DanaBot banking Trojan in spam impersonating the "POL-INVEST Office"
Reader Konrad sent us another sample. It would be an unremarkable message if the "invoice" attached by "Bartosz Wozniak z Biuro POL-INVEST" were not in fact malware that tries to download DanaBot from a server in Ukraine.
From: Bartosz Wozniak
Content: Good morning, an invoice is attached. VAT invoice - sales no. 05/13/2018
Yours sincerely, Bartosz Wozniak POL-INVEST Office.
After unpacking the archive, the attachment "FV_001762.pdf.exe" at first glance looks like a PDF file (though it carries no PDF icon). On closer inspection it has a double extension and is really an EXE executable: Windows hides known extensions by default, so the victim sees only "FV_001762.pdf".
In this campaign we are once again dealing with the SMTP servers of nazwa.pl, which are insufficiently secured: they let spammers send messages with malicious attachments through nazwa.pl's own mail servers. In this case the fraudster sent the spam from the mail server used by Comimport sp. z o.o. In the e-mail the perpetrator impersonates POL-INVEST; we found several companies with that name, so it is hard to establish which one was the intended target.
We suspect that the malware used in this campaign is related to the one (or the dropper) we wrote about two days ago. It is quite likely that this campaign shares characteristics with the earlier ones impersonating Ergo Hestia and the accounting office "Tomfis". In ESET's naming, the malware in both cases is detected as Win32/TrojanDropper.Danabot.C; it appeared on computers in Poland, and earlier in Australia.
As before, the spam was sent from the nazwa.pl servers:
ane151.rev.netart.pl ([18.104.22.168]: 31061)
The spammer logs in to the nazwa.pl server from the IP address:
Hash of the .EXE attachment after unpacking the .ZIP:
Potential attachment names:
E-mail addresses the message attempts to impersonate:
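The indicators above (a ZIP that unpacks to a double-extension "PDF" that is really a PE file, relayed through a netart.pl host rather than the claimed sender's domain) can be checked mechanically at a mail gateway. The script below is an added example written for this page, not code from the original article or from any vendor mentioned in it. It builds a constructed .eml modelled on the lure (the addresses pol-invest.example, konrad@example.org and mx.example.org are assumptions, and the "executable" is a two-byte MZ stub, not a real binary), parses the first Received header, compares the relay host with the sender's domain, and unpacks the ZIP in memory to inspect member names and file magic.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions that execute when double-clicked vs. ones that look like harmless documents.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not unpack oversized members (zip bomb guard)
# Matches "from host ([ip]:port)" as written in the Received header quoted above.
RELAY_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9A-Fa-f.:]+)\]?(?::\s*\d+)?\)")


def build_sample_message() -> bytes:
    """Constructed .eml modelled on the campaign; the addresses are assumed, not real ones."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        # A PE file starts with the 'MZ' DOS header; this stub is not a runnable binary.
        zf.writestr("FV_001762.pdf.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["Received"] = "from ane151.rev.netart.pl ([18.104.22.168]:31061) by mx.example.org"
    msg["From"] = "Bartosz Wozniak <biuro@pol-invest.example>"  # assumed address
    msg["To"] = "konrad@example.org"
    msg["Subject"] = "VAT invoice - sales no. 05/13/2018"
    msg.set_content("Good morning, an invoice is attached.\n"
                    "Yours sincerely, Bartosz Wozniak POL-INVEST Office.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="FV_001762.zip")
    return msg.as_bytes()


def extensions(name: str) -> list[str]:
    """'FV_001762.pdf.exe' -> ['.pdf', '.exe'] (directory part of a ZIP member is dropped)."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def inspect_attachment(filename: str, head: bytes) -> list[str]:
    """Return reasons a (possibly unpacked) file is suspicious; empty list if none."""
    findings = []
    exts = extensions(filename)
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension: {filename} looks like {exts[-2]} but runs as {exts[-1]}")
    if head[:2] == b"MZ":
        findings.append(f"{filename}: content is a PE executable (MZ header)")
    elif exts and exts[-1] == ".pdf" and not head.startswith(b"%PDF"):
        findings.append(f"{filename}: named .pdf but lacks the %PDF magic")
    return findings


def inspect_message(raw: bytes) -> dict:
    """Parse an .eml, record the first relay, and inspect attachments (unpacking ZIPs)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"relay": None, "sender_domain": None, "findings": []}

    received = msg.get_all("Received") or []
    if received:
        m = RELAY_RE.search(received[0])
        if m:
            report["relay"] = (m.group(1), m.group(2))

    sender = parseaddr(msg.get("From", ""))[1]
    if "@" in sender:
        report["sender_domain"] = sender.rsplit("@", 1)[1].lower()
    if report["relay"] and report["sender_domain"]:
        host = report["relay"][0].lower()
        if not host.endswith(report["sender_domain"]):
            # Heuristic only: hosted mail legitimately relays through provider servers.
            report["findings"].append(
                f"relay {host} is not under sender domain {report['sender_domain']}")

    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_content()
        if not isinstance(data, bytes):
            data = data.encode()
        if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        report["findings"].append(f"{info.filename}: oversized member, not unpacked")
                        continue
                    with zf.open(info) as fh:  # read only the header bytes
                        report["findings"].extend(inspect_attachment(info.filename, fh.read(64)))
        else:
            report["findings"].extend(inspect_attachment(name, data[:64]))
    return report


if __name__ == "__main__":
    for line in inspect_message(build_sample_message())["findings"]:
        print(line)
```

The relay check is deliberately a weak signal: many small companies send through their hosting provider's SMTP servers, which is exactly what makes the nazwa.pl relays useful to spammers. The attachment checks are the strong ones: a document extension followed by an executable extension, or an MZ header where a PDF is claimed, should quarantine the message regardless of who appears to have sent it.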
We recommend that readers pay particular attention to attachments and use reputable antivirus software. Choosing one is difficult, which is why we have been helping to identify the best products for many years, as shown by the three security tests we have published today. We encourage you to read the details.
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.