DanaBot botnet disrupted, QakBot leader indicted
Operation Endgame, mounted by law enforcement and judicial authorities from the US, Canada and the EU, continues to deliver positive results by disrupting the DanaBot botnet and indicting the leaders of both the DanaBot and Qakbot Malware-as-a-Service operations.
Operation Endgame 2.0
Coordinated by Europol and Eurojust, the operation was first made public a year ago, when it disrupted the global infrastructure used to deliver malware droppers and trojans – SystemBC, Bumblebee, SmokeLoader, IcedID, and Pikabot – and led to the arrest of a number of suspects involved in the distribution operations.
As Shadowserver Foundation’s CEO Piotr Kijewski recently noted, the action made a dent, though some loaders have “returned”.
The results of a new stage of the operation have been shared this week.
“From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain,” Europol announced on Friday.
“This latest phase (…) targeted new malware variants and successor groups that re-emerged after last year’s takedowns, reinforcing law enforcement’s capacity to adapt and strike back – even as cybercriminals retool and reorganise.”
This time around, the operation moved to neutralize the distribution of a variety of malware loaders that are used to pave the way for large-scale ransomware attacks: Bumblebee, HijackLoader, Latrodectus, Qakbot, DanaBot, Trickbot and the Warmcookie backdoor.
On Thursday, the US Department of Justice (US DoJ) unsealed charges against 16 defendants who allegedly developed and deployed the DanaBot malware on more than 300,000 victim computers around the world.
Only two have been named – Aleksandr Stepanov (“JimmBee”) and Artem Aleksandrovich Kalinkin (“Onix”), both residing in Russia.
“The DanaBot malware allegedly operated on a malware-as-a-service model, with the administrators leasing access to the botnet and support tools to client coconspirators for a fee that was typically several thousand dollars a month. The DanaBot malware was multi-featured and had extensive capabilities to exploit victim computers. It could be used to steal data from victim computers, and to hijack banking sessions, steal device information, user browsing histories, stored account credentials, and virtual currency wallet information,” the US DoJ said.
“DanaBot administrators operated a second version of the botnet that was used to target victim computers in military, diplomatic, government, and related entities. This version of the botnet recorded all interactions with the computer and sent stolen data to a different server than the fraud-oriented version of DanaBot. This variant was allegedly used to target diplomats, law enforcement personnel, and members of the military in North America, and Europe.”
The two suspects have not been apprehended, but the botnets’ command and control servers have been seized, and the US government is working with partners (including the Shadowserver Foundation) to notify DanaBot victims and help them clean up their machines.
Also on Thursday, the US DoJ unsealed charges against Rustam Rafailevich Gallyamov, of Moscow, Russia, who is allegedly the leader of the gang that developed and deployed the Qakbot malware.
“As alleged, once Gallyamov gained access to victim computers, he provided access to co-conspirators who infected the computers with ransomware, including Prolock, Dopplepaymer, Egregor, REvil, Conti, Name Locker, Black Basta, and Cactus. In exchange, Gallyamov was allegedly paid a portion of the ransoms received from ransomware victims,” the US DoJ noted.
The QakBot botnet was crippled in August 2023, when 52 of its servers were seized and the malware was removed from over 700,000 victim computers around the world. At the time, the US authorities also seized more than $8.6 million in cryptocurrency from wallets controlled by the Qakbot cybercriminal organization.
After the crippling of the QakBot bot network, the organization switched to using “spam bomb” attacks against organizations, to trick their employees into granting them access to company computers, the US DoJ explained.
An ongoing operation
Operation Endgame relies on help from a number of private sector cybersecurity companies (Sekoia, Zscaler, Crowdstrike, Proofpoint, Fox-IT, ESET, and others), non-profits such as Shadowserver and white-hat groups like Cryptolaemus.
“The takedown of DanaBot represents a significant blow not just to an eCrime operation but to a cyber capability that has appeared to align Russian government interests. The case (…) highlights why we must view certain Russian eCrime groups through a political lens — as extensions of state power rather than mere criminal enterprises,” Crowdstrike commented on the DanaBot disruption.
Zscaler has shared more about the MaaS DanaBot operation, including a list of 50 nicknames of affiliates. “While the specific effects on DanaBot remain unclear, it is likely that some of the affiliated threat actors will persist in their attacks,” its threat researchers have noted.
“We’ve previously seen disruptions have significant impacts on the threat landscape. For example, after last year’s Operation Endgame disruption, the initial access malware associated with the disruption as well as actors who used the malware largely disappeared from the email threat landscape,” Selena Larson, Staff Threat Researcher at Proofpoint, told Help Net Security.
“Cybercriminal disruptions and law enforcement actions not only impair malware functionality and use but also impose cost to threat actors by forcing them to change their tactics, cause mistrust in the criminal ecosystem, and potentially make criminals think about finding a different career.”
Operation Endgame is not over yet. Europol defines it as an ongoing and “long-term oriented operation”, and the countdown on its official site suggests additional wins will be revealed in the coming days.