
Operation Endgame Targets the Dropper Ecosystem

  • May 31, 2024
  • Clayton Rice, K.C.

A multinational cyber operation coordinated by Europol has dismantled a malware network that infected millions of computers worldwide. It is the latest international investigation targeting ransomware and other malware droppers that are usually delivered by emails containing infected links or attachments. The sting has impacted the global dropper ecosystem on the eve of the Paris Olympic Games as the sprawling action against botnets continues.

1. Introduction

On May 29, 2024, an international consortium of law enforcement agencies announced that a campaign called Operation Endgame had successfully targeted “droppers” including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot, leading to four arrests, the search of 16 locations and the takedown of 100 servers worldwide. (here and here) The malware variants facilitated attacks with ransomware and other malicious software. Information was released yesterday regarding eight men wanted by Germany who were added to Europol’s Most Wanted list. (here) Described as “the largest ever operation against botnets”, the investigation led by France, Germany and the Netherlands also involved the United States, Britain and Denmark, with support from Eurojust. (here) Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine assisted by carrying out arrests and searches, interviewing suspects and dismantling servers and domains. Europol announced that one of the suspects allegedly earned at least €69 million in cryptocurrency by renting sites for the deployment of ransomware.

2. The Opening Gambit

Operation Endgame is described by Europol as the opening gambit in an ongoing campaign targeting malware droppers. “Operation Endgame does not end today,” Europol said in a media release. “New actions will be announced on the website Operation Endgame.” (here) In a post to Krebs on Security yesterday titled ‘Operation Endgame’ Hits Malware Delivery Platforms, investigative journalist Brian Krebs said that the effect of past malware takedowns has rarely lasted beyond the initial takedown and arrests. Many targets reside in countries beyond the reach of international law enforcement, so actions like Operation Endgame are increasingly focused on “mind games” such as trolling the hackers. (here) Here’s the introduction on the Operation Endgame website:

Welcome to The Endgame. International law enforcement and partners have joined forces. We have been investigating you and your criminal undertakings for a long time and we will not stop here. This is Season 1 of operation Endgame. Stay tuned. It sure will be exciting. Maybe not for everyone though. Some results can be found here, others will come to you in different and unexpected ways. Feel free to get in touch, you might need us. Surely, we could both benefit from an openhearted dialogue. You would not be the first one, nor will you be the last. Think about (y)our next move.

In a piece titled Cops Are Just Trolling Cybercriminals Now published by WIRED on May 28, 2024, Matt Burgess argued that western law enforcement officials have turned to psychological measures as a way to slow down Russian hackers and cut to the heart of the cybercrime ecosystem. These “nascent psyops” attempt to erode trust between black hats by “driving subtle wedges between fragile hacker egos” by sending them messages showing they’re being watched. “While law enforcement may be using some psychological tactics alongside more traditional takedowns and sanctions,” Mr. Burgess said, “[t]he US Intelligence Community’s research agency, the Intelligence Advanced Research Projects Activity (Iarpa), has started work on a project to create new cybersecurity defenses by exploiting the human weaknesses of attackers.” (here and here)

3. What is a dropper?

Europol has described malware droppers as “a type of malicious software designed to install other malware onto a target system.” They are deployed at the first stage of an attack to allow a threat actor to bypass security measures and deliver additional harmful programs such as viruses, ransomware and spyware. In Operation Endgame, IcedID, initially categorized as a banking trojan, was further developed to serve other cybercrimes in addition to the theft of financial data. SystemBC facilitated anonymous communication between an infected system and command-and-control servers. Pikabot is a trojan used to gain initial access to infected computers, which enables ransomware deployments, remote computer take-over and data theft. Smokeloader was primarily used as a downloader to install additional malicious software onto the systems it infects. Bumblebee, distributed mainly by phishing campaigns or compromised websites, was designed to enable the delivery and execution of further payloads on compromised systems. Europol described the operational phases of droppers this way:

  • Infiltration: Droppers can enter systems through various channels, such as email attachments and compromised websites. They can also be bundled with legitimate software.
  • Execution: Once executed, the dropper installs the additional malware onto the victim’s computer. This installation often occurs without the user’s knowledge or consent.
  • Evasion: Droppers are designed to avoid detection by security software. They may use methods like obfuscating their code, running in memory without saving to disk, or impersonating legitimate software processes.
  • Payload Delivery: After deploying the additional malware, the dropper may either remain inactive or remove itself to evade detection, leaving the payload to carry out the intended malicious activities.

In a post to TechTarget, a dropper is defined as “a small helper program that facilitates the delivery and installation of malware.” (here) Spammers, for example, use droppers to “circumvent the signatures that anti-virus programs use to block or quarantine malicious code.” If a dropper’s signature becomes recognized, it’s easier to change the dropper than to rewrite the malicious code base. Droppers can be either persistent or non-persistent. Persistent droppers copy themselves to a hidden file and stay there until they complete the task they’re created for. Non-persistent droppers install malware and then automatically remove themselves. Droppers are often spread by unwitting users who: (a) open an infected email attachment; (b) pick up a drive-by download on an infected website; (c) click on a malicious link in an email or on a website; or, (d) use an infected flash drive.

4. Conclusion

Following the takedowns by Operation Endgame, cybersecurity expert Troy Hunt reported yesterday that 16.5 million email addresses and 13.5 million passwords provided by law enforcement agencies were loaded into Have I Been Pwned, a service that notifies users if their email account or passwords have been compromised. (here and here) Of the email addresses, Mr. Hunt advised that 4.5 million had not been seen in previous data breaches already in HIBP. “We found 25k of our own individual subscribers in the corpus of data, plus another 20k domain subscribers which is usually organizations monitoring the exposure of their customers,” Mr. Hunt said. (here) So, what can you do if your data was compromised? Mr. Hunt passed along the “sage old advice” of using strong and unique passwords, turning on two-factor authentication everywhere and keeping your devices patched. If you find your password in the data, change it everywhere it was used.
