trustwave researchers Fahim Abbasi and Diana Lopera spotted the phishing scam targeting Australian customers of MYOB.
Phishing Email Campaign
The phishing email campaign contains a fake MYOB invoice that asks customers to make payment and once the customer clicks on View Invoice it downloads the zip file from the compromised server.
DanaBot Banking Trojan contains four modules dll – VNC, dll – Stealer, dll – Sniffer and dll – TOR that enables extract the sensitive details from customers, establishing a covert communication channel and to control a remote host via VNC.
According to Trustwave researchers “the infrastructure supporting the malware is designed to be flexible while the malware is designed to be modular with functionality spread across multiple components that are heavily encrypted.”
You can find the Analysis report and IoCs in Trustwave blog post.