# Using DDoS, DanaBot targets Ukrainian Ministry of Defense **[zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense](https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense)** ## March 7, 2022 Update DanaBot affiliate ID 5 has stopped DDoSing the Ukrainian Ministry of Defense’s webmail server [and started DDoSing a hardcoded IP address, 138.68.177[.]158. According to Passive DNS data,](https://www.virustotal.com/gui/ip-address/138.68.177.158/relations) this IP address has recently been associated with invaders-rf[.]com. This site claims to be (Google translated): “...an information resource of the Office of the National Security and Defense Council of Ukraine, which provides information about prisoners of war of the Russian Armed Forces who have invaded the territory of Ukraine since February 24, 2022. The portal will be available to Russian citizens, including soldiers' families or acquaintances, to obtain information on the condition and whereabouts of prisoners.” Given the threat actor’s previous targeting, this seems like the likely target. The DDoS attack payload was written and distributed similarly to the Ukrainian Ministry of Defense DDoS payload on March 2, 2022: ## Key Points A threat actor using DanaBot has launched a Distributed Denial of Service (DDoS) attack against the Ukrainian Ministry of Defense’s webmail server. The DDoS attack was launched by leveraging DanaBot to deliver a second-stage malware payload using the download and execute command. It is unclear whether this is an act of individual hacktivism, state-sponsored, or possibly a false flag operation. ----- [DanaBot, first discovered in 2018, is a malware-as-a-service platform where threat actors, known](https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot) as affiliates are identified by affiliate IDs. These affiliates purchase access to the platform from another threat actor who develops the malware and command and control (C2) panel, sets up and maintains the shared C2 infrastructure, and provides sales and customer support. Affiliates then distribute and use the malware as they see fit--mostly to steal credentials and commit banking fraud. On Wednesday March 2, 2022, in the midst of the 2022 Russian invasion of Ukraine, the threat actor identified by the affiliate ID 5 launched an HTTP-based Distributed Denial of Service (DDoS) attack against the Ukrainian Ministry of Defense’s webmail server with the URL hxxps://post.mil.gov[.]ua as shown in Figure 1: _Figure 1: Hardcoded DDoS Target Attacked by DanaBot With Affiliate ID 5_ At the time of publication, the webmail server is still online and reachable as shown in Figure 2. ----- _Figure 1: Ukrainian Ministry of Defense’s Webmail Server Targeted by DanaBot Affiliate ID 5_ The DDoS attack was launched using DanaBot's download and execute (command 2048 / subcommand 9) to deliver a new executable with the SHA-256 hash: [b61cd7dc3af4b5b56412d62f37985e8a4e23c64b1908e39510bc8e264ebad700](https://www.virustotal.com/gui/file/b61cd7dc3af4b5b56412d62f37985e8a4e23c64b1908e39510bc8e264ebad700?nocache=1) Similar to DanaBot, the downloaded DDoS executable is written in the Delphi programming language. Its sole functionality is to implement a bare-bones HTTP-based DDoS attack on a hardcoded target. The executable is very similar to the one used in another DanaBot DDoS attack that was documented in November 2021. In that attack, the DanaBot affiliate ID 4 launched a DDoS attack against a Russian language electronics forum. ## Conclusion While the timing and targeting certainly suggest this new attack is related to the 2022 Russian invasion of Ukraine, it is unclear whether this is an act of individual hacktivism, something statesponsored, or possibly a false flag operation. If the threat actor’s motive is to attack Ukraine, it is quite likely that in addition to the DDoS attack, the actor is using DanaBot’s more typical functionality such as credential theft and document theft against any relevant victims as well. ## Cloud Sandbox Detection ----- ----- ## Indicators of Compromise **IOC** **Notes** 7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513 SHA256 hash for the affiliate ID 5 DanaBot loader component 192.236.161[.]4 DanaBot affiliate ID 5 C2 server 23.106.122[.]14 DanaBot affiliate ID 5 C2 server 5.9.224[.]217 DanaBot affiliate ID 5 C2 server ockiwumgv77jgrppj4na362q4z6flsm3uno5td423jj4lj2f2meqt6ad[.]onion DanaBot affiliate ID 5 C2 server b61cd7dc3af4b5b56412d62f37985e8a4e23c64b1908e39510bc8e264ebad700 SHA256 hash for the DDoS attack tool targeting the Ukrainian Ministry of Defense fd217dde8d03cfb9179f5ad783665bb67c47a92278971e28c3d399e7ac6f0a54 SHA256 hash for the DDoS attack tool targeting invadersrf\.com c732d57f5b3354c368e54a16b193457d6f06b707c0388c5643677a9de13e04db SHA256 hash for the DDoS attack tool targeting invadersrf\.com ----- 9706a9d8aacea34071f6f1691dc3c1af3d01868fc17deb83a4b8f33e2342a9d3 SHA256 hash for the DDoS attack tool targeting invadersrf\.com **About ThreatLabz** ThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats and ensuring that the thousands of organizations using the global Zscaler platform are always protected. In addition to malware research and behavioral analysis, team members are involved in the research and development of new prototype modules for advanced threat protection on the Zscaler platform, and regularly conduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance standards. ThreatLabz regularly [publishes in-depth analyses of new and emerging threats on its portal, research.zscaler.com.](https://research.zscaler.com/) -----