Europol-Coordinated Operation Against Botnets Dismantles Dropper Malware Ecosystem

• An internationally coordinated operation targeted the cyberinfrastructure used for malware.
• Four people have been arrested, and more than 100 internet servers have been taken down or disrupted in Europe, the UK, the US, and elsewhere.
• The sting disabled several global malware droppers that facilitated cyberattacks.

Operation Endgame, as per the European Union's law enforcement agency, which called it "the largest ever operation against botnets, which play a major role in the deployment of ransomware,” was carried out between May 27 and 29.

The actions were aimed at disrupting criminal services and taking down infrastructure for malware droppers, including Bumblebee, IcedID, Pikabot, Smokeloader, and SystemBC, which facilitated attacks with ransomware and other malicious software. 

Malware droppers are a type of malicious software used during the first stage of a malware attack. They allow cybercriminals to bypass security measures and deploy additional harmful programs onto a target system (which was the primary use of SmokeLoader) through the following operation phases: infiltration, execution, evasion, and payload delivery.

Anonymous communication between an infected system and command-and-control servers was enabled by SystemBC, and Bumblebee was distributed mostly through phishing campaigns or compromised websites to deliver and execute further payloads. Pikabot is a trojan used to get initial access and facilitate ransomware deployments, remote computer take-over, and data theft, and IcedID (also known as BokBot), previously a banking trojan, had been further developed to deploy ransomware.

The procedure had over 2,000 domains under the control of law enforcement, and after 16 location searches, 11 of which were in Ukraine, it resulted in one arrest in Armenia and three people detained in Ukraine and over 100 servers taken down or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States, and Ukraine.

According to the investigators, one of the main suspects earned at least EUR 69 million ($74.5 million) in cryptocurrency by renting ransomware-deploying websites. Eight other fugitives wanted for their involvement in serious cybercrime activities were linked to this case and added to Europe’s Most Wanted list.

The operation was initiated and led by France, Germany, and the Netherlands, supported by Eurojust, and involved Denmark, the UK, and the US. Other European countries also participated, making arrests, conducting searches, interviewing suspects, and seizing or taking down servers and domains. 

Several private partners participated as well, including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus, and DIVD.