U.S. Shuts Down DanaBot Malware and Charges Its Developers


DanaBot Malware: A Dual Threat of Theft and Espionage


In a significant development, U.S. federal prosecutors have revealed that a prominent member of the Russian cybercrime organization behind DanaBot inadvertently infected their own device with the malware. This oversight enabled an FBI agent to conduct a forensic analysis of the compromised system. The indictments announced on Thursday include charges against 16 individuals, notably Aleksandr Stepanov, also known as “JimmBee,” and Artem Aleksandrovich Kalinkin, referred to as “Onix,” both hailing from Novosibirsk, Russia.

The Justice Department disclosed that the Defense Criminal Investigative Service has dismantled key command-and-control servers associated with DanaBot, including numerous virtual servers located across the United States. A specific allegation in the complaint against Kalinkin states that the FBI managed to acquire copies of numerous DanaBot servers. During the investigation, federal agents discovered an active account on a computer belonging to Onix, which revealed real-time data exfiltration and, through email identifiers, linked Onix directly to Kalinkin.

U.S. Attorney Bill Essayli emphasized the far-reaching impact of DanaBot, stating, “Pervasive malware like DanaBot harms hundreds of thousands of victims worldwide, including sensitive military, diplomatic, and governmental entities, resulting in substantial financial losses.” Prosecutors estimate that DanaBot has compromised over 300,000 systems globally, leading to damages exceeding $50 million. Analysis by cybersecurity firm ESET highlights Poland as one of the most affected regions, with more than 1,000 unique DanaBot command and control servers documented.

Although first publicly identified in 2018, DanaBot’s origins trace back to 2015, when Stepanov began developing it. The malware has been sold to various affiliates for $3,000 to $4,000 per month, a sign of a lucrative underground market. The FBI reports that roughly 40 active customers operated the malware between 2018 and 2021, most of them Russian nationals. DanaBot is notable for existing in two versions: one built for financially motivated cybercrime and another geared toward espionage.

Notably, the espionage variant has infiltrated systems in the United States, Belarus, the United Kingdom, Germany, and Russia, primarily targeting communications related to sensitive diplomatic matters. While the U.S. prosecutors have not yet pursued charges against those using the espionage version, evidence indicates it was employed to gather confidential data, including financial transactions of diplomatic personnel.

In March 2022, DanaBot was utilized in a distributed denial of service (DDoS) attack against the Ukrainian Ministry of Defense’s webmail server. The indictment also implicates unnamed co-conspirators related to these attacks, which coincided with Russia’s military actions against Ukraine. Earlier, in late 2019 and early 2020, DanaBot operators were observed impersonating credible entities, such as the Organization for Security and Co-operation in Europe, to distribute the malware further.

As highlighted by cybersecurity firm CrowdStrike, DanaBot illustrates the complex overlap between organized cybercriminal operations and state-sponsored actions, suggesting that the operators may have acted in alignment with Russian governmental objectives. Additionally, the criminal variant not only targets banking credentials but has increasingly been leveraged to facilitate fraudulent transactions in online retail environments, resulting in extensive financial repercussions for numerous e-commerce platforms.

DanaBot infiltrates systems using a variety of vectors, including phishing campaigns, malvertising, and through compromised software. One notable tactic involved embedding the malware within a JavaScript package downloaded over 8.9 million times weekly. Experts from ESET identified the exploitation of Google Ads, where malicious links masquerading as legitimate results emerged as a prevalent infection strategy.

Furthermore, affiliates have built fake IT support websites that trick users into executing harmful commands on their own computers. In light of this evolving threat landscape, business owners must prioritize cybersecurity resilience and recognize the significant operational risk posed by malware like DanaBot.
