
The U.S. Department of Justice (DOJ) on Thursday announced the disruption of the online infrastructure associated with Danabot (aka DanaTools) and unsealed charges against 16 individuals allegedly involved in developing and deploying the malware, which is said to be run by a Russia-based cybercrime organization.
The malware infected more than 300,000 victim computers around the world, facilitated fraud and ransomware, and is said to have caused at least $50 million in damages. Two of the accused, Aleksandr Stepanov (aka JimmBee), 39, and Artem Aleksandrovich Kalinkin (aka Onix), 34, both from Novosibirsk, Russia, are currently at large.
Stepanov is charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorized access to a protected computer, unauthorized access to obtain information, unauthorized impairment of a protected computer, wiretapping, and use of an intercepted communication. Kalinkin is charged with conspiracy to gain unauthorized access to a computer to obtain information, conspiracy to gain unauthorized access to a computer to defraud, and conspiracy to commit unauthorized impairment of a protected computer.
The unsealed criminal complaint and indictments show that several of the defendants, including Kalinkin, accidentally exposed their real identities after infecting their own systems with the malware.
“In some cases, such self-infections appeared to be deliberate, in order to test, analyze, or improve the malware,” the complaint [PDF] reads. “In other cases, the infections appeared to be careless. One of the risks of committing cybercrime is that criminals can accidentally infect themselves with their own malware.”

“Inadvertent infections often resulted in sensitive and compromising data being stolen from the actor’s computer by the malware and stored on the Danabot servers, including data that helped identify members of the Danabot organization.”
If convicted, Kalinkin faces a statutory maximum sentence of 72 years in federal prison, and Stepanov faces a maximum of five years. Concurrent with the legal action, law enforcement, as part of Operation Endgame, seized Danabot’s command-and-control (C2) servers, including dozens of virtual servers hosted in the U.S.
“Danabot malware used a variety of methods to infect victim computers, including spam email messages containing malicious attachments or hyperlinks,” the DOJ said. “Victim computers infected with Danabot malware became part of a botnet (a network of compromised computers), enabling the operators and users of the botnet to remotely control the infected computers in a coordinated manner.”
Danabot operates under a malware-as-a-service (MaaS) model, much like the recently dismantled Lumma Stealer, with its administrators leasing out access for “thousands of dollars” a month. Tracked under the monikers Scully Spider and Storm-1044, it is a multi-functional tool in the vein of Emotet, TrickBot, QakBot, and IcedID that serves as an information stealer and delivers next-stage payloads such as ransomware.
The Delphi-based modular malware is equipped to siphon data from victim computers, hijack banking sessions, and collect device information, user browsing history, stored account credentials, and cryptocurrency wallet information. It also allows operators to gain full remote access, log keystrokes, and capture video. It has been active in the wild since its debut as a banking trojan in May 2018.

“After initially targeting victims in Ukraine, Poland, Italy, Germany, Austria, and Australia, Danabot expanded its targeting to include U.S.- and Canada-based financial institutions in October 2018,” it said. “The malware’s popularity grew thanks to early module development supporting Zeus-based web injects, information-stealer capabilities, keystroke logging, screen recording, and hidden virtual network computing (HVNC) capabilities.”
According to Black Lotus Labs and Team Cymru, Danabot employs a tiered communications infrastructure between the victim and the botnet controller, in which C2 traffic is proxied through two or three server tiers before reaching the final tier. At least five to six Tier-2 servers were active at any given time. The majority of Danabot’s victims are concentrated in Brazil, Mexico, and the United States.
“The operators have demonstrated a commitment to their craft by adapting to detection and changes in enterprise defenses, with subsequent iterations to insulate their staging C2s and obfuscate their tracks,” the company said. “Over that time, they made their bots more user-friendly via a tiered pricing structure and customer support.”

The DOJ said Danabot’s administrators also operated a second version of the botnet, specifically designed to target victim computers belonging to military, diplomatic, government, and related entities in North America and Europe. Introduced in January 2021, this variant is equipped to record all interactions taking place on the victim device and send the data to a separate server.
“Pervasive malware like Danabot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” said Bill Essayli, United States Attorney for the Central District of California.
The DOJ also credited several private-sector companies, Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, SpyCloud, Team Cymru, and Zscaler, for providing “valuable assistance.”
Some of the notable aspects of Danabot, compiled from various reports, are listed below –
- Danabot’s sub-botnet 5 received a command to download a Delphi-based executable and conduct HTTP-based distributed denial-of-service (DDoS) attacks against Ukraine’s National Security and Defense Council (NSDC) on March 25, 2022.
- Danabot operators, likely acting for espionage purposes and further intelligence gathering on behalf of the Russian government’s interests, have focused on defense evasion since 2022.
- The malware’s components include an “online server” that handles bot functionality, a “client” for collected logs and bot management, and a “server” that handles bot generation, packaging, and C2 communications.
- Danabot has been used in targeted espionage attacks against government officials in the Middle East and Eastern Europe.
- Danabot’s developers also run their own botnet on private servers, and have partnered with the authors of several malware crypters and loaders, such as Matanbuchus, to offer special pricing for Danabot distribution bundles.
- The operation maintained roughly 150 active Tier-1 C2 servers per day, infecting about 1,000 or more victims per day across 40 countries.
Proofpoint, which first identified and named Danabot in May 2018, said the disruption of the MaaS operation is a victory for defenders and will affect the cybercrime threat landscape.
“Disruptions of cybercrime and law enforcement actions not only undermine the functionality of the malware, but also impose a cost on threat actors by forcing them to change tactics, cause distrust in the criminal ecosystem, and make criminals think about finding another career.

“These successes against cybercriminals only occur when enterprise IT teams and security service providers share much-needed insights about the biggest threats to society that impact the most people around the world, which law enforcement can use to track the servers, infrastructure, and criminal organizations behind the attacks.”

DOJ unseals charges against Qakbot leader
The development came as the DOJ unsealed an indictment against Rustam Rafailevich Gallyamov, a 48-year-old Moscow resident, for leading the effort to develop and maintain the Qakbot malware, which was disrupted in a multinational operation in August 2023.
“Gallyamov developed, deployed, and controlled the Qakbot malware starting in 2008,” the DOJ said. “Beginning in 2019, Gallyamov allegedly used the Qakbot malware to infect thousands of victim computers around the world in order to establish a network, or ‘botnet,’ of infected computers.”
Following the takedown, the DOJ revealed that Gallyamov and his co-conspirators continued their criminal activities by gaining unauthorized access to victim networks and switching to other tactics, such as “spam bomb” attacks, to deploy ransomware families such as Black Basta and Sabotes. Court documents describe an e-crime group engaged in these methods as recently as January 2025.
“Gallyamov’s bot network was crippled by the talented men and women of the FBI in 2023, but he brazenly deployed alternative methods to make his malware available to criminal cyber gangs that ran ransomware attacks against innocent victims around the world.”