A vulnerability introduced into the DanaBot malware operation by a June 2022 update led to the identification, indictment, and dismantling of the operation in a recent law enforcement action.
DanaBot is a malware-as-a-service (MaaS) platform that was active from 2018 through 2025 and was used for banking fraud, credential theft, remote access, and distributed denial of service (DDoS) attacks.
Zscaler's ThreatLabz researchers, who discovered the vulnerability and dubbed it 'DanaBleed', explain that a memory leak allowed them to gain a deep peek into the malware's internal operations and the people behind it.
Leveraging the flaw to collect valuable intelligence on the cybercriminals enabled an international law enforcement action named 'Operation Endgame' to take DanaBot infrastructure offline and indict 16 members of the threat group.
DanaBleed
The DanaBleed flaw was introduced in June 2022 with DanaBot version 2380, which added a new command and control (C2) protocol.
The weakness in the new protocol's logic lay in the mechanism that generated the C2 server's responses to clients: the responses were supposed to include randomly generated padding bytes, but the code did not initialize the newly allocated memory used for them, so whatever was left in that memory went out on the wire.
Zscaler researchers collected and analyzed a large number of C2 responses that, because of the memory leak bug, contained leftover data fragments from the server's memory.
This exposure is analogous to the Heartbleed problem discovered in 2014, which affected the ubiquitous OpenSSL software.
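The bug class described above, as an added example that is not Zscaler's or DanaBot's code: a constructed response format whose padding is never written (so it carries stale memory) beside the fixed builder that fills every padding byte, plus the analyst-side check that pulls printable fragments out of the padding across a corpus of responses. The wire format, the field layout and the stale-heap contents are all assumptions made for this illustration.

```python
"""Illustrates the DanaBleed class of bug: response padding that was meant
to be random but was never initialised leaks whatever the server last held.
The wire format below is constructed for this example; it is NOT the real
DanaBot protocol."""
import os
import re
import struct

# Stand-in for uninitialised heap memory: in a C server, a freshly
# malloc()'d buffer still contains whatever the process last wrote there.
# Contents are constructed sample data, not real leaked values.
_STALE_HEAP = b"SELECT * FROM bots WHERE id=42; admin_ip=203.0.113.7 \x00" * 4


def build_response_vulnerable(payload: bytes, pad_len: int) -> bytes:
    """Buggy builder: reserves pad_len bytes of padding but never writes
    them, so the client receives stale memory instead of random bytes."""
    padding = _STALE_HEAP[:pad_len]           # simulated uninitialised memory
    return struct.pack("<HH", len(payload), pad_len) + payload + padding


def build_response_fixed(payload: bytes, pad_len: int) -> bytes:
    """Hardened builder: every padding byte is explicitly filled from the
    OS CSPRNG before the buffer is sent."""
    padding = os.urandom(pad_len)
    return struct.pack("<HH", len(payload), pad_len) + payload + padding


def extract_padding(response: bytes) -> bytes:
    """Parse the constructed format (u16 payload_len, u16 pad_len, payload,
    padding) and return only the padding region."""
    payload_len, pad_len = struct.unpack_from("<HH", response, 0)
    start = 4 + payload_len
    return response[start:start + pad_len]


def leaked_strings(padding: bytes, min_len: int = 8) -> list[str]:
    """Truly random padding almost never contains long printable ASCII runs;
    any run found is a candidate fragment of leaked server memory."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, padding)]


def analyse(responses: list[bytes]) -> list[str]:
    """Analyst-side check: walk a corpus of captured responses and collect
    every printable fragment recovered from their padding."""
    found: list[str] = []
    for r in responses:
        found.extend(leaked_strings(extract_padding(r)))
    return found
```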
Thanks to DanaBleed, a broad array of private data was exposed to the researchers over time, including:
Threat actor details (usernames, IP addresses)
Backend infrastructure (C2 server IPs/domains)
Victim data (IP addresses, credentials, exfiltrated data)
Malware changelogs
Private cryptographic keys
SQL queries and debug logs
HTML and web interface snippets from the C2 dashboard
For over three years, DanaBot operated in a compromised state without its developers or customers ever realizing they were being exposed to security researchers.
This allowed targeted law enforcement action once enough data had been collected.
[Figure] Leaked HTML data in the C2 server responses (Source: Zscaler)
Although DanaBot's core team in Russia was only indicted and not arrested, the seizure of critical C2 servers, 650 domains, and nearly $4,000,000 in cryptocurrency has effectively neutralized the threat for now.
It is not unlikely that the threat actors will attempt to return to cybercrime operations at some point, but reduced trust from the hacking community will be a significant obstacle for them.