The DanaBot malware has returned with a new version spotted in attacks, six months after law enforcement’s Operation Endgame disrupted its activity in May.
According to security researchers at Zscaler ThreatLabz, there is a new variant of DanaBot, version 669, whose command-and-control (C2) infrastructure uses Tor domains (.onion) and “backconnect” nodes.
Zscaler also identified and listed several cryptocurrency addresses that threat actors are using to receive stolen funds, in BTC, ETH, LTC, and TRX.
DanaBot was first disclosed by Proofpoint researchers as a Delphi-based banking trojan delivered via email and malvertising.
It operated under a malware-as-a-service (MaaS) model, being rented to cybercriminals for a subscription fee.
In the years that followed, the malware evolved into a modular information stealer and loader, targeting credentials and cryptocurrency wallet data stored in web browsers.
The malware was used in numerous campaigns, some of them large-scale, and reappeared regularly from 2021 onward, remaining a steady threat to internet users.
In May this year, an international law enforcement effort codenamed ‘Operation Endgame’ disrupted DanaBot’s infrastructure and brought indictments and seizures, which significantly degraded its operations.
However, according to Zscaler, DanaBot is active again, with a rebuilt infrastructure. While the DanaBot operation was down, many initial access brokers (IABs) pivoted to other malware.
DanaBot’s resurfacing shows that cybercriminals remain resilient as long as there is a financial incentive, even after a multi-month disruption, especially when the core operators are not arrested.
Typical initial access methods observed in DanaBot infections include malicious emails (via links or attachments), SEO poisoning, and malvertising campaigns, some of which led to ransomware.
Organizations can defend against DanaBot attacks by adding the new indicators of compromise (IoCs) published by Zscaler to their blocklists and by updating their security tools.