Валентин Шнайдер, Hot News
23 May 2025, 14:02
The US Department of Justice dismantled the DanaBot hacking network and charged 16 members of the group
US law enforcement has dismantled the global infrastructure of the DanaBot malware, which was operated under the control of a Russian cybercrime group. The 16 suspects in the case, including two Russians from Novosibirsk, are suspected of large-scale attacks on users around the world.
The US Department of Justice announced on May 16 a large-scale special operation to destroy the digital infrastructure of DanaBot, malware also known as DanaTools. According to the US Department of Justice, the attackers used this tool for financial fraud, espionage, identity theft and the distribution of ransomware.
What is DanaBot?
DanaBot was first discovered in 2018. It was actively distributed through spam campaigns with attachments containing macros. The software was distinguished by its modular architecture, which allowed its functionality to be expanded depending on the attack targets. Over time, DanaBot became popular among cybercriminals thanks to the “malware-as-a-service” model, which made it possible to rent it to other hacking groups.
In total, according to the agency, DanaBot infected more than 300,000 devices worldwide and caused at least $50 million in damage. The case involves 16 people, including two, Alexander Stepanov (JimmBee, 39 years old) and Artem Kalinkin (Onix, 34 years old), who are currently hiding in Russia.
Both are charged with conspiracy to hack computer systems, bank fraud, identity theft, and unauthorized interference with the operation of protected devices. Stepanov is also charged with wiretapping and illegal use of intercepted communications.
Of particular interest to investigators was the fact that some suspects accidentally infected their own computers with DanaBot, thereby exposing their identities. The case file states: "In some cases, self-infection was intentional - for testing or improving the software. In others, it was the result of carelessness: cybercriminals often infect themselves."
We also recently reported on hackers who have been distributing a malicious version of KeePass for at least eight months. It installs Cobalt Strike, steals passwords, and adds programs that harm the device.