Danabot: Analyzing a fallen empire

SeriousHoax

Thread author
Mar 16, 2019
As announced by the US Department of Justice – the FBI and US DoD’s Defense Criminal Investigative Service (DCIS) have managed to disrupt the infrastructure of the notorious infostealer, Danabot. ESET is one of the many cybersecurity companies to participate in this long-term endeavor, becoming involved back in 2018. Our contribution included providing technical analyses of the malware and its backend infrastructure, as well as identifying Danabot’s C&C servers. The joint takedown effort also led to the identification of individuals responsible for Danabot development, sales, administration, and more. ESET took part in the effort alongside Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru, Zscaler, Germany’s Bundeskriminalamt, the Netherlands' National Police, and the Australian Federal Police.

These law enforcement operations were conducted under Operation Endgame – an ongoing global initiative aimed at identifying, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust, the operation successfully took down critical infrastructure used to deploy ransomware through malicious software.

Since Danabot has largely been disrupted, we will use this opportunity to share our insights into the workings of this malware-as-a-service (MaaS) operation, covering the features used in the latest versions of the malware, the authors’ business model, and an overview of the toolset offered to affiliates. Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware – including ransomware – to an already compromised system.

Key points of the blogpost:

ESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that resulted in a major disruption of the malware’s infrastructure.

While primarily developed as an infostealer and banking trojan, Danabot has also been used to distribute additional malware, including ransomware.

Danabot’s authors promote their toolset through underground forums and offer various rental options to potential affiliates.

The typical toolset provided by Danabot’s authors to their affiliates includes an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communication between the bots and the actual C&C server.

Affiliates can choose from various options to generate new Danabot builds, and it’s their responsibility to distribute these builds through their own campaigns.

Background
Danabot, which belongs to a group of infostealer and/or banking malware families coded in the Delphi programming language, gained prominence in 2018 by being used in............