Between May 27 and 29, 2024, a coordinated effort known as Operation Endgame, led by Europol, targeted a range of malicious software droppers, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot.
This operation aimed to disrupt criminal services by arresting high-value targets, dismantling criminal infrastructures, and freezing illegal proceeds.
The operation had a significant global impact on the dropper ecosystem, which facilitates ransomware and other malicious software attacks.
Largest Operation Against Botnets
This operation marks the largest-ever crackdown on botnets, which are crucial in deploying ransomware.
Initiated and led by France, Germany, and the Netherlands, the operation also received support from Eurojust and involved multiple countries, including Denmark, the United Kingdom, and the United States.
All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo
Additional support came from Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland, and Ukraine, with various actions such as arrests, suspect interviews, searches, and server and domain takedowns.
Key Outcomes of Operation Endgame
The coordinated actions led to significant results:
- Arrests: 4 arrests (1 in Armenia and 3 in Ukraine)
- Location Searches: 16 searches (1 in Armenia, 1 in the Netherlands, 3 in Portugal, and 11 in Ukraine)
- Server Disruptions: Over 100 servers were taken down or disrupted across Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States, and Ukraine
- Domain Control: Over 2,000 domains now under law enforcement control
Investigations revealed that one of the main suspects earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites for ransomware deployment.
Authorities are monitoring the suspect’s transactions and have obtained legal permission to seize these assets in future actions.
What is a Dropper?
Malware droppers are malicious software designed to install other malware onto a target system.
They are used in the initial stage of a malware attack, allowing criminals to bypass security measures and deploy additional harmful programs, such as viruses, ransomware, or spyware.
While droppers do not usually cause direct damage, they are crucial for accessing and implementing harmful software on affected systems.
How Droppers Work
- Infiltration: Droppers can enter systems through various channels, such as email attachments or compromised websites, and can be bundled with legitimate software.
- Execution: Once executed, the dropper installs additional malware onto the victim’s computer, often without the user’s knowledge or consent.
- Evasion: Droppers are designed to avoid detection by security software, using methods like code obfuscation, running in memory without saving to disk, or impersonating legitimate software processes.
- Payload Delivery: After deploying the additional malware, the dropper may either remain inactive or remove itself to evade detection, leaving the payload to carry out malicious activities.
Specific Droppers Targeted
- SystemBC: Facilitated anonymous communication between infected systems and command-and-control servers.
- Bumblebee: Distributed mainly via phishing campaigns or compromised websites, enabling the delivery and execution of further payloads.
- SmokeLoader: Used primarily as a downloader to install additional malicious software.
- IcedID (BokBot): Initially a banking trojan, now used for various cybercrimes, including financial data theft.
- Pikabot: A trojan used to gain initial access to infected computers, enabling ransomware deployments, remote computer takeovers, and data theft.
Operation Endgame does not end here. New actions will be announced on the Operation Endgame website.
Suspects involved in these and other botnets who have not yet been arrested will be held accountable.
Information on how to reach out to suspects and witnesses will be available on the website.
Command Post at Europol
Europol facilitated information exchange and provided analytical, crypto-tracing, and forensic support. To coordinate the operation, Europol organized over 50 coordination calls and an operational sprint at its headquarters.
Over 20 law enforcement officers from Denmark, France, Germany, and the United States supported the coordination from the command post at Europol, with hundreds of other officers involved globally.
A virtual command post allowed real-time coordination between Armenian, French, Portuguese, and Ukrainian officers during field activities.
National Authorities Involved
EU Member States:
- Denmark: Danish Police (Politi)
- France: National Gendarmerie (Gendarmerie Nationale) and National Police (Police Nationale); Public Prosecutor Office JUNALCO (National Jurisdiction against Organised Crime) Cybercrime Unit; Paris Judicial Police (Préfecture De Police de Paris)
- Germany: Federal Criminal Police Office (Bundeskriminalamt), Prosecutor General’s Office Frankfurt am Main – Cyber Crime Center
- Netherlands: National Police (Politie), Public Prosecution Office (Openbaar Ministerie)
Non-EU Member States:
- United Kingdom: National Crime Agency
- United States: Federal Bureau of Investigations, United States Secret Service, The Defence Criminal Investigative Service, United States Department of Justice
Operation Endgame represents a significant milestone in the fight against cybercrime, demonstrating the power of international cooperation and coordination.
The operation’s success in disrupting major botnets and arresting key suspects sends a strong message to cybercriminals worldwide.
Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.