Europol on Thursday said it shut down the infrastructure associated with several malware loader operations such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot as part of a coordinated law enforcement effort codenamed Operation Endgame.
“The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds,” Europol said in a statement. “The malware […] facilitated attacks with ransomware and other malicious software.”
The action, which took place between May 27 and May 29, has resulted in the dismantling of over 100 servers worldwide and the arrest of four people, one in Armenia three in Ukraine, following searches across 16 locations in Armenia, the Netherlands, Portugal, and Ukraine.
The servers, according to Europol, were located in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, Ukraine, the United Kingdom, and the United States. More than 2,000 domains have been confiscated by law enforcement.
One of the main suspects is alleged to have netted at least €69 million ($74.6 million) by renting out criminal infrastructure sites to deploy ransomware.
“Via so-called ‘sinkholing’ techniques or the use of tools to access the systems of operators behind the malware, investigators managed to block and take down the botnets,” Eurojust said.
Separately, German authorities are seeking the arrest of seven people associated with a criminal organization whose aim was to spread the TrickBot malware. An eighth person is suspected of being one of the ringleaders of the group behind SmokeLoader.
According to the U.S. Federal Bureau of Investigation (FBI), the malware groups are estimated to have infected millions of computers around the world. This comprised an unnamed hospital network, which “not only cost millions of dollars but alarmingly put people’s lives at risk due to the compromised critical care online system.”
Enterprise security Proofpoint told The Hacker News that it shared information with law enforcement about the botnet infrastructure as well as the inner workings of the malware artifacts, “identifying patterns in how the threat actors set up their servers.”
Loaders, also known as droppers, are malicious software designed to gain initial access and deliver additional payloads onto compromised systems, including ransomware variants. They are typically propagated via phishing campaigns, compromised sites, or bundled with popular software.
“Droppers are designed to avoid detection by security software,” Europol said. “They may use methods like obfuscating their code, running in memory without saving to disk, or impersonating legitimate software processes.”
“After deploying the additional malware, the dropper may either remain inactive or remove itself to evade detection, leaving the payload to carry out the intended malicious activities.”
The agency described the takedowns as the largest-ever operation against botnets, involving authorities from Armenia, Bulgaria, Denmark, France, Germany, Lithuania, the Netherlands, Portugal, Romania, Switzerland, Ukraine, the United Kingdom, and the United States.
“Law enforcement continue their impressive run of takedown operations with an impressive operation against the loader ecosystem,” Don Smith, vice president of Threat Intelligence, Secureworks Counter Threat Unit (CTU), said in a statement shared with The Hacker News.
“Individually these operations have been significant, in concert they demonstrate that whilst the malicious actors may be out of reach of the courts, their botnets and infrastructure is not, it can be compromised and taken offline.”
“We’re never going to get to the kernel of some of these organized criminal gangs, but if we can minimize the impact they have by reducing their ability to scale, their ability to deploy, then that’s a good thing.”
(The story was updated after publication with additional comments from Proofpoint and Secureworks.)