The United States has just destroyed the online infrastructure of Danabot, a formidable malware strain programmed to steal its victims' data. Before its infrastructure collapsed, the virus had managed to compromise 300,000 computers worldwide. It has caused 50 million in damages since its creation.
The continuation of Operation Endgame
The dismantling of Danabot is a direct result of Operation Endgame, initiated by Europol last May. Presented as "the largest operation ever carried out", it has already led to the takedown of dangerous and widespread viruses such as IcedID, SystemBC, Pikabot, and Smokeloader. More recently, the operation also resulted in the destruction of six other malware programs, namely Bumblebee, Latrodectus, Qakbot, DanaBot, Trickbot, and Warmcookie. To bring down Danabot, the U.S. justice system partnered with several technology and cybersecurity giants, including Google, Amazon, Intel, ESET, CrowdStrike, and Proofpoint.
Following the infrastructure seizure, the U.S. Department of Justice indicted 16 people accused of developing and deploying DanaBot. The virus was allegedly developed by a Russia-based cybercriminal organization. All those charged remain free, as they are located on Russian soil. The hackers are not at risk of extradition to the United States, all the more so since Moscow has shown leniency toward cybercriminals. Josh Hopkins, a researcher at Cymru who is involved in the Washington investigation, said the Danabot hackers were "acting with the blessing of the government, and likely under the watchful eye of intelligence agencies." According to Selena Larson, a cybersecurity researcher at Proofpoint, it is possible that the law enforcement assaults could eventually convince the hackers to abandon the criminal underworld. Takedown operations impose "costs on threat actors by forcing them to change their tactics, create distrust in the criminal ecosystem, and potentially lead criminals to consider finding a different career."
What was Danabot capable of?
Having emerged in 2018, Danabot specializes in data theft. Once a system has been compromised, the malware is capable of orchestrating the theft of sensitive data, including logins and passwords, distributing other viruses, and conducting financial fraud. The virus can steal banking details or private keys linked to crypto wallets. Finally, the malware was able to record video of users of the infected computer and spy on every word typed on the keyboard.
According to experts at CrowdStrike, DanaBot initially targeted computers in Ukraine, Poland, Italy, Germany, Austria, and Australia. The virus quickly moved on to targets in the United States and Canada, such as financial institutions.
According to the U.S. justice system, all the hacked computers were part of a giant botnet, a network of infected devices. Danabot was offered under a "Malware-as-a-Service" (MaaS) model: through a subscription costing several thousand dollars per month, any hacker could use Danabot to facilitate their activities. Danabot was particularly exploited by cybercriminals specializing in ransomware attacks. To spread, the virus hid in phishing emails carrying malicious attachments or booby-trapped links.
In fact, there were two versions of Danabot: a rental variant aimed at hackers looking to make money, and an espionage edition reserved for specific needs. The latter was used to conduct espionage operations against "sensitive military, diplomatic, and government entities," according to the U.S. Department of Justice.
The fall of Danabot is a new blow to the criminal ecosystem, already marked by the collapse of other viruses massively used by hackers. A few days ago, for example, the American justice system, Europol, and the Japanese Cybercrime Control Center put an end to Lumma Stealer, another virus specialized in data extraction.
Source: Justice.gov