Some of the most prominent malware-dropping botnets in operation today, including Bumblebee, IcedID, Pikabot, Smokeloader, SystemBC and Trickbot, have been disrupted in a coordinated law enforcement action orchestrated through the European Union’s (EU’s) Europol agency.
Operation Endgame, which enlisted the support of both the UK’s National Crime Agency (NCA) and the US’s FBI, as well as agencies from Armenia, Bulgaria, Denmark, France, Germany, Lithuania, the Netherlands, Portugal, Romania, Switzerland and Ukraine, unfolded between 27 and 29 May 2024.
Industry support came from a number of cyber specialists including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus and DIVD.
It focused on disrupting cyber criminal operations through takedowns of key infrastructure, asset freezes and arrests of high-value targets. The operation saw police make four arrests – one in Armenia and three in Ukraine; search 16 properties; take down over 100 servers; and seize 2,000 domains.
The investigation has also discovered that one of the main suspects involved has made at least €69m in cryptocurrency from renting out criminal infrastructure sites to ransomware gangs. This individual is being monitored and the authorities have legal permission to seize their assets in a future operation.
In a message posted on a dedicated Operation Endgame microsite, Europol said: “Welcome to The Endgame. International law enforcement and partners have joined forces. We have been investigating you and your criminal undertakings for a long time and we will not stop here.
“This is Season 1 of Operation Endgame. Stay tuned. It sure will be exciting. Maybe not for everyone though. Some results can be found here, others will come to you in different and unexpected ways.
“Feel free to get in touch, you might need us,” it continued. “Surely, we could both benefit from an open-hearted dialogue. You would not be the first one, nor will you be the last. Think about (y)our next move.”
Europol claimed that Operation Endgame is the largest ever operation against these botnets, which are primarily used as droppers to deliver ransomware and other malicious payloads.
“Operation Endgame does not end today,” said Europol. “New actions will be announced on the website Operation Endgame. In addition, suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions. Suspects and witnesses will find information on how to reach out via this website.”
How droppers work
Malware droppers are malicious software packages that in general do not cause damage to targeted computers, but are designed instead to be used as a staging post for other malwares – often ransomware lockers. Because of their utility to ransomware gangs, targeting them for disruption can have major downstream impacts.
They appear in the beginning stages of cyber attacks and help cyber criminals sneak past defences, evading detection to execute their attacks.
Those targeted in Operation Endgame have some differences between them in terms of how they work and exactly what they do – for example, many of them arrive as attachments to malicious phishing emails, others are inadvertently downloaded from compromised websites, and they can even be “bundled” with legitimate software – but all ultimately serve the same purpose.
Matt Hull, global head of threat intelligence at NCC Group, explained that because these botnets are essentially networks of internet-connected devices operating at the behest of a cyber criminal controller, it’s quite easy – in some cases, likely – to co-opt devices into such schemes without their legitimate owners’ knowledge.
In the UK, recent legislation in the form of the Product Security and Telecommunications Infrastructure Act – which came into force at the end of April 2024 – adds additional guardrails that may prevent devices belonging to ordinary members of the public from being press-ganged into criminal activity, but it’s still important to be aware of the botnet threat and take steps to protect your devices to avoid personal risk and impact on their normal operation.
“You should ensure your operating systems and applications are up to date, change default passwords on any IoT [internet of things] devices, and protect your online accounts with strong passwords and use multi-factor authentication where possible,” said Hull.
“It is also important to think before you click on links or open email attachments, as botnet malware is often spread via spam or phishing emails. It is good practice to always double-check that you are opening something legitimate.”
What comes next?
The security community has reacted positively to news of the sting, but their support is tempered by the knowledge that there is still much work to be done, and successful operations do not always produce long-term results.
“The authorities may have control of the infrastructure now, but countless devices likely remain infected with dormant botnet malware,” said Darktrace threat analysis head Toby Lewis.
“Seizing servers is just the first step – they need to act quickly to notify victims and provide clear guidance on removing malware and securing systems … Worst case scenario, attackers could regain command of a seized domain and swiftly reactivate the compromised devices that have been lying in wait.
“Law enforcement must remain vigilant, closely monitoring for any signs of the criminals attempting to establish new command and control servers or resurging botnet activity,” he said. “If the attackers try to regain their foothold, authorities need to be ready to rapidly alert victims.”
Lewis said a sustained effort would now be needed to clean up and prevent reinfection, and this required greater coordination between public and private sector partners, and transparent communication throughout.
“While this sting represents significant progress, it’s just one successful operation in the ongoing fight against cyber crime,” he said. “Cyber criminals are persistent and adaptive. We must remain equally diligent and proactive.”
US operation
Separately from Operation Endgame, an action led by the US Department of Justice (DoJ) has disrupted another large botnet implicated in ransomware attacks, fraud, online bullying and harassment, export violations, child exploitation, and even bomb threats.
This operation saw the arrest of a joint Chinese-St Kitts and Nevis national, named by the DoJ as YunHe Wang, aged 35, on criminal charges arising from the deployment of malware and the operation of the 911 S5 residential proxy service.
In indictments unsealed in the US last week, Wang was accused of creating and disseminating malware to create a network of millions of residential Windows computers associated with 19 million unique IP addresses, and making millions of dollars by offering cyber criminals access to them.
The malware was allegedly propagated through two virtual private networks (VPNs), MaskVPN and DewVPN, and pay-per-install services that bundled Wang’s malware with other files, generally pirate copies of licensed software or copyright materials. All of this was managed through about 150 dedicated servers – 76 of them leased from US-based service providers.
The DoJ claimed cyber criminals using 911 S5 in their attack chains may have stolen billions of dollars, including through over 550,000 fraudulent unemployment insurance claims against the US Covid-19 relief programme, which resulted in losses of $5.9bn to American taxpayers. Millions more were stolen from financial institutions.
Additionally, cyber criminals using 911 S5 were able to buy goods with stolen credit cards or criminally derived proceeds and export them outside the US in contravention of local export controls, and it was criminals located in Ghana using stolen credit cards to place fraudulent orders on the US Army and Air Force Exchange Service’s ShopMyExchange e-commerce platform that initially drew the attention of the authorities.
Wang himself is alleged to have made $99m from 911 S5, which he used to buy property in the US, St Kitts and Nevis, China, Singapore, China, and the UAE. The indictment additionally identified a number of high-value assets, including a 2022 Ferrari F8 Spider S-A, a Rolls-Royce and luxury wristwatches.
“The conduct alleged here reads like it’s ripped from a screenplay: a scheme to sell access to millions of malware-infected computers worldwide, enabling criminals over the world to steal billions of dollars, transmit bomb threats and exchange child exploitation materials – then using the scheme’s nearly-$100m in profits to buy luxury cars, watches and real estate,” said Matthew Axelrod, assistant secretary for export enforcement at the US Department of Commerce’s Bureau of Industry and Security.