Law enforcement in the United States and Europe this week disrupted the infrastructure of the long-running DanaBot malware-as-a-service (MaaS) operation that authorities said infected more than 300,000 systems and caused more than $50 million in damages.

The U.S. Justice Department (DOJ) also charged 16 people in connection with the Russian-based cybercriminal network, including two Russian nationals – Aleksandr Stepanov, also known as “JimmBee,” and Artem Aleksandrovich Kalinkin (“Onix”) – for conspiracy, aggravated identity theft, wiretapping, and other charges. Both are said to be in Russia and have not been arrested.

The case, in which law enforcement agencies were aided by a dozen cybersecurity and tech companies, took down an operation that had been active since 2018 and was controlled by a Russian cybercrime syndicate. According to an indictment outlining the operation, the developers of DanaBot and their affiliates used the malware not only to roll compromised computers into a botnet under their control, but also as an information stealer and as an access tool for deploying ransomware and other malware.

The victims included small businesses, large financial institutions, and U.S. and foreign government agencies.

Part of Operation Endgame

The move against DanaBot – which is part of the ongoing anti-bot Operation Endgame by law enforcement in Europe, the United States, and other countries – is one of a number of similar operations aimed at disrupting global cybercriminal operations and the latest example of such proactive initiatives that have been ongoing for several years. Also this week, law enforcement agencies and tech vendors seized thousands of domains used to spread the notorious Lumma Stealer malware.

In addition, the DOJ indicted a 48-year-old Russian national for allegedly creating the malware behind the Qakbot botnet in 2008, which ran for more than a decade and infected more than 700,000 systems before being taken down by law enforcement in 2023.

According to the indictment, the DanaBot operators would give affiliates access to the malware and its related support system for $3,000 to $4,000 a month, with the affiliates then using it to launch cyberattacks. The operation included servers that distributed the malware, backend servers that stored stolen information, command-and-control (C2) servers, and proxy servers that obfuscated the hackers’ activities.

Researchers with CrowdStrike, which participated in the takedown, wrote in a report that DanaBot started by targeting victims in Ukraine, Poland, Italy, Germany, Austria, and Australia before targeting financial institutions based in the United States and Canada later in 2018.

“The malware’s popularity grew due to its early modular development supporting Zeus-based web injects, information stealer capabilities, keystroke logging, screen recording, and hidden virtual network computing (HVNC) functionality,” they wrote. “Between 2018 and 2021, DanaBot maintained its popularity as it gradually transitioned from [a] banking trojan toward being leveraged as a distribution platform for other malware families.”

Suspected Russian Support

They wrote that the Russian-based group Scully Spider developed and operated DanaBot and the MaaS business. What set DanaBot apart from other cybercriminal operations was the “Russian government’s tolerance of its activities,” they added.

“Despite having ample capability to investigate and prosecute these criminals operating within Russian borders, there is no public evidence authorities have taken legal action, a pattern that suggests these cybercriminals serve as proxy forces applying pressure on Western nations while maintaining plausible deniability for the Russian state,” they wrote.

They noted that there were two DanaBot sub-botnets that were used for cyberespionage purposes, though they said it was unclear how the stolen data was used.

“We think this direct use of criminal infrastructure for intelligence gathering activities provides evidence that SCULLY SPIDER operators were acting on behalf of Russian government interests,” they wrote. “Such dual use of criminal infrastructure for state espionage represents a cornerstone of Russia’s hybrid cyber strategy, allowing the government to maintain distance from operations while benefiting from their outcomes.”

DDoS Attack Against Ukraine

Affiliates also used the DanaBot malware for political reasons, according to researchers with ESET, which also participated in the operation. They pointed to a distributed denial-of-service (DDoS) attack launched against Ukraine’s Defense Ministry soon after Russia invaded its smaller neighbor in 2022.

“A very similar DDoS module to the one used in that attack was also used by a Danabot operator to target a Russian site dedicated to Arduino development,” the ESET researchers wrote, referring to the open source hardware and software platform. “These actions were probably motivated by the affiliate’s own ambitions and political motivations.”

CrowdStrike researchers also pointed to the DDoS attack in Ukraine as further evidence of the group’s ties to the Russian government.

Self-Infecting

In an unusual twist, an FBI agent who investigated the case wrote in the indictment that he was able to gain information about DanaBot from the operators’ own systems because they had infected themselves with the DanaBot malware. At times, this was likely done on purpose to test and improve the malware.

“In other cases, the infections seemed to be inadvertent – one of the hazards of committing cybercrime is that criminals will sometimes infect themselves with their own malware by mistake,” the agent wrote. “The inadvertent infections often resulted in sensitive and compromising data being stolen from the actor’s computer by the malware and stored on the DanaBot servers, including data that helped identify members of the DanaBot organization.”

Racking Up the Wins

Operation Endgame was announced last year as a multinational effort by the U.S., Europe, and other countries to shut down global cybercriminal operations. According to Europol, the effort has led to the shuttering or disruption of a range of such operations, including DanaBot, Bumblebee, Trickbot, and Warmcookie.

Joining authorities in the initiative against DanaBot were such vendors as Amazon, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Spycloud, Team CYMRU, and Zscaler, as well as CrowdStrike and ESET.
