DanaBot launches DDoS attack against Ukrainian Ministry of Defense


Important points

A threat actor using DanaBot launched a distributed denial of service (DDoS) attack against the Ukrainian Ministry of Defense’s webmail server.
The DDoS attack was launched by using DanaBot to deliver a second stage malware payload using the download and execute command.
It is unclear whether this is an act of individual hacktivism, state sponsored, or possibly a false flag operation.

First discovered in 2018, DanaBot is a malware-as-a-service platform that uses affiliate IDs to identify threat actors, known as affiliates. These affiliates purchase access to the platform from another threat actor that develops the malware and command and control panel (C2), sets up and maintains the common C2 infrastructure, and provides sales and customer support. Affiliates then distribute and use the malware at their discretion – mainly to steal credentials and commit bank fraud.

On Wednesday, March 2, 2022, in the midst of Russia’s 2022 invasion of Ukraine, the threat actor identified by Affiliate ID 5 launched an HTTP-based Distributed Denial of Service (DDoS) attack against the webmail server of the Ukrainian Ministry of Defense at the URL hxxps://post.mil.gov[.]ua, as shown in Figure 1:

Figure 1: Hard-coded DDoS target attacked by DanaBot with Partner ID 5

At the time of publication, the webmail server is still online and reachable, as shown in Figure 2.

Figure 2: Ukrainian Ministry of Defense webmail server attacked by DanaBot Affiliate ID 5

The DDoS attack was launched using DanaBot’s Download and Execute (Command 2048 / Subcommand 9) to deliver a new executable with the SHA-256 hash: b61cd7dc3af4b5b56412d62f37985e8a4e23c64b1908e39510bc8e264ebad700

Like DanaBot itself, the downloaded DDoS executable is written in the Delphi programming language. Its only function is to carry out a simple HTTP-based DDoS attack against a hard-coded target. The executable is very similar to the one used in another DanaBot DDoS attack documented in November 2021; in that attack, DanaBot Affiliate ID 4 launched a DDoS attack against a Russian-language electronics forum.

Conclusion

While the timing and targeting certainly suggest this new attack is related to Russia’s 2022 invasion of Ukraine, it is unclear whether it was an act of individual hacktivism, something state-sponsored, or possibly a false flag operation. If the threat actor’s motive is to attack Ukraine, it is very likely that the actor will also use DanaBot’s more typical functionality, such as credential theft and document theft, against relevant victims in addition to the DDoS attack.

Cloud sandbox detection

Indicators of compromise

| IOC | Remarks |
| --- | --- |
| 7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513 | SHA256 hash of the Affiliate ID 5 DanaBot Loader component |
| 192.236.161[.]4 | DanaBot Affiliate ID 5 C2 server |
| 23.106.122[.]14 | DanaBot Affiliate ID 5 C2 server |
| 5.9.224[.]217 | DanaBot Affiliate ID 5 C2 server |
| ockiwumgv77jgrppj4na362q4z6flsm3uno5td423jj4lj2f2meqt6ad[.]onion | DanaBot Affiliate ID 5 C2 server |
| b61cd7dc3af4b5b56412d62f37985e8a4e23c64b1908e39510bc8e264ebad700 | SHA256 hash of the DDoS attack tool targeting the Ukrainian Ministry of Defense |

*** This is a Security Bloggers Network syndicated blog from the blog category feed written by Dennis Schwarz. Read the original post at: https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense
