Oops: DanaBot Malware Devs Infected Their Own PCs

U.S. authorities today unsealed criminal charges against 16 individuals accused of operating and distributing DanaBot, a prolific strain of information-stealing malware that has been sold on Russian-language cybercrime forums since 2018. According to the FBI, a newer variant of DanaBot was used for espionage, and many of the defendants inadvertently exposed their real identities after infecting their own computers with the malware.


Features of DanaBot, as advertised on its support website. Image: welivesecurity.com.

First identified in May 2018 by researchers at the email security firm Proofpoint, DanaBot is a malware-as-a-service platform focused on credential theft and banking fraud.

Today the U.S. Department of Justice unsealed a criminal complaint and indictment from 2022, which state that the FBI identified at least 40 affiliates who were paying between $3,000 and $4,000 a month for access to the information-stealing platform.

The government alleges that the malware infected more than 300,000 systems worldwide, causing estimated losses of over $50 million. The leaders of the DanaBot operation are identified as Aleksandr Stepanov, 39, also known as "JimmBee," and Artem Aleksandrovich Kalinkin, 34, also known as "Onix," both of Novosibirsk, Russia. Kalinkin is employed as an IT engineer at the Russian state-owned energy giant Gazprom, and his Facebook profile name is "Maffiozi."

The FBI said there were at least two major versions of DanaBot. The first was sold from 2018 until June 2020, when the malware stopped being offered on Russian cybercrime forums. The government says the second version, which surfaced in January 2021, was made available to affiliates for targeting military, diplomatic and non-governmental organization computers in several countries, including the United States, Belarus, the United Kingdom, Germany and Russia.

“Uncharged co-conspirators utilized the Espionage Variant to compromise computers globally and extract sensitive diplomatic communications, access credentials, and other information from these targeted victims,” states a grand jury indictment dated September 20, 2022. “This extracted information included financial operations conducted by diplomatic staff, correspondence related to daily diplomatic interactions, along with summaries of a specific nation’s dealings with the United States.”

The indictment notes that in 2022 the FBI seized servers the DanaBot authors used to control their malware, as well as the servers that stored data harvested from victims. The government says those server records also show numerous instances in which the DanaBot defendants infected their own computers, resulting in their credentials being uploaded to the stolen-data repositories the authorities later seized.

“In several instances, such self-infections appeared to be intentional, aimed at testing, assessing, or enhancing the malware,” remarks the criminal complaint. “In other incidents, the infections appeared to be accidental — one of the risks of engaging in cybercrime is that perpetrators occasionally infect themselves with their own malware unintentionally.”


Image: welivesecurity.com

A DOJ statement says that as part of today's action, agents with the Defense Criminal Investigative Service (DCIS) seized the DanaBot control servers, including several virtual servers hosted in the United States. The government says it is now working with industry partners to notify DanaBot victims and help remediate infections. The statement credits a number of security firms for their assistance, including ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Team Cymru and Zscaler.

It is not unusual for financially motivated malware to be repurposed for espionage. A variant of the ZeuS Trojan, which was used in countless online banking attacks against companies in the United States and Europe from 2007 until at least 2015, was at one point repurposed for espionage by its author.

As detailed in a 2015 article, the author of the ZeuS Trojan built a custom version of the malware specifically for surveillance, which searched infected systems in Ukraine for specific keywords in emails and documents likely to appear in classified material.

The public charging of the 16 DanaBot defendants comes just one day after Microsoft joined a number of technology companies in disrupting the infrastructure of another malware-as-a-service offering, Lumma Stealer, which is likewise sold to affiliates under tiered subscription plans ranging from $250 to $1,000 per month. Separately, Microsoft filed a civil lawsuit to seize control of 2,300 domain names used by Lumma Stealer and its affiliates.

Additional reading:

ESET: DanaBot: Analyzing a Fallen Empire

Zscaler blog: DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense

Flashpoint: Operation Endgame DanaBot Malware

March 2022 Criminal Complaint v. Artem Aleksandrovich Kalinkin

September 2022 Grand Jury Indictment Naming the 16 Defendants
