Danabot: Analyzing a Fallen Empire

Summary:
Under the international cybercrime operation known as Operation Endgame, the FBI and the U.S. Department of Defense’s Defense Criminal Investigative Service, in coordination with Europol and Eurojust, successfully dismantled the infrastructure behind Danabot, a long-running malware-as-a-service platform. Active since 2018, Danabot evolved from a banking trojan into a multifaceted threat capable of credential theft, remote access, and malware deployment, including ransomware. The takedown was supported by ESET, Amazon, CrowdStrike, Google, and law enforcement from Germany, the Netherlands, and Australia. ESET contributed by analyzing malware samples, mapping Danabot’s infrastructure, and identifying command-and-control servers.

Danabot was operated by a central group that rented out its toolset to affiliates. These affiliates managed their own botnets using a comprehensive toolkit that included a C&C server, an administration panel, a backconnect utility, and a proxy server. The malware was primarily distributed through email spam, malicious loaders such as Smokeloader and Matanbuchus, and deceptive ads and websites, including fake software download pages and phishing scams.

Danabot featured capabilities such as data theft from browsers and applications, keylogging, screen recording, web injects, and the ability to execute arbitrary payloads, including ransomware such as LockBit and Buran. It also supported DDoS modules, occasionally used for politically motivated attacks. Affiliates could generate customized builds through a configuration interface, and Danabot's backend communications were encrypted using a combination of AES and RSA.

Security Officer Comments:
Over the years, ESET observed over 1,000 unique C&C servers and multiple campaign variants, with Poland being one of the most targeted countries. The infrastructure shifted from a centralized model to offering private servers to affiliates, further decentralizing control. The malware's administration panel enabled detailed botnet management, data export, and configuration of new builds and payloads. Notably, Danabot also contained bugs in its packet padding that inadvertently leaked server memory, giving researchers additional insight into the backend. Despite the infrastructure disruption, the future of Danabot remains uncertain. The takedown dealt a significant blow by identifying and exposing key individuals behind the operation, though the potential for recovery persists given the malware's complexity and widespread use.
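The padding bug mentioned above is a classic memory-disclosure pattern: a server builds a block-aligned packet, writes the payload and the trailing length byte, and leaves the padding bytes as whatever the allocator returned, so stale heap contents travel to the client. The C program below is added here as an illustration and is not Danabot's or ESET's code; the toy arena allocator, the "secret" string, the PKCS#7-style format and the exact mechanism are assumptions for the example, not details taken from ESET's analysis. It shows the leaky routine beside a hardened one that writes every padding byte explicitly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16
#define ARENA_SIZE 256

/* Toy bump allocator standing in for the server heap (constructed for this
   example). Like a real allocator, it hands back memory without wiping
   whatever the previous owner left in it. */
static uint8_t arena[ARENA_SIZE];
static size_t arena_top;

static void arena_reset(void) { arena_top = 0; }

static uint8_t *arena_alloc(size_t n) {
    if (arena_top + n > ARENA_SIZE) return NULL;
    uint8_t *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* Round len up to the next multiple of BLOCK; a full block is added when
   len is already aligned (PKCS#7-style: last byte holds the pad length). */
static size_t padded_len(size_t len) { return len + (BLOCK - len % BLOCK); }

/* Vulnerable: only the payload and the final length byte are written.
   The bytes in between are uninitialised allocator memory. */
uint8_t *pad_packet_leaky(const uint8_t *payload, size_t len, size_t *out_len) {
    size_t total = padded_len(len);
    uint8_t *buf = arena_alloc(total);
    if (!buf) return NULL;
    memcpy(buf, payload, len);
    buf[total - 1] = (uint8_t)(total - len);
    *out_len = total;
    return buf;
}

/* Hardened: every padding byte is set explicitly before the packet leaves. */
uint8_t *pad_packet_safe(const uint8_t *payload, size_t len, size_t *out_len) {
    size_t total = padded_len(len);
    uint8_t *buf = arena_alloc(total);
    if (!buf) return NULL;
    memcpy(buf, payload, len);
    memset(buf + len, (int)(total - len), total - len);
    *out_len = total;
    return buf;
}

/* Simulate one server round: a secret lived in the heap, was freed without
   being wiped, and the next packet buffer lands on top of it. Returns how
   many secret bytes end up inside the padding of the outgoing packet. */
size_t leaked_secret_bytes(uint8_t *(*pad)(const uint8_t *, size_t, size_t *)) {
    static const char secret[] = "SERVER-SECRET-0123456789abcdef"; /* constructed */
    static const uint8_t payload[] = "OK";                        /* 2 bytes, pads to 16 */
    arena_reset();
    uint8_t *old = arena_alloc(sizeof secret);
    memcpy(old, secret, sizeof secret);
    arena_reset();                      /* "free": contents are retained */
    size_t out_len = 0;
    uint8_t *pkt = pad(payload, 2, &out_len);
    size_t leaked = 0;
    /* Skip the 2 payload bytes and the final pad-length byte. */
    for (size_t i = 2; i + 1 < out_len; i++)
        if (pkt[i] == (uint8_t)secret[i]) leaked++;
    return leaked;
}

int main(void) {
    printf("leaky padding: %zu secret bytes in padding\n",
           leaked_secret_bytes(pad_packet_leaky));
    printf("safe padding:  %zu secret bytes in padding\n",
           leaked_secret_bytes(pad_packet_safe));
    return 0;
}
```

With the leaky routine, 13 of the 14 padding bytes carry the previous occupant of that memory; the hardened routine leaks none. The same check applies to any protocol handler that aligns or pads buffers: audit for allocations whose tail is never written, and prefer calloc or an explicit memset over trusting the allocator.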

Suggested Corrections:
ESET Researchers have published IOCs that can be used to detect and defend against Danabot:
https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/

Danabot targets Windows hosts and reaches them through email spam, third-party loaders such as Smokeloader and Matanbuchus, and malvertising that leads to fake software download pages and phishing sites. Users should avoid installing software from search-engine ads or unverified download sites, and organizations should filter spam attachments and block known loader infrastructure.

Because Danabot harvests credentials from browsers and other applications and gives affiliates remote access to the host, credentials present on an infected machine should be treated as compromised: reset them, enforce multi-factor authentication, and segment workstations from sensitive networks to limit lateral movement and follow-on payloads such as ransomware.

Once a host has joined a Danabot botnet, defenders may observe unusual outbound connections to unfamiliar servers or proxies (the backconnect and proxy components), keylogging or screen-recording activity, and slow or sluggish systems; compare observed network destinations against the published C&C indicators.

Link(s):
https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/