As introduced by the US Division of Justice \u2013 the FBI and US DoD\u2019s Protection Prison Investigative Service (DCIS) have managed to disrupt the infrastructure of the infamous infostealer, Danabot. ESET is likely one of the many cybersecurity corporations to take part on this long-term endeavor, changing into concerned again in 2018. Our contribution included offering technical analyses of the malware and its backend infrastructure, in addition to figuring out Danabot\u2019s C&C servers. The joint takedown effort additionally led to the identification of people liable for Danabot improvement, gross sales, administration, and extra. ESET took half within the effort alongside with Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Staff Cymru, Zscaler, Germany\u2019s Bundeskriminalamt, the Netherlands’ Nationwide Police, and the Australian Federal Police.<\/p>\n
These regulation enforcement operations had been performed below Operation Endgame<\/a> \u2013 an ongoing international initiative aimed toward figuring out, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust<\/a>, the operation efficiently took down crucial infrastructure used to deploy ransomware by means of malicious software program.<\/p>\n Since Danabot has largely been disrupted, we’ll use this chance to share our insights into the workings of this malware-as-a-service (MaaS) operation, masking the options used within the newest variations of the malware, the authors\u2019 enterprise mannequin, and an outline of the toolset provided to associates. Aside from exfiltrating delicate information, we now have noticed that Danabot can also be used to ship additional malware \u2013 together with ransomware \u2013 to an already compromised system.<\/p>\n Key factors of the blogpost:<\/strong><\/p>\n Danabot, which belongs to a gaggle of infostealer and\/or banking malware households coded within the Delphi programming language, gained prominence in 2018 by being utilized in a spam marketing campaign<\/a> focusing on Australian customers. Since then, Danabot has expanded<\/a> to different markets by means of varied campaigns, undergone a number of main updates<\/a> of its internals and backend infrastructure, and skilled each peaks and downturns in recognition amongst cybercriminals.<\/p>\n All through our monitoring since 2018, ESET has tracked and analyzed a considerable variety of distinct samples and recognized greater than 1,000 distinctive C&C servers. Throughout that interval, ESET analyzed varied Danabot campaigns all around the world, with Poland traditionally being some of the focused nations, as seen in Determine 1.<\/p>\n Along with typical cybercrime, Danabot has additionally been utilized in much less typical actions similar to using compromised machines for launching DDoS assaults. For instance, a DDoS assault towards Ukraine\u2019s Ministry of Protection was noticed by Zscaler<\/a> quickly after the Russian invasion of Ukraine. A really related DDoS module to the one utilized in that assault was additionally utilized by a Danabot operator to focus on a Russian website devoted to Arduino<\/a> improvement. These actions had been in all probability motivated by the affiliate\u2019s personal ambitions and political motivations.<\/p>\n The authors of Danabot function as a single group, providing their software for hire to potential associates, who subsequently make use of it for their very own malicious functions by establishing and managing their very own botnets. The authors have even arrange a assist web page on the Tor community with detailed details about the capabilities of their software, as depicted in Determine 2.<\/p>\n To accumulate new prospects, Danabot is ceaselessly promoted in underground boards by the consumer JimmBee, who acts as one of many predominant builders and directors of the Danabot malware and its toolset. One other noteworthy particular person from the Danabot group is a consumer recognized in underground boards as Onix, who coadministers the Danabot infrastructure and can also be liable for gross sales operations.<\/p>\n Danabot\u2019s authors have developed an enormous number of options to help prospects with their malevolent goals. Probably the most outstanding options provided by Danabot embody:<\/p>\n Apart from using its stealing capabilities, we now have noticed a wide range of payloads being distributed by means of Danabot through the years, similar to:<\/p>\n Moreover, we now have encountered cases of Danabot getting used to obtain ransomware onto already compromised techniques. We are able to identify LockBit, Buran, Disaster, and a NonRansomware variant<\/a> being pushed on a number of events.<\/p>\n Danabot\u2019s means to obtain and execute arbitrary payloads will not be the one characteristic used to distribute extra malware. Danabot was additionally noticed getting used as a software at hand off management of the botnet to a ransomware operator, as reported by Microsoft Menace Intelligence<\/a> in late 2023.<\/p>\n All through its existence, in line with our monitoring, Danabot has been a software of selection for a lot of cybercriminals and every of them has used totally different technique of distribution. Danabot\u2019s builders even partnered with the authors of a number of malware cryptors and loaders, and provided particular pricing for a distribution bundle to their prospects, serving to them with the method. Matanbuchus<\/a> is an instance of such a promoted loader.<\/p>\n Over time, we now have seen all kinds of distribution strategies being utilized by Danabot associates, together with:<\/p>\n Lately, out of all distribution mechanisms we noticed, the misuse of Google Adverts to show seemingly related, however really malicious, web sites among the many sponsored hyperlinks in Google search outcomes stands out as some of the outstanding strategies to lure victims into downloading Danabot. The preferred ploy is packing the malware with professional software program and providing such a package deal by means of bogus software program websites (Determine 3) or web sites falsely promising customers to assist them discover unclaimed funds (Determine 4).<\/p>\n The newest addition to those social engineering methods: misleading web sites providing options for fabricated laptop points, whose solely goal is to lure the sufferer into execution of a malicious command secretly inserted into the consumer\u2019s clipboard. An instance of such an internet site resulting in downloading of Danabot in Determine 5.<\/p>\n Initially, Danabot\u2019s authors relied on a single centralized server to handle all bots\u2019 connections and all associates\u2019 information, similar to command configurations and information collected from their victims. This centralized method definitely had a detrimental influence on that server\u2019s efficiency and was extra susceptible to potential disruptions. That is in all probability one of many the reason why we noticed a shift within the enterprise and infrastructure fashions in newer variations. Along with renting locations on their very own infrastructure, Danabot\u2019s authors now supply set up of a personal server, as marketed on their assist website, to be operated by the affiliate (Determine 6).<\/p>\n The rental choices, as provided by means of an underground discussion board in July 2023, are illustrated in Determine\u00a07.<\/p>\n It’s value mentioning that, based mostly on our monitoring, the rental of an account on the shared infrastructure managed by Danabot\u2019s authors appears to be the most well-liked selection for risk actors.<\/p>\n When associates buy a rental of one of many choices, they’re given instruments and credentials to hook up with the C&C server and handle their very own botnet by means of an administration panel. Within the following sections, we cowl the totally different components of the everyday toolset.<\/p>\n The standalone server software comes within the type of a DLL file and acts because the mind of the botnet. It’s put in on a Home windows server and makes use of a MySQL database for information administration. Bots connect with this server to transmit stolen information and obtain instructions issued by associates. Associates connect with this server through the administration panel software to handle their botnet. This C&C server software is offered for native set up just for associates paying for the upper tier private server possibility. Associates who select to function their botnets on Danabot\u2019s infrastructure as a substitute are given connection particulars to the C&C server already arrange there, and don’t have to host their very own C&C server.<\/p>\n The administration panel, displayed in Determine 8, is within the type of a GUI software, and represents crucial software from the botnet operator\u2019s perspective. It permits the affiliate to hook up with the C&C server and carry out duties similar to:<\/p>\n We offer extra particulars and examples of essentially the most fascinating capabilities of the administration panel within the upcoming sections.<\/p>\n One other essential software for administration is the standalone utility that permits botnet operators to remotely connect with and management their on-line bots. Out there actions for distant management, as seen within the software, are illustrated in Determine 9. In all probability essentially the most fascinating options for cybercriminals are the power to see and management the sufferer\u2019s laptop through a distant desktop connection and to carry out reconnaissance of the file system utilizing the built-in file supervisor.<\/p>\n Bots sometimes don’t connect with the principle C&C server immediately, however relatively use a series of proxies to relay the site visitors and conceal the placement of the true backend C&C. To facilitate this technique, Danabot\u2019s authors present a proxy server software, accessible for each Home windows and Linux techniques. Determine 10 exhibits the utilization message from the Linux model of this easy proxy server software. Apart from utilizing proxies, bots will be configured to speak with the server by means of the Tor community in case all proxy chains grow to be unavailable. An elective downloadable Tor module is then used for such communication.<\/p>\n Associates additionally ceaselessly make the most of this proxy server software as an middleman between their administration panel and the C&C server to additional improve their anonymity. When the whole lot is put collectively, the everyday infrastructure could look as proven in Determine 11.<\/p>\n Danabot employs its personal proprietary C&C communication protocol with its information encrypted utilizing AES-256. Generated AES session keys, distinctive for each message, are then additional encrypted utilizing RSA key pairs, securing the entire communication. It\u2019s value mentioning that there have been a number of updates to the communication protocol and the packet construction over time.<\/p>\n The present packet information construction of the everyday command, earlier than it’s encrypted, appears to be like as proven in Desk 1 . We wish to level out that many of the fields are solely used through the first request within the communication loop to authenticate the bot, and are left unset within the subsequent instructions.<\/p>\n Desk 1. Packet construction utilized in Danabot communication<\/em><\/p>\n\n
\n
Background<\/h2>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-1.png\" "\\"Figure")
Danabot group introduction<\/h2>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-2.png\" "\\"Figure")
Function overview<\/h2>\n
\n
\n
Distribution strategies<\/h2>\n
\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-3.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-4.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-5.png\" "\\"Figure")
Infrastructure<\/h2>\n
Overview<\/h3>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-6.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-7.png\" "\\"Figure")
C&C server software<\/h3>\n
Administration panel<\/h3>\n
\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-8.png\" "\\"Figure")
Backconnect software<\/h3>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-9.png\" "\\"Figure")
Proxy server software<\/h3>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-10.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-11.png\" "\\"Figure")
Internals<\/h2>\n
Communication<\/h3>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-12.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-13.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/05-25\/danabot\/figure-14.png\" "\\"Figure")
![\"\"](\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\")
<\/a><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"