A global coalition of private defenders and law enforcement agencies notched another win against a core facilitator of cybercrime, carrying out coordinated seizures and takedowns of DanaBot’s command and control servers and disrupting the malware-as-a-service operation, the Justice Department said Thursday.
Federal officials also unsealed a grand jury indictment and criminal complaint charging 16 individuals for their alleged involvement in the development and deployment of DanaBot. The malware, which was initially developed as a banking trojan in 2018, was updated multiple times and eventually used as an information stealer and loader for follow-on malware, according to threat researchers.
The Russia-based cybercrime organization that controlled and deployed DanaBot ultimately infected more than 300,000 computers globally, resulting in fraud and ransomware, causing at least $50 million in damage, the DOJ said.
The successful break-up of DanaBot, which became part of a global botnet, marks the second high-profile law enforcement takedown of a widespread malware operation in as many days. Global law enforcement authorities and cybersecurity companies on Wednesday toppled the prolific Lumma Stealer infostealer operation, which infected about 10 million systems.
The takedowns and indictments mark a flurry of law enforcement activity against cybercrime as part of Operation Endgame — a broader and ongoing international law enforcement effort to dismantle and prosecute cybercriminal organizations.
The DOJ on Thursday also unsealed a federal indictment charging Rustam Rafailevich Gallyamov, 48, of Moscow, Russia, with allegedly leading the cybercrime group responsible for the development and deployment of the Qakbot malware operation, which was disrupted by international law enforcement in 2023. Authorities said they seized over $24 million in cryptocurrency from Gallyamov during their investigation.
A countdown clock on the Operation Endgame site indicates more news in the fight against cybercrime will be announced Friday morning.
Authorities named two of the 16 defendants accused of operating DanaBot: Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, both residents of Novosibirsk, Russia. Kalinkin and Stepanov are not in custody and believed to be in Russia, the DOJ said. The United States doesn’t have an extradition treaty with Russia.
DanaBot included multiple features that allowed cybercriminals to hijack banking sessions and steal data from infected computers, including account credentials, device information, browsing histories and cryptocurrency wallet information, experts said. DanaBot was also used to achieve full remote access to victim computers to record keystrokes and videos of users’ activities.
The DOJ said a second version of the botnet targeted computers in military, government and diplomatic operations. This variant targeted military officials, diplomats and law enforcement personnel in North America and Europe, sending stolen data to a different server than the fraud-oriented version of DanaBot, officials said.
This mix of espionage and cybercrime distinguishes DanaBot, which CrowdStrike tracks as Scully Spider, from typical financially motivated operations, the cybersecurity firm’s threat researchers said in a Thursday blog post.
“Though it is unclear how the collected data was used, we think this direct use of criminal infrastructure for intelligence-gathering activities provides evidence that Scully Spider operators were acting on behalf of Russian government interests,” CrowdStrike said.
Said Kenneth DeChellis, special agent in charge of the Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Cyber Field Office: “The enforcement actions announced today, made possible by enduring law enforcement and industry partnerships across the globe, disrupted a significant cyber threat group, who were profiting from the theft of victim data and the targeting of sensitive networks. The DanaBot malware was a clear threat to the Department of Defense and our partners.”
The FBI’s Anchorage Field Office and DCIS led the investigation into DanaBot, with assistance from federal police agencies in Germany, the Netherlands and Australia. Multiple cybersecurity companies also aided the investigation and takedown operation, including Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Team Cymru and Zscaler.
The post DanaBot malware operation seized in global takedown appeared first on CyberScoop.