
ThreatLabZ November 2021 Report: Multilogin utility gets exploited, phishing attacks target Indian banking customers, and new supply-chain attacks resurrect DanaBot malware

Nov 19, 2021

In late October and early November, the Zscaler ThreatLabZ team documented a malware campaign targeting users of the Multilogin utility, identified a phishing campaign aimed at banking consumers in India, and recorded a resurgence of DanaBot malware activity.

New MultiloginBot phishing campaign spoofs popular sign-on utility
A new live phishing campaign attempts to install stealer malware onto victimized devices. The campaign targets legitimate customers of Multilogin, a common convenience utility that enables users to log into multiple accounts on single websites or platforms. The ultimate goal of the hackers appears to be credential-stealing.

The phishing email tries to trick users into downloading a malicious installer. That installer is served from websites on newly registered domains (NRDs) that mimic the look and feel of the legitimate Multilogin website. Once the installer runs on a machine, it drops a stealer on the client. That stealer, named “multilogin” to blend in with the legitimate software, seeks out sensitive information on the device, zips it up, and exfiltrates it to a command-and-control (C2) server.

Figure 1. The threat actor behind the MultiloginBot phishing campaign has gone to great lengths to make its malware (left) appear to be legitimate (right).

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Read more detailed technical analysis of the MultiloginBot phishing campaign here.


Sophisticated malware campaign targets Indian banking customers with phishing to achieve MFA bypass
Threat actors recently launched another phishing campaign, this one targeting customers of some of India’s largest financial institutions. What makes this one particularly damaging is its sophistication: it uses a phishing lure as part of a credential-stealing scheme designed to bypass multi-factor authentication (MFA).

The campaign targets mobile-banking customers of large Indian banks like State Bank of India, Punjab National Bank, Union Bank, HDFC, and Canara. The cybercriminals behind it are aiming at users of Android mobile devices. 

At the start of the attack chain, attackers send phishing emails luring Android users to a seemingly legitimate site for their preferred bank with the promise of a refund. Once there, victims are prompted to enter personal banking credentials (including their PIN). The site then claims to download the bank’s mobile application. Instead, it deploys a stealer that snoops on SMS messages and sends them to a C2 server.


Figure 2. Spoofed mobile-banking site

The SMS capture can enable hackers to thwart multi-factor authentication controls. Typically, banking communications require secondary authorization, often a one-time password sent via SMS. Armed with both account credentials and SMS access, these hackers can potentially empty victims’ bank accounts.

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Learn more about how hackers are targeting Indian mobile-banking customers here.

DanaBot malware resurfaces in new supply-chain attacks
DanaBot, a Malware-as-a-Service platform first identified three years ago and thought to be on the wane, has resurfaced as the payload in two recent supply-chain cyberattacks. It was also used in a Distributed Denial-of-Service (DDoS) attack on a Russian-language electronics forum.

The DanaBot malware can be used in several ways, though it is typically deployed as a credential stealer. The DanaBot criminal enterprise operates as a service platform: threat actors subscribe to the site to become “affiliates,” gain access to the malware payload, and -- for a fee -- can distribute it as they see fit.

In two incidents over the past month, attackers twice compromised packages distributed through npm, the popular package manager for JavaScript development environments. In the first supply-chain attack, the malware-laden code distributed both DanaBot and a cryptominer in its JavaScript library; in the second, the corrupted package went out with DanaBot embedded in a parser utility.
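Both npm incidents delivered malware through updated versions of packages that projects already trusted, so a defender's check is to diff the resolved dependency set against a reviewed baseline lockfile. The script below is an added example, not code from the ThreatLabZ post or from npm; it reads the package-lock v2/v3 "packages" map, and every package name, version, URL and integrity hash in it is a constructed placeholder.

```python
"""Flag unexpected dependency changes between two package-lock.json documents.

Reports new dependencies, version bumps, integrity hashes that changed for an
unchanged version (a tampered tarball), and tarballs resolved outside the npm
registry. Added example; sample data is constructed, not from any real package.
"""
import json

REGISTRY = "https://registry.npmjs.org/"

def _packages(lock: dict) -> dict:
    """Return {name: entry} for every installed dependency (skips the root "")."""
    out = {}
    for path, entry in lock.get("packages", {}).items():
        if path:  # "" is the root project itself, not a dependency
            out[path.rsplit("node_modules/", 1)[-1]] = entry
    return out

def lockfile_findings(baseline: dict, current: dict) -> list:
    """Compare a reviewed baseline lockfile with the current one and list anomalies."""
    old, new = _packages(baseline), _packages(current)
    findings = []
    for name, entry in new.items():
        resolved = entry.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY):
            findings.append((name, "resolved outside registry", resolved))
        if name not in old:
            findings.append((name, "new dependency", entry.get("version")))
            continue
        prev = old[name]
        if prev.get("version") != entry.get("version"):
            findings.append((name, "version changed", f'{prev.get("version")} -> {entry.get("version")}'))
        elif prev.get("integrity") != entry.get("integrity"):
            findings.append((name, "integrity changed for same version", entry.get("integrity")))
    return findings

# Constructed sample lockfiles: a reviewed baseline and a later install.
BASELINE = json.loads("""{"lockfileVersion": 2, "packages": {
  "": {"name": "app", "version": "1.0.0"},
  "node_modules/parser-lib": {"version": "1.2.0", "resolved": "https://registry.npmjs.org/parser-lib/-/parser-lib-1.2.0.tgz", "integrity": "sha512-AAAA"},
  "node_modules/left-util": {"version": "3.0.1", "resolved": "https://registry.npmjs.org/left-util/-/left-util-3.0.1.tgz", "integrity": "sha512-BBBB"}}}""")
CURRENT = json.loads("""{"lockfileVersion": 2, "packages": {
  "": {"name": "app", "version": "1.0.0"},
  "node_modules/parser-lib": {"version": "1.2.1", "resolved": "https://registry.npmjs.org/parser-lib/-/parser-lib-1.2.1.tgz", "integrity": "sha512-CCCC"},
  "node_modules/left-util": {"version": "3.0.1", "resolved": "https://registry.npmjs.org/left-util/-/left-util-3.0.1.tgz", "integrity": "sha512-DDDD"},
  "node_modules/new-dep": {"version": "0.0.1", "resolved": "https://mirror.example/new-dep-0.0.1.tgz", "integrity": "sha512-EEEE"}}}""")

if __name__ == "__main__":
    for finding in lockfile_findings(BASELINE, CURRENT):
        print(*finding)
```

Run it in CI against the lockfile committed at the last review; any finding means a human should look at the changed package before the install is trusted.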

Figure 3. The HTTP request template used in the DDoS attack on a Russian-language electronics forum

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Cloud Sandbox.

Learn more about the recent cyberattacks deploying DanaBot in this ThreatLabZ post.

About ThreatLabZ
ThreatLabZ is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.

The Zscaler Zero Trust Exchange
Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks more than 150 million threats to its 4000+ customers. Over the last six months, Zscaler monitored and secured over one trillion cloud application transactions. The Zscaler ThreatLabZ security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.
