Between 27 and 29 May 2024, an international law enforcement operation coordinated by Europol, codenamed Operation Endgame, targeted malware droppers like IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot.
The joint actions were carried out by authorities in the Netherlands, Germany, France, Denmark, the United States, and the United Kingdom, with support from Europol and Eurojust. In addition, with the cooperation of the aforementioned authorities, there have also been police actions in Ukraine, Switzerland, Armenia, Portugal, Romania, Canada, Lithuania, and Bulgaria for the arrest or interrogation of suspects, searches, or the seizure and takedown of servers.
It is the largest operation ever against botnets, which play a crucial role in deploying ransomware.
These malicious programs are essential in the attack chain: they act as loaders for additional payloads, and some of them are also used to perform post-exploitation activities, including privilege escalation, reconnaissance, and credential theft.
The operation aimed to disrupt criminal services by arresting key individuals, dismantling infrastructure, and freezing illegal proceeds. Europol states that this operation had a global impact on the dropper ecosystem, which facilitated ransomware and other malicious attacks. Following the operation, eight fugitives linked to these activities will be added to Europe’s Most Wanted list on 30 May 2024. This large-scale operation, led by France, Germany, and the Netherlands, and supported by Eurojust, involved multiple countries and private partners.
“The coordinated actions led to:
Furthermore, it has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware.” reads the press release published by Europol. “The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained.”
Droppers are used to install other malware into target systems. They serve as the first stage of a malware attack, enabling attackers to deploy harmful programs like viruses, ransomware, or spyware.
Below are the descriptions for the botnets targeted by the operation:
“Operation Endgame does not end today. New actions will be announced on the website Operation Endgame. In addition, suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions. Suspects and witnesses will find information on how to reach out via this website.” concludes the announcement.
However, the criminal activity behind the targeted botnets is continuing. The malware researcher Rohit Bansal, who goes online with the handle “R.”, warns of a still-active server spreading the SystemBC malware.
(SecurityAffairs – hacking, Operation Endgame)