
US Busts DanaBot Malware Ring Charging 16

May 23, 2025

On Thursday, the U.S. Department of Justice (DOJ) announced the disruption of the DanaBot malware's infrastructure. The action was part of the broader international law enforcement effort known as Operation Endgame. Charges were also unsealed against sixteen individuals for their alleged involvement with DanaBot. They are accused of developing and deploying this sophisticated malware for cybercrime. The DOJ stated that a Russia-based cybercrime organization primarily controlled the DanaBot operations. The malware infected over 300,000 victim computers in countries around the world. It facilitated widespread fraud and ransomware attacks, causing at least $50 million in damages. Two key Russian defendants, Aleksandr Stepanov and Artem Kalinkin, remain at large. Many defendants were identified after they accidentally infected their own systems with DanaBot.

DanaBot is a multi-functional malware tool, much like Emotet, TrickBot or QakBot. It can act as an information stealer on compromised computer systems. It also frequently serves as a delivery vector for next-stage malware, including well-known ransomware payloads dropped onto already infected victim machines. The Delphi-based modular malware is equipped to siphon sensitive data from computers. It can hijack online banking sessions and steal device information, user browsing histories, stored account credentials and virtual currency wallets. DanaBot provides full remote system access, logs all keystrokes and can capture video. It operated under a malware-as-a-service (MaaS) scheme, leasing access to other cybercriminals. Access costs ranged from $500 to several thousand U.S. dollars per month.

DanaBot has been actively used in the wild by criminals since its debut. It started operations as a banking trojan in May 2018. It first targeted victims in European countries such as Ukraine, Poland, Italy and Germany. Later it significantly expanded its targeting to include U.S. and Canadian institutions. A second, specialized DanaBot version designed specifically for espionage emerged in January 2021. This variant targeted military, diplomatic and government-related entities, located primarily in North America and Europe. DanaBot employed a layered communications infrastructure for its command and control servers. Its operators adapted to detection efforts and offered users structured pricing and customer support. For years it spread via SEO poisoning and malvertising, not just email.

This DanaBot takedown is part of the much larger, ongoing Operation Endgame initiative.

Endgame previously targeted other malware families such as Lumma Stealer, Smokeloader and TrickBot. The latest phase took down about 300 servers and 650 domains. Concurrently, the DOJ unsealed charges against Rustam Gallyamov, the alleged QakBot malware leader. Over $24 million in cryptocurrency was seized from Gallyamov during that separate investigation. Numerous private sector cybersecurity firms provided valuable assistance in the DanaBot takedown effort.

Proofpoint, which first identified DanaBot, called this disruption a significant win for defenders.

Such law enforcement actions impair malware use and impose considerable costs on threat actors. They may also cause mistrust in the criminal ecosystem, making cybercrime less attractive. Continued private and public sector collaboration is crucial to counter these threats.

Reference:

  • US Dismantles DanaBot Infrastructure Charging Sixteen In $50M Global Fraud