The Register

Suspected creeps behind DanaBot malware that hit 300K+ computers revealed

The US Department of Justice has unsealed indictments against 16 people accused of spreading and using the DanaBot remote-control malware, which infected more than 300,000 computers, and of operating a botnet of the same name; the Feds also appear set to shutter the operation.

The indictments [PDF], first filed in 2022, name the alleged heads of the DanaBot operation, plus developers, administrators, marketers, affiliate managers, customer support representatives, hardware managers, and some users. All are based in Russia and remain at large.

There are two variants of DanaBot. One is available to rent – malware-as-a-service-style – via the dark web. It costs $1,000 a month; there are various packages rising to $4,000 that include the malware, support software, an API, a testing engine, and in-person tech support.


Crooks renting this variant spam out the thing in hope of tricking marks into running the code. Once a host computer is infected, the software harvests login credentials using a keylogger, takes screenshots, and intercepts network traffic, all so that its operators can raid the online bank accounts and crypto-wallets of victims. The malware communicates with multiple tiers of command-and-control servers via Tor.

The other variant, which isn’t available to rent, is focused on espionage: much like the banking version, the malware records keystrokes and takes screengrabs of infected users’ desktops, as well as videoing them. DanaBot’s masters aimed it at targets in the military, diplomatic corps, and government.

Josh Hopkins, threat research manager at Team Cymru, who worked on Uncle Sam’s investigation into DanaBot, told The Register the bot’s operators were probably working with Moscow.

“The clue is in where the actors are based, and the way that the criminal and political world is intertwined in Russia,” he said. “You know that they’re operating under the graces of the government and then probably under the watchful gaze of the intelligence agencies there. And what better way to do a more targeted espionage campaign than try and cover it up as if it’s just criminality?”

According to a statement [PDF] by FBI special agent Elliott Peterson, several banks have suffered millions in losses due to DanaBot infections. The Feds believe the banking variant of the malware infected more than 300,000 computers around the world, and the total amount stolen could exceed $50 million.

“Today’s announcement represents a significant step forward in the FBI’s ongoing efforts to disrupt and dismantle the cyber-criminal ecosystem that wreaks havoc on global digital security,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.

Last year, police from Europe, the UK, and the USA launched “Operation Endgame” to disrupt malware botnets. That effort had some success.

The DanaBot indictments are part of Operation Endgame II, and according to the timer on the operation’s website something bad is going to happen to the network – and maybe some of its operators – on Friday.

Hopkins hinted at what might happen when the timer reaches zero.

“We would see upwards of 30 or so [DanaBot] servers on any particular day, sometimes more than that,” he said. “When we looked yesterday, I think there were six servers active and today there were two. The two servers that we saw today are hosted by Alibaba, so I imagine there’s been some challenges with taking those ones down, but broadly speaking everything else has been dealt with.” ®
