The United States Department of Justice (DoJ) issued a series of indictments prior to the weekend of 24-27 May, relating to individuals accused of involvement in the DanaBot and Qakbot malware services, which have caused havoc for organisations, facilitating fraud and ransomware attacks and causing millions of dollars of damage to their victims.

The indictments relating to DanaBot – which first emerged in 2018 as a banking trojan – also come amid a major takedown of the service orchestrated with multinational law enforcement and private sector partners. This follows in the wake of the Lumma Stealer takedown earlier in May, and saw US agents seize and dismantle DanaBot's command and control (C2) infrastructure, including dozens of virtual servers hosted in the US itself.

This formed part of the wider, ongoing Operation Endgame, a major global law enforcement collaboration targeting cyber criminal gangs, and was supported by the Australian, Dutch and German authorities. Private sector cyber companies also provided support, including Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, SpyCloud, Team Cymru and Zscaler. Other partners, including the Shadowserver Foundation, are now working with the authorities to find, notify and assist DanaBot victims, of which there are thought to be hundreds of thousands.

“Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” said United States Attorney Bill Essayli for the Central District of California.

“The charges and actions announced today demonstrate our commitment to eradicating the largest threats to global cyber security and pursuing the most malicious cyber actors, wherever they are located.”

The DoJ has also unsealed indictments against 16 individuals associated with DanaBot, notable among them two Russian individuals named as Aleksandr 'JimmBee' Stepanov, 39, and Aleksandrovich 'Onix' Kalinkin, 34, both of Novosibirsk, Siberia's largest city.

Stepanov is charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorised access to a protected computer to obtain information, unauthorised impairment of a protected computer, wiretapping and use of an intercepted communication. Kalinkin is charged with conspiracy to gain unauthorised access to a computer to obtain information, to gain unauthorised access to a computer to defraud, and to commit unauthorised impairment of a protected computer.

As is usual in such indictments, because both individuals are located in Russia, and given the current geopolitical fractures between Russia and the West, it is highly unlikely that either will face these charges in a US court unless they travel to a jurisdiction that will extradite to the US.

What Did DanaBot Do?

Spread by spam emails containing malicious attachments and hyperlinks, the DanaBot malware co-opted its victims' machines into botnets that were used by its controllers to steal data, including browsing history, device information, stored credentials and the contents of virtual crypto wallets. It was also able to hijack online banking sessions, all without its victims' knowledge.

In addition, DanaBot could also provide users – who bought access to it through a standard malware-as-a-service (MaaS) business model – with full remote access to compromised computers to record keystrokes and take video via the webcam, and act as an aid in the spread of ransomware.

Notably, its admins ran a second version of the DanaBot botnet that targeted diplomatic, government and military bodies in North America and Europe. This botnet used different servers to those used by their common-or-garden fraudster customers.

Proofpoint staff threat researcher Selena Larson, who participated in the takedown, said: “The disruption of DanaBot is a fantastic win for defenders, and will have an impact on the cyber criminal ecosystem. Criminal disruptions and law enforcement actions not only impair malware functionality and use, but also impose costs on threat actors by forcing them to change their tactics, cause mistrust in the criminal ecosystem and potentially make criminals think about finding a different career.

“These successes against cyber criminals only come about when business IT teams and security service providers share much-needed insight into the biggest threats to society, affecting the greatest number of people around the world, which law enforcement can use to track down the servers, infrastructure and criminal organisations behind the attacks.

“Private and public sector collaboration is crucial to knowing how actors operate and taking action against them. When possible and appropriate to do so, Proofpoint leverages its knowledge and technical skillset to help protect a wider audience and the internet community and defend against widespread malware threats,” said Larson.

More Trouble for Qakbot

Also last week, a federal indictment unsealed by the DoJ levelled charges against one Rustam Rafailevich Gallyamov, 48, of Moscow, accusing him of being the mastermind who deployed and ran Qakbot, a far older malware, also with origins in the world of banking trojans, which was taken down in a 2023 operation.

In connection with the charges, the DoJ has also filed a civil forfeiture complaint against $24m in crypto assets seized from Gallyamov – including $4m seized during the 2023 takedown – which it will seek to return to victims if possible.

Qakbot was at one time the bête noire of many a cyber security professional. Sold through a MaaS model like DanaBot, it was frequently used as a staging post by ransomware gangs, including some of the more notorious crews of the past 10 years such as Black Basta, DoppelPaymer, Egregor and REvil. These gangs allegedly paid Gallyamov a portion of any ransoms they received.

The indictment also alleges that following the takedown of Qakbot, Gallyamov and his co-conspirators continued their work but pivoted to a different set of techniques. Rather than using a botnet, they turned to so-called spam bomb attacks on victims, in which email inboxes at targeted companies are overwhelmed with junk email as a set-up for tricking the recipients.

Gallyamov was allegedly conducting such attacks as a Black Basta ransomware affiliate, according to the DoJ.

Support in the Qakbot investigation was provided by agencies in France, Germany and the Netherlands, with the European Union's Europol also involved.
