ESET Research<p>The <a href="https://infosec.exchange/tags/FBI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FBI</span></a> and <a href="https://infosec.exchange/tags/DCIS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DCIS</span></a> disrupted <a href="https://infosec.exchange/tags/Danabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Danabot</span></a>. <a href="https://infosec.exchange/tags/ESET" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ESET</span></a> was one of several companies that cooperated in this effort. <a href="https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">welivesecurity.com/en/eset-res</span><span class="invisible">earch/danabot-analyzing-fallen-empire/</span></a><br><a href="https://infosec.exchange/tags/ESETresearch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ESETresearch</span></a> has been involved in this operation since 2018. Our contribution included providing technical analyses of the malware and its backend infrastructure, as well as identifying Danabot’s C&C servers. 
Danabot is a <a href="https://infosec.exchange/tags/MaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MaaS</span></a> <a href="https://infosec.exchange/tags/infostealer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infostealer</span></a> that has also been seen pushing additional malware – even <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ransomware</span></a>, such as <a href="https://infosec.exchange/tags/LockBit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LockBit</span></a>, <a href="https://infosec.exchange/tags/Buran" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Buran</span></a>, and <a href="https://infosec.exchange/tags/Crisis" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Crisis</span></a> – to compromised systems. <br>We have analyzed Danabot campaigns all around the world, found a substantial number of distinct samples of the malware, and identified more than 1,000 C&Cs. <br>This infostealer is frequently promoted on underground forums. Affiliates are offered an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communication between the bots and the C&C server. <br>IoCs are available in our GitHub repo. You can expect updates with more details in the coming days. <a href="https://github.com/eset/malware-ioc/tree/master/danabot" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/eset/malware-ioc/tr</span><span class="invisible">ee/master/danabot</span></a></p>