HomeVulnerabilityDanaBot malware operators uncovered by way of C2 bug added in 2022

DanaBot malware operators uncovered by way of C2 bug added in 2022

A vulnerability within the DanaBot malware operation launched in June 2022 replace led to the identification, indictment, and dismantling of their operations in a latest regulation enforcement motion.

DanaBot is a malware-as-a-service (MaaS) platform energetic from 2018 by means of 2025, used for banking fraud, credential theft, distant entry, and distributed denial of service (DDoS) assaults.

Zscaler’s ThreatLabz researchers who found the vulnerability, dubbed ‘DanaBleed,’ clarify {that a} reminiscence leak allowed them to achieve a deep peak into the malware’s inside operations and the individuals behind it.

Leveraging the flaw to gather worthwhile intelligence on the cybercriminals enabled a world regulation enforcement motion named ‘Operation Endgame’ to take DanaBot infrastructure offline and indict 16 members of the risk group.

DanaBleed

The DanaBleed flaw was launched in June 2022 with DataBot model 2380, which added a brand new command and management (C2) protocol.

A weak spot within the new protocol’s logic was within the mechanism that generated the C2 server’s responses to shoppers, which was supposed to incorporate randomly generated padding bytes however did not initialize newly allotted reminiscence for these.

See also  THN Cybersecurity Recap: High Threats, Instruments and Traits (Oct 7

Zscaler researchers collected and analyzed numerous C2 responses that, because of the reminiscence leak bug, contained leftover information fragments from the server’s reminiscence.

This publicity is analogous to the HeartBleed downside found in 2014, impacting the ever present OpenSSL software program.

Because of DanaBleed, a broad array of personal information was uncovered to the researchers over time, together with:

  • Menace actor particulars (usernames, IP addresses)
  • Backend infrastructure (C2 server IPs/domains)
  • Sufferer information (IP addresses, credentials, exfiltrated data)
  • Malware changelogs
  • Non-public cryptographic keys
  • SQL queries and debug logs
  • HTML and net interface snippets from the C2 dashboard

For over three years, DanaBot operated in a compromised mode with out its builders or shoppers ever realizing they had been being uncovered to security researchers.

This allowed focused regulation enforcement motion when sufficient information had been collected.

Leaked HTML data on the C2 server responses
Leaked HTML information on the C2 server responses
Supply: Zscaler

Though DanaBot’s core workforce in Russia was merely indicted and never arrested, the seizure of important C2 servers, 650 domains, and practically $4,000,000 in cryptocurrency has successfully neutralized the risk for now.

See also  Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spy ware on iPhones

It’s not unlikely that the risk actors try to return to cybercrime operations sooner or later, however decreased belief from the hackers’ neighborhood shall be a major impediment for them.

Tines Needle

Patching used to imply advanced scripts, lengthy hours, and limitless fireplace drills. Not anymore.

On this new information, Tines breaks down how trendy IT orgs are leveling up with automation. Patch sooner, scale back overhead, and concentrate on strategic work — no advanced scripts required.

- Advertisment -spot_img
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular