International law enforcement agencies have taken additional actions in Operation Endgame, targeting cybercriminal organizations, particularly those behind DanaBot. DanaBot is a powerful modular malware family written in Delphi, capable of keylogging, capturing screenshots, recording desktop videos, exfiltrating files, injecting content into web browsers, and deploying second-stage malware. It operates as a Malware-as-a-Service platform, enabling various attacks. DanaBot has been used in targeted attacks against government officials in the Middle East and Eastern Europe, and for DDoS attacks against Ukrainian servers. The malware implements a custom binary protocol encrypted with RSA and AES, and uses hardcoded C2 servers with Tor as a backup communication channel. Over 50 nicknames have been associated with DanaBot affiliates.
Author: AlienVault
Related Tags:
GlobeImposter
Danabot
HijackLoader
Cactus
targeted attacks
SmokeLoader
DDoS
espionage
T1185
Associated Indicators:


