A bug in a June 2022 update was the beginning of the end for DanaBot, one of the most notorious banking malware programs. That flaw in its infrastructure allowed researchers to track down its operators, leading to an international raid that dismantled its operations and left 16 people charged.
DanaBot had been active since 2018 and functioned as a kind of “malware as a service” (MaaS). What does that mean? Basically, any cybercriminal could rent it to do things like steal credentials, commit bank fraud, take remote control of computers, or launch DDoS attacks (those that take down websites by saturating them with traffic).
The key discovery was made by researchers at Zscaler ThreatLabz. They found a vulnerability they dubbed DanaBleed, a memory-disclosure flaw (not a memory leak in the allocation sense, but leftover server memory sent out on the wire) that opened a direct window into everything going on behind the scenes of the malware: how it operated, what modules it used, and, most importantly, who was behind it.
The intelligence gathered through this leak fed into Operation Endgame, an international police effort that succeeded in shutting down DanaBot's servers and bringing several of those responsible to justice.
What was DanaBleed?
It all started in June 2022, when DanaBot released version 2380 and included a new command and control (C2) protocol. What its developers didn't know was that with that update, they also made a mistake (and a serious one at that).
The problem, which would later become known as DanaBleed, was in the way the C2 server built its responses to infected bots. Each response was supposed to end with a run of freshly generated random "filler" bytes, but there was one critical detail: the server reserved space for those bytes without ever initializing it. Whatever the buffer had held before (data from earlier requests, database queries, other bots' traffic) went out on the wire in place of the random padding, like reusing a scratch buffer without zeroing it first.
Zscaler researchers, who were already monitoring the botnet, began collecting these responses from the server. Thanks to the bug, they were able to see "leftovers" of memory that should never have left the server. Sound familiar? It's the same class of flaw as Heartbleed, the famous 2014 OpenSSL bug that also returned uninitialized or stale memory to clients and leaked sensitive information without anyone noticing.
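To make the bug class concrete, here is an added example in C that models it; it is not DanaBot's code nor Zscaler's, and the wire format, the reused scratch buffer and the embedded secret are all constructed for illustration. The vulnerable builder reserves the filler region and never writes it, so a secret left behind by earlier processing ships to the bot; the fixed builder initializes every filler byte before the copy. A small `response_contains` helper plays the researcher's role of scanning captured responses for known strings.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the DanaBleed bug class (added example, not DanaBot's
   code): a C2 server builds each response in a reused scratch buffer and
   appends "random filler" bytes without ever writing them, so whatever the
   buffer held before leaks to the bot. */

#define ARENA_SIZE 256
#define MAX_FILLER 128

/* Scratch buffer reused for every response, like a static or recycled heap block. */
static unsigned char arena[ARENA_SIZE];

/* Simulated earlier work on the server that left sensitive data in the buffer
   (constructed secret, not real data). */
void leave_secret_in_arena(void) {
    static const char secret[] = "db_password=CorrectHorse;victim=203.0.113.7";
    memset(arena, 0, sizeof arena);
    memcpy(arena, secret, sizeof secret - 1);
}

/* Illustrative wire format (assumed, not the real protocol):
   [payload_len:1][payload][filler_len:1][filler] */
static size_t write_header(const char *payload, size_t filler_len) {
    size_t plen = strlen(payload);
    if (plen > 255 || filler_len > MAX_FILLER) return 0;
    arena[0] = (unsigned char)plen;
    memcpy(arena + 1, payload, plen);
    arena[1 + plen] = (unsigned char)filler_len;
    return 2 + plen;            /* offset where the filler starts */
}

/* Vulnerable: the filler region is reserved but never initialized. */
size_t build_response_vulnerable(unsigned char *out, const char *payload, size_t filler_len) {
    size_t off = write_header(payload, filler_len);
    if (off == 0) return 0;
    /* BUG: nothing writes arena[off .. off+filler_len); stale bytes go out. */
    size_t total = off + filler_len;
    memcpy(out, arena, total);
    return total;
}

/* Fixed: every filler byte is explicitly written before the copy.
   A deterministic xorshift keeps this example reproducible; a real server
   would draw from a CSPRNG such as getrandom() or simply zero the bytes. */
static uint32_t prng_state = 0x9E3779B9u;
static unsigned char next_filler_byte(void) {
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 17;
    prng_state ^= prng_state << 5;
    return (unsigned char)prng_state;
}

size_t build_response_fixed(unsigned char *out, const char *payload, size_t filler_len) {
    size_t off = write_header(payload, filler_len);
    if (off == 0) return 0;
    for (size_t i = 0; i < filler_len; i++)
        arena[off + i] = next_filler_byte();    /* initialize before use */
    size_t total = off + filler_len;
    memcpy(out, arena, total);
    return total;
}

/* Researcher-side check: does a captured response contain a known string? */
int response_contains(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Returns 1 when the vulnerable build leaks the secret and the fixed one does not. */
int danableed_demo(void) {
    unsigned char resp[ARENA_SIZE];
    leave_secret_in_arena();
    size_t n = build_response_vulnerable(resp, "OK", 64);
    int leaks = response_contains(resp, n, "CorrectHorse");

    leave_secret_in_arena();
    size_t m = build_response_fixed(resp, "OK", 64);
    int still_leaks = response_contains(resp, m, "CorrectHorse");

    return leaks && !still_leaks;
}

int main(void) {
    printf("vulnerable build leaks, fixed build does not: %s\n",
           danableed_demo() ? "yes" : "no");
    return 0;
}
```

The point of the model is that the bug is invisible to the protocol itself: both builders produce a perfectly well-formed response of the same length, and the only difference is what the filler bytes happen to contain. That is why the leak could run for years without the operators noticing, and why a defender harvesting responses at scale could reassemble credentials, queries and dashboard HTML from the "padding".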
What information was exposed?
For nearly three years, DanaBot continued to operate as if nothing had happened, while its C2 server leaked data like a sieve. The incredible thing is that neither the developers nor the cybercriminals renting the platform noticed.
And what data did the researchers manage to collect? A little bit of everything:
- Information about the attackers themselves: usernames, IP addresses, and other traces they left behind by mistake.
- The entire C2 infrastructure: IP addresses, domains, and servers they used to communicate with the bots.
- Victim data: IP addresses, stolen credentials, and everything exfiltrated from infected systems.
- Internal malware logs, such as code changes or new versions.
- Private keys used to encrypt their communications (something very sensitive).
- SQL queries and debug logs showing how their servers operated.
- HTML code snippets and even parts of the web interface that operators used to manage the malware from their dashboards.
Why was this so important?
This error allowed investigators to observe everything from the inside, as if the attackers had left a window open into their command center. It wasn't just a momentary glimpse: it was a sustained leak lasting nearly three years.
And thanks to all that information, authorities were able to act with precision. Once they had enough evidence, an international police operation was launched that completely shut down the DanaBot infrastructure and brought charges against those involved.
Image: HTML data leaked in C2 server responses (Source: Zscaler)
Although the core of the DanaBot team, located in Russia, was not arrested but only formally charged, the blow they received was severe: authorities confiscated key C2 servers, more than 650 domains, and nearly $4 million in cryptocurrency. That, for now, has put the malware out of commission.
Could they try to come back later? Sure. But they're going to have a hard time. After such a big slip-up, the hacker community probably won't trust them as much anymore. In that world, losing your reputation is almost as bad as losing control of the code.