The US has charged 16 people allegedly responsible for developing and deploying the DanaBot botnet operated from Russia.
The defendants include Aleksandr Stepanov, 39, a.k.a. “JimmBee,” and Artem Aleksandrovich Kalinkin, 34, a.k.a. “Onix,” both of Novosibirsk, Russia.
Along with more than a dozen others, they are charged with developing and deploying DanaBot, infecting more than 300,000 victim computers around the world, facilitating fraud and ransomware, and inflicting at least $50 million in damage.
According to the indictment, DanaBot operators used various attack avenues to infect victim computers, including spam email messages with malicious attachments or hyperlinks.
Victims infected with DanaBot malware became part of a network of compromised computers, known in infosec as a “botnet,” which enabled the operators to coordinate their remote control of the infected endpoints.
The malware-as-a-service model allowed client co-conspirators to “lease” access to the botnet and support tools, with fees reaching several thousand dollars a month.
Clients used DanaBot to steal data, including device information, user browsing histories, stored account credentials, and virtual currency wallet information, as well as to hijack banking sessions.
The malware also offered full remote access to record keystrokes and capture video showing people’s on-screen activity.
DanaBot has also been used as an initial means of infection for other forms of malware, including ransomware, according to the US Department of Justice.
Notably, according to the indictment, a separate version of the DanaBot malware was used to target individuals in military, diplomatic, government, and related entities.
“This version of the botnet recorded all interactions with the computer and sent stolen data to a different server than the fraud-oriented version of DanaBot,” according to the DOJ. “This variant was allegedly used to target diplomats, law enforcement personnel, and members of the military in North America, and Europe.”
"Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses," said Bill Essayli, US Attorney for the Central District of California. "The charges and actions announced today demonstrate our commitment to eradicating the largest threats to global cybersecurity and pursuing the most malicious cyber actors, wherever they are located."
An indictment is merely an allegation, meaning all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
Kalinkin is charged with conspiracy to gain unauthorized access to a computer to obtain information, to gain unauthorized access to a computer to defraud, and to commit unauthorized impairment of a protected computer.
Both Kalinkin and Stepanov are believed to be in Russia and are not yet in custody.
If convicted, Kalinkin would face a statutory maximum sentence of 72 years in federal prison, and Stepanov would face a maximum of five years.
As part of the operation to shutter the DanaBot command and control servers, Defense Criminal Investigative Service (DCIS) agents seized and took down dozens of virtual servers hosted in the United States.
According to the DOJ, the US government is now working with partners to notify DanaBot victims and help remediate infections.
Not everyone is a target for hackers – less so for organized cybercrime – but it’s always a good idea to protect your devices with a security solution capable of sniffing out and blocking inbound malware before it’s too late.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
May 23, 2025