ESET Research shares its findings on the workings of Danabot, an infostealer recently disrupted in a multinational law enforcement operation
# Incident Report: Disruption of Danabot Infrastructure (Operation Endgame)
## Executive Summary
This report covers the long-term international disruption and dismantling of the Danabot malware-as-a-service (MaaS) infrastructure under **Operation Endgame**. Danabot, active since at least 2018, functioned as an infostealer and banking trojan capable of deploying secondary malware such as ransomware. The operation, involving numerous law enforcement agencies and cybersecurity firms including ESET, resulted in the identification of key administrators and the takedown of critical Command and Control (C&C) servers, significantly disrupting affiliate operations globally.
## Incident Details
- **Discovery Date:** Ongoing analysis since 2018 (initial ESET involvement).
- **Incident Date:** Affiliate campaigns have been ongoing since Danabot rose to prominence in 2018; this report summarizes the disruption and takedown effort that culminated in the execution of Operation Endgame.
- **Affected Organization:** Various global organizations targeted by Danabot affiliates (Specific victims not detailed in this source).
- **Sector:** Cross-sector (Banking/Financial focused, but used for general data theft and DDoS).
- **Geography:** Global, with historical reporting highlighting high activity in Australia and Poland.
## Timeline of Events
### Initial Access
- **Date/Time:** Since 2018 (Ongoing campaign launch by affiliates).
- **Vector:** Primarily distributed via spam campaigns targeting specific geographies (e.g., Australia initially).
- **Details:** Affiliates obtained custom Danabot builds (generated from the MaaS platform) and distributed them through their own malicious campaigns.
### Lateral Movement
- The report does not detail specific lateral movement techniques for Danabot itself, but the toolset offered to affiliates likely enables post-compromise activities necessary for data collection.
### Data Exfiltration/Impact
- **Impact:** Data exfiltration (sensitive data, banking credentials), additional malware delivery (including ransomware), and malicious behavior such as launching DDoS attacks against critical infrastructure (e.g., Ukraine's Ministry of Defense).
### Detection & Response
- **Detection:** Long-term tracking by ESET researchers starting in 2018, identifying over 1,000 unique C&C servers.
- **Response Actions:** Coordinated international effort under Operation Endgame (led by Europol/Eurojust), involving FBI, DCIS, and private sector partners. This effort focused on technical analysis, identifying C&C infrastructure, and identifying the developers/administrators (e.g., JimmBee and Onix). The response culminated in the disruption of the command and control network.
## Attack Methodology
- **Initial Access:** Distribution of custom-generated Danabot builds by affiliates.
- **Persistence:** Not explicitly detailed, but implied through the nature of a successful malware operation.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Use of sophisticated C&C communication methods (Encryption, Obfuscation, Multi-hop Proxy).
- **Credential Access:** Infostealer and banking trojan capabilities (Implied ability to harvest credentials).
- **Discovery:** Implied capability for system reconnaissance.
- **Lateral Movement:** Toolset includes a backconnect tool for real-time control of bots.
- **Collection:** Automated exfiltration configuration, screen capture, and video capture capabilities.
- **Exfiltration:** Exfiltration over the C&C channel; transfers can be limited by size.
- **Impact:** Data theft, secondary malware deployment (Ransomware module), and DDoS resource utilization.
## Impact Assessment
- **Financial:** Unknown; costs include losses from data theft and remediation for victims of affiliates, plus the operational costs borne by law enforcement and security vendors involved in Operation Endgame.
- **Data Breach:** Exfiltration of sensitive data (banking credentials implied).
- **Operational:** Demonstrated capability to launch focused DDoS attacks against high-value targets (e.g., Ministry of Defense).
- **Reputational:** Impact on affiliates' reputation among criminal underground due to the massive coordinated takedown effort.
## Indicators of Compromise
*Note: Since the report details the disruption, technical IoCs are contextual rather than active targets.*
- **Network indicators:** C&C communications utilized custom TCP protocols, RSA and AES-256 encryption, Zlib/ZIP compression, junk data obfuscation. Fallback communications via Tor were documented.
- **File indicators:** N/A (Specific hashes not provided).
- **Behavioral indicators:** Execution of screen/video capture modules; utilization of systems for DDoS attacks against political/military targets.
## Response Actions
- **Containment:** Takedown of C&C infrastructure identified through joint efforts, severely limiting the ability of affiliates to control existing bots.
- **Eradication:** Identification and targeting of key developers/administrators overseeing the MaaS platform.
- **Recovery:** Relief for potential victims as the ability to deploy future Danabot versions is severely curtailed.
## Lessons Learned
- **Key takeaways:** Long-term, industry-wide collaboration (as seen in Operation Endgame) is essential to dismantle sophisticated, evolving MaaS operations like Danabot.
- **What could have been done better:** ESET has been tracking Danabot since 2018, which suggests that faster, more unified international law enforcement action in the early stages could have reduced the overall compromise window.
## Recommendations
- **Prevention measures for similar incidents:** Maintain robust threat intelligence sharing pipelines between private vendors and law enforcement. Enhance EDR and network visibility to detect precursors of banking-trojan activity and secondary malware deployment (such as ransomware staging). Implement controls to monitor for non-standard custom TCP traffic and complex C&C communication patterns.
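As an added example (not from the ESET report or from this summary), the following Python triages TCP flow records using the traits the network indicators and recommendations above describe: a destination port where an opaque protocol is not expected, a client payload whose byte entropy looks encrypted or compressed and carries no recognized handshake, and unusually large outbound volume. The `Flow` record shape, the port sets, the thresholds and the sample flows are constructed for illustration and are assumptions, not Danabot protocol details; a real deployment would populate the records from a flow sensor or packet capture.

```python
"""Heuristic triage of TCP flows for custom, opaque C&C-style traffic.

Added example with hypothetical heuristics; constructed sample data below.
"""
import math
from collections import Counter
from dataclasses import dataclass

# Ports where an opaque (encrypted) payload is expected by design.
EXPECTED_OPAQUE_PORTS = {22, 443, 465, 853, 993, 995}
# Well-known ports in general; anything else counts as a weak "non-standard" signal.
COMMON_PORTS = EXPECTED_OPAQUE_PORTS | {25, 53, 80, 110, 123, 143, 587, 8080}
ENTROPY_THRESHOLD = 7.2         # bits/byte; compressed or encrypted data approaches 8.0
MIN_SAMPLE = 64                 # entropy over fewer bytes is too noisy to trust
LARGE_UPLOAD_BYTES = 5_000_000  # client->server volume that warrants a second look


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    orig_bytes: int        # total bytes sent by the internal host
    payload_sample: bytes  # first bytes of client->server payload


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_known_handshake(payload: bytes) -> bool:
    """Recognize protocol prefixes whose payload is legitimately opaque or textual."""
    is_tls = len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03
    is_http = payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ", b"OPTI")
    is_ssh = payload.startswith(b"SSH-")
    return is_tls or is_http or is_ssh


def score_flow(flow: Flow) -> list[str]:
    """Return the reasons a flow deserves analyst attention (empty list = no signal)."""
    reasons = []
    if flow.dport not in COMMON_PORTS:
        reasons.append(f"non-standard destination port {flow.dport}")
    if len(flow.payload_sample) >= MIN_SAMPLE:
        ent = shannon_entropy(flow.payload_sample)
        if ent >= ENTROPY_THRESHOLD and not has_known_handshake(flow.payload_sample):
            reasons.append(f"opaque payload ({ent:.2f} bits/byte) with no recognized handshake")
    if flow.orig_bytes >= LARGE_UPLOAD_BYTES:
        reasons.append(f"large outbound volume ({flow.orig_bytes} bytes)")
    return reasons


def triage(flows: list[Flow]) -> dict[tuple, list[str]]:
    """Map (src, dst, dport) to its reasons for every flow that raised at least one."""
    findings = {}
    for f in flows:
        reasons = score_flow(f)
        if reasons:
            findings[(f.src, f.dst, f.dport)] = reasons
    return findings


# Constructed stand-in for an encrypted blob: every byte value occurs equally often.
OPAQUE = bytes(range(256)) * 2
# Constructed flow records (RFC 5737 documentation addresses; not real observations).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", 443, 4_200,
         b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + OPAQUE),   # TLS on 443: expected
    Flow("10.0.0.5", "198.51.100.21", 80, 900,
         b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
         b"User-Agent: x\r\nAccept: */*\r\n\r\n"),                    # plaintext HTTP: expected
    Flow("10.0.0.7", "203.0.113.9", 4433, 12_000, OPAQUE),            # opaque on odd port: 2 signals
    Flow("10.0.0.9", "203.0.113.10", 5555, 6_500_000, OPAQUE),        # plus heavy upload: 3 signals
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_FLOWS).items():
        print(key, "->", "; ".join(reasons))
```

Each signal is weak on its own: junk-data padding lowers measured entropy, multi-hop proxying hides the true destination, and plenty of legitimate software speaks custom protocols. The value is in stacking signals, baselining per host, and tuning the port sets and thresholds to the environment before routing findings to an analyst.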