A vulnerability in the DanaBot malware operation introduced in June 2022 update led to the identification, indictment, and dismantling of their operations in a recent law enforcement action.
DanaBot is a malware-as-a-service (MaaS) platform active from 2018 through 2025, used for banking fraud, credential theft, remote access, and distributed denial of service (DDoS) attacks.
Zscaler's ThreatLabz researchers who discovered the vulnerability, dubbed 'DanaBleed,' explain that a memory leak allowed them to gain a deep peak into the malware's internal operations and the people behind it.
Leveraging the flaw to collect valuable intelligence on the cybercriminals enabled an international law enforcement action named 'Operation Endgame' to take DanaBot infrastructure offline and indict 16 members of the threat group.
DanaBleed
The DanaBleed flaw was introduced in June 2022 with DataBot version 2380, which added a new command and control (C2) protocol.
A weakness in the new protocol's logic was in the mechanism that generated the C2 server's responses to clients, which was supposed to include randomly generated padding bytes but didn't initialize newly allocated memory for these.
Zscaler researchers collected and analyzed a large number of C2 responses that, due to the memory leak bug, contained leftover data fragments from the server's memory.
This exposure is analogous to the HeartBleed problem discovered in 2014, impacting the ubiquitous OpenSSL software.
As a result of DanaBleed, a broad array of private data was exposed to the researchers over time, including:
... continue reading