AT2k Design BBS Message Area
From: VRSS
To: All
Subject: DanaBot Malware Devs Infected Their Own PCs
Date/Time: May 22, 2025 9:20 PM

Feed: Slashdot
Feed Link: https://slashdot.org/
---

Title: DanaBot Malware Devs Infected Their Own PCs

Link: https://it.slashdot.org/story/25/05/22/235221...

The U.S. unsealed charges against 16 individuals behind DanaBot, a malware-as-
a-service platform responsible for over $50 million in global losses. "The
FBI says a newer version of DanaBot was used for espionage, and that many of
the defendants exposed their real-life identities after accidentally
infecting their own systems with the malware," reports KrebsOnSecurity. From
the report: Initially spotted in May 2018 by researchers at the email
security firm Proofpoint, DanaBot is a malware-as-a-service platform that
specializes in credential theft and banking fraud. Today, the U.S. Department
of Justice unsealed a criminal complaint and indictment from 2022, which said
the FBI identified at least 40 affiliates who were paying between $3,000 and
$4,000 a month for access to the information stealer platform. The government
says the malware infected more than 300,000 systems globally, causing
estimated losses of more than $50 million. The ringleaders of the DanaBot
conspiracy are named as Aleksandr Stepanov, 39, a.k.a. "JimmBee," and Artem
Aleksandrovich Kalinkin, 34, a.k.a. "Onix," both of Novosibirsk, Russia.
Kalinkin is an IT engineer for the Russian state-owned energy giant Gazprom.
His Facebook profile name is "Maffiozi." According to the FBI, there were at
least two major versions of DanaBot; the first was sold between 2018 and June
2020, when the malware stopped being offered on Russian cybercrime forums.
The government alleges that the second version of DanaBot -- emerging in
January 2021 -- was provided to co-conspirators for use in targeting
military, diplomatic and non-governmental organization computers in several
countries, including the United States, Belarus, the United Kingdom, Germany,
and Russia. The indictment says the FBI in 2022 seized servers used by the
DanaBot authors to control their malware, as well as the servers that stored
stolen victim data. The government said the server data also show numerous
instances in which the DanaBot defendants infected their own PCs, resulting
in their credential data being uploaded to stolen data repositories that were
seized by the feds. "In some cases, such self-infections appeared to be
deliberately done in order to test, analyze, or improve the malware," the
criminal complaint reads. "In other cases, the infections seemed to be
inadvertent -- one of the hazards of committing cybercrime is that criminals
will sometimes infect themselves with their own malware by mistake." A
statement from the DOJ says that as part of today's operation, agents with
the Defense Criminal Investigative Service (DCIS) seized the DanaBot control
servers, including dozens of virtual servers hosted in the United States. The
government says it is now working with industry partners to notify DanaBot
victims and help remediate infections. The statement credits a number of
security firms with providing assistance to the government, including ESET,
Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Team CYMRU, and
ZScaler.
