Global police operation strikes against malware infrastructure
A coalition of international law enforcement agencies carried out what they said was the “largest ever” operation to counter botnet and dropper malware by taking down or disrupting more than 100 servers, seizing 2,000 domains and identifying nearly 70 million euros earned by one of the main suspects in the case.
Officials with Europol announced early Thursday that “Operation Endgame” targeted droppers — malware used to get other malware onto a system — used extensively to facilitate a range of consequential cybercrimes, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot.
As part of the operation, authorities made one arrest in Armenia and three in Ukraine, and eight suspects linked to the activities and wanted by Germany will be added to Europe’s Most Wanted list, Europol said in its statement.
German authorities released images of the eight suspects and said the operation, which began in 2022, aims “to destroy the most relevant malware families in the category of initial access malware (so-called droppers or loaders),” according to a machine translation.
U.S. law enforcement agencies participated in the operation, along with their counterparts from the U.K., Denmark, France, Germany, Netherlands, Portugal and Ukraine.
As is increasingly common in cybercrime law enforcement disruptions, authorities have leaned into the messaging aspects of their operation. A website created in both English and Russian warns criminals involved in the dropper ecosystem to use caution.
“We have been investigating you and your criminal undertakings for a long time and we will not stop here,” the website reads. “This is Season 1 of operation Endgame. Stay tuned. It sure will be exciting. Maybe not for everyone though. Some results can be found here, others will come to you in different and unexpected ways. Feel free to get in touch, you might need us. Surely, we could both benefit from an openhearted dialogue. You would not be the first one, nor will you be the last. Think about (y)our next move.”
The site included a contact email address and Telegram handle, as well as highly produced videos, urging people with information to “reach out.”
As part of the operation, roughly 16.5 million email addresses and 13.5 million unique passwords collected by the malware strains targeted by police were shared with Have I Been Pwned, a service used to notify users that their email and passwords have been published or compromised, said Troy Hunt, the site’s operator.
The droppers in question have been tied to a multitude of cybercrime operations over the years. IcedID, for instance, “was a near constant presence in email inboxes from mid-2017 until the botnet was voluntarily dismantled by its operators in November 2023,” and had evolved from being used to target financial institutions in fraud operations to providing initial access to ransomware distributors, the Secureworks Counter Threat Unit told CyberScoop in an email Thursday.
One of the others, SmokeLoader, has been “a key enabler of cybercrime for nearly 15 years,” the CTU said, with various plugins that allowed credential theft, data theft, remote access and the launch of DDoS attacks.
Don Smith, CTU’s vice president of threat intelligence, said in the email that the operation continues an “impressive run” of law enforcement takedowns, referring to recent operations against the LockBit ransomware gang and cybercrime marketplaces.
“Individually these operations have been significant, in concert they demonstrate that whilst the malicious actors may be out of reach of the courts, their botnets and infrastructure is not, it can be compromised and taken offline,” he said. “We’re never going to get to the kernel of some of these organized criminal gangs, but if we can minimize the impact they have by reducing their ability to scale, their ability to deploy, then that’s a good thing.”