Prior to the recent takedown effort targeting the DanaBot botnet, cybersecurity researchers exploited a vulnerability in the threat's command and control (C&C) servers to obtain valuable information.
The DanaBot malware-as-a-service platform has been around since 2018. Its operators have offered access to other cybercriminals, who leveraged it for stealing information and, in some cases, DDoS attacks.
The DanaBot botnet, which ensnared over 300,000 devices and caused more than $50 million in damages, was targeted in an international law enforcement operation in May. Hundreds of servers and domains were seized and over a dozen individuals were charged.
Following the law enforcement operation, it came to light that DanaBot C&C servers were affected by a vulnerability that caused a memory leak. The flaw, which existed between June 2022 and early 2025, has been dubbed DanaBleed by security firm Zscaler due to its similarity with the infamous Heartbleed vulnerability.
DanaBleed is related to the custom binary C&C protocol used by DanaBot. A change introduced in June 2022 caused the C&C server to leak snippets of its process memory in responses sent to infected devices.
“The memory leak allowed up to 1,792 bytes per C&C server response to be exposed. The content of the leaked data was arbitrary and depended on the code being executed and the data being manipulated in the C&C server process at a given time,” Zscaler explained.
Despite these limitations, the security firm's researchers managed to obtain what they described as “significant insights into DanaBot” from the memory leaks collected over a period of nearly three years.
The researchers extracted valuable insights into DanaBot infrastructure and processes, as well as the threat actors behind the botnet.
The leaked data included threat actor usernames and IP addresses, backend C&C server IPs and domains, malware infection and exfiltration statistics, malware version updates, and private cryptographic keys. The leaks also contained victim data, such as IPs, credentials, and exfiltrated data.
“The leaked information revealed everything from backend server data, debugging logs, SQL statements, and cryptographic key material to sensitive victim data and parts of the C2 server's web interface,” Zscaler said.
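The article describes the leak as arbitrary process memory trailing each C&C response, from which the researchers carved usernames, IPs, SQL statements and key material. The following is an added example, not Zscaler's tooling and not DanaBot's real protocol: it assumes a captured response whose bytes past a declared payload length are leaked server memory (capped at the 1,792 bytes the article quotes), carves printable strings from that region the way `strings` would, and sorts them into indicator classes. The sample response bytes, the 12-byte payload length and the `triage` helper are constructed for illustration.

```python
"""Triage of leaked memory trailing a C&C response (added example).

Assumes a captured response in which everything after the declared payload
is leaked server memory, as described for DanaBleed. The protocol framing,
sample bytes and payload length below are constructed, not DanaBot's.
"""
import re
from collections import defaultdict

# Maximum leaked bytes per response, as quoted in the article.
MAX_LEAK = 1792

# Constructed sample: a short legitimate payload followed by "heap" bytes that
# mix binary noise with the kinds of fragments an analyst would care about.
SAMPLE_RESPONSE = (
    b"\x01\x00\x0c\x00" + b"OK\x00" + b"\x00" * 5          # 12-byte payload
    + b"\x8f\x13\x00\x00"
    + b"admin_panel_user\x00"                                # operator username
    + b"\xde\xad\xbe\xef"
    + b"SELECT bot_id, last_seen FROM bots WHERE ip='198.51.100.7'\x00"
    + b"\x00\x00\x00\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\x00"                 # key material header
    + b"\x7f\xfe\x01"
    + b"203.0.113.42:443\x00"                                # backend address
    + b"\x00" * 8
)
PAYLOAD_LEN = 12  # constructed: the header declares a 12-byte legitimate payload

# Indicator classes, checked in order; the first matching pattern wins.
PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("sql", re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*\b(FROM|INTO|SET)\b", re.I)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def leaked_region(response: bytes, payload_len: int) -> bytes:
    """Bytes past the declared payload: the region that should carry nothing."""
    return response[payload_len:payload_len + MAX_LEAK]


def carve_strings(data: bytes, min_len: int = 6) -> list:
    """Extract runs of printable ASCII so binary noise drops out."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(strings) -> dict:
    """Bucket carved strings by indicator class; unmatched ones go to 'other'."""
    buckets = defaultdict(list)
    for s in strings:
        for label, pat in PATTERNS:
            if pat.search(s):
                buckets[label].append(s)
                break
        else:
            buckets["other"].append(s)
    return dict(buckets)


def triage(response: bytes, payload_len: int) -> dict:
    """Carve and classify whatever trails the legitimate payload."""
    return classify(carve_strings(leaked_region(response, payload_len)))


if __name__ == "__main__":
    for label, items in triage(SAMPLE_RESPONSE, PAYLOAD_LEN).items():
        print(f"{label}: {items}")
```

Over many responses, the same routine run in a loop and de-duplicated is what turns "arbitrary" leaked bytes into the infrastructure inventory the article lists; the classifier is deliberately ordered so an SQL statement that happens to embed an IP is recorded once, as SQL, rather than double-counted.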
DanaBot was severely disrupted by the recent law enforcement action, but Zscaler believes it is too soon to determine the long-term impact on the botnet.