‘Operation Endgame’ deals major blow to malware distribution botnets

In what Europol calls the largest-ever takedown operation against botnets, law enforcement agencies from different countries managed to disrupt the infrastructure, seize assets, and arrest suspects behind some of the most widespread malware droppers.

Malware droppers are malicious programs that are controlled as part of a botnet and are primarily used to deploy additional malware payloads, usually as a service to other cybercriminal groups. In that sense they are part of the initial access brokers that ransomware gangs and other cybercriminals use to gain access to networks.

The law enforcement action, dubbed Operation Endgame, targeted a range of droppers, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot, and was led by authorities in France, Germany, and the Netherlands who worked closely with partners from Denmark, the US, and the UK, coordinated via Europol.

Police officers from Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland, and Ukraine, as well as many private cybersecurity companies and organizations, supported the operation in various ways.

The authorities managed to seize over 2,000 domain names and more than 100 servers used in the infrastructure of these malware families. Four suspects were arrested, one in Armenia and three in Ukraine, and eight fugitives were added to Europe’s Most Wanted list.

Operation Endgame’s seizure and arrests came within 24 hours of another law enforcement operation’s takedown of botnet network “911 S5,” along with the arrest of a People’s Republic of China national, in a joint effort led by the US Department of Justice.

Malware droppers at the core of cybercrime ecosystem

Botnets have been around for decades, but their purpose has changed over time based on what made the most money for cybercriminals. At some point, the largest botnets were used to hijack email addresses and address books to send spam. At other times they deployed Trojans capable of stealing online banking credentials from browser sessions, and sometimes botnets were used to launch DDoS attacks as a service.

Some of those specializations still exist, but today some of the largest botnets are used as malware distribution platforms on behalf of the cybercriminal ecosystem. Ransomware has been the most profitable cybercriminal activity for many years, and ransomware gangs are always on the lookout for initial access into new victim networks, something that malware dropper operators specialize in.

Malware droppers are usually distributed through mass spear phishing campaigns. Their managers cast a wide net and then sort out the victims based on how valuable they could be to their cybercriminal customers. One of the suspects investigated in Operation Endgame earned over €69M in cryptocurrency by providing the infrastructure to deploy ransomware, Europol said.

TrickBot or TrickLoader, which was targeted in this operation, is one of the longest-lived botnets on the internet and has survived multiple takedown attempts. TrickBot started out as a Trojan program focused on stealing online banking credentials, but its modular architecture allowed it to become one of the primary delivery vehicles for other malware payloads.

TrickBot operators had a very tight business relationship with the notorious Ryuk gang, whose ransomware for a long time was distributed almost exclusively through the botnet. The TrickBot creators added functionalities that seemed to cater to nation-state APT groups and were also behind another malware dropper called BazarLoader.

Similar to TrickBot, IcedID first appeared in 2017 and was originally a banking Trojan designed to inject rogue content into local online banking sessions — an attack known as webinject. Since then it too grew into a malware distribution platform used by many cybercriminal groups, including initial access brokers that serve ransomware gangs.

It’s worth pointing out that some of these malware droppers and loaders distribute one another. For example, IcedID was known to distribute Bumblebee, another loader targeted by this law enforcement action.

SystemBC was used to establish anonymous communications between infected systems and command-and-control servers, and SmokeLoader is another initial access tool used to deploy additional malware payloads.

Regardless of their original purpose, all of these tools are now being used to deploy ransomware and are often the first link in the infection chain, according to Europol and its partners. This shows how ransomware and its financial success have shaped the cybercriminal ecosystem over the past several years by refocusing its needs on initial access and payload delivery.
