On May 30, 2024, the European Union Agency for Law Enforcement Cooperation (Europol) announced the results of Operation Endgame, a joint multinational operation that the agency says executed the “largest ever operation against botnets.” Botnets are networks of hacked computers that can be used to spread “droppers” or “loaders,” which are malware that download other malware. The botnets and malware targeted in this operation ran at an industrial scale and have been responsible for billions of dollars in losses related to data breaches, ransomware and fraud. The action also resulted in the real-world identification of alleged Russian cybercriminals, a tactic that has often been used by Western law enforcement to create unease among suspects that otherwise cannot be arrested. It also employed trolling tactics, warning perpetrators to “Think About (Y)Our Next Move” and portrayed nervous versions of them in illustrated videos on a dedicated website. Authorities teased that more details will be revealed as the operation continues. In this post, we will explain the malware programs targeted by this action, their significance and what defenders can expect in the coming weeks following this action. We've also included screenshots of threat-hunting packages on our Hunter platform that illustrate the types of detections we've written to detect activity from some of these malware applications.
Background: Cybercrime-as-a-Service
Cybercrime has become highly modular, with threat actors specializing in providing different services to other cybercriminals, an economic system known as cybercrime-as-a-service. The distribution of malware is one of the most crucial services. Having consistent supplies of computers infected with malware that are under the control of bad actors has fueled the never-ending stream of data breaches, ransomware attacks and financial frauds. Botnets are created in several ways, including sending spam and phishing emails with malicious attachments. Botnets are also created through fraudulent software downloads as well as malicious advertisements (malvertising) and misleading websites that are pushed to the top of search rankings (search engine optimization (SEO) poisoning).
Botnets are monetized in several ways. Botnet operators rent them out to distribute malware on behalf of other cybercriminals, a scheme often referred to as “install” services. There are constant efforts to refresh botnets with newly infected computers. Security teams and end users see these efforts in spam runs, which seek to trick users into clicking links or installing applications. Once a computer is infected with malware, it can be mined for data such as login credentials and financial information. Initial access brokers (IABs) sell infected computers to other criminals such as ransomware groups, where those groups then use that access to deliver file-encrypting malware as part of extortion attempts.
It’s an endless, 24/7 fight, as these botnets are engineered with redundancy and resiliency to make them difficult to eliminate. Intel 471’s Malware Intelligence team monitors the activities of these botnets, observing how these malware networks are leveraged to distribute other malware and extracting indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs) that can help security teams stop infections or hunt for signs of infection.
Botnet Takedown
Operation Endgame resulted in the disruption of infrastructure used by the Bumblebee, IcedID, Pikabot, SystemBC, SmokeLoader and Trickbot botnets between May 27, 2024, and May 29, 2024. These coordinated measures led to four arrests — one in Armenia and three in Ukraine — 16 location searches, the takedown of more than 100 servers and law enforcement taking control of more than 2,000 domains. Additionally, Europol added eight more fugitives linked to these criminal activities to Europe’s Most Wanted list. This included the following Russian nationals:
Airat Rustemovich Gruber: Administrator of SmokeLoader botnet.
Oleg Vyacheslavovich Kucherov aka gabr: Member of Trickbot gang, coder.
Sergey Valerievich Polyak aka cypher: Member of Trickbot gang, malware disseminator.
Fedor Aleksandrovich Andreev aka azot, angelo: Member of Trickbot gang, coder and tester.
Georgy Sergeevich Tesman aka core: Member of Trickbot gang, crypting specialist.
Anton Alexandrovich Bragin aka hector: Member of Trickbot gang, coder.
Andrei Andreyevich Cherepanov aka fast, basil: Member of Trickbot gang, coder of spambot, crypting specialist.
Nikolai Nikolaevich Chereshnev aka biggie: Member of Trickbot gang, developer.
Europol also released two videos on their website dedicated to Operation Endgame where they mentioned two threat actors using the Psevdo and Superstar handles.
Malware Targets
Here’s a rundown of the botnets and their associated malware programs targeted by Operation Endgame.
Bumblebee: Bumblebee is a malware loader that appeared in September 2021. As its popularity increased in the underground, it was the subject of a report in March 2022 by Google’s Threat Analysis Group. Written in the C++ programming language, Bumblebee is used by multiple threat actors to secure initial footholds in high-value enterprise environments.
It has been associated with several ransomware and threat actor groups, including the now-defunct Conti ransomware-as-a-service (RaaS) group, Akira and Trickbot. When Conti was still active, Intel 471 observed the group favoring Bumblebee as a loader over BazarLoader, another type of loader malware. Bumblebee has been observed dropping a variety of follow-on payloads, including Cobalt Strike, Metasploit, the domain enumeration tool ADFind and other malware, including Bokbot aka IcedID. In September 2023, we observed improvements in Bumblebee aimed at making it more resilient (see the blog post “Bumblebee Loader Resurfaces in New Campaign”). We've created up-to-date threat-hunt packages for Bumblebee in our Hunter threat-hunting platform, examples of which can be seen here.
IcedID aka Bokbot: Bokbot is a mature project that was under development since 2017 and has its roots in banking malware. The actors behind the development of Bokbot historically have shown a relationship with the Conti/Trickbot group. In mid-2022, IABs started favoring Bokbot as a loader in place of BazarLoader or Trickbot. Bokbot has been used by notable threat actors, including longtime actor Tramp aka Kurva, who distributed Bokbot via malware spam (malspam) as recently as September 2023. Bokbot is also associated with Ukrainian national Vyacheslav Penchukov aka the actor Tank. Penchukov pleaded guilty in February 2024 to charges related to the distribution of Bokbot from November 2018 through February 2021 and the distribution of Zeus, a banking trojan.
Pikabot: Pikabot is a relatively new loader. First observed in February 2023, Pikabot operates as a backdoor and malware loader equipped with capabilities to extract system information, run commands and download other payloads. In May 2023, the usual malware spam campaigns that previously led to the distribution of QBot, another popular loader, switched to push instances of Pikabot. This behavior has been observed in the past but those initial observations likely were trial runs to test the performance of the loader. Then in August 2023, law enforcement announced a significant disruption action against QBot, also known as Qakbot and Pinkslipbot. As QBot was associated with the distribution of ransomware including Conti, ProLock, Egregor, REvil, MegaCortex and Black Basta, threat actors sought alternatives. We observed fresh spam campaigns in September 2023 from one source distributing Pikabot, Bokbot and Darkgate. The actor Tramp aka Kurva, TA577 likely orchestrated these campaigns. A screenshot that shows some of the detections we've written based on Pikabot's tactics, techniques and procedures (TTPs) for our Hunter threat-hunting platform can be seen here.
SystemBC: SystemBC came to light in an extensive report in August 2019 by the security vendor Proofpoint, which observed SystemBC distributed as a payload dropped by two exploit kits, RIG and Fallout. SystemBC is a type of malware known as a back-connect bot. It uses socket secure internet protocol (SOCKS5) proxies to hide malicious traffic to and from command and control (C2) infrastructure of other malware strains which helps to evade detection. In 2021, Walmart’s security team connected SystemBC’s use to the Trickbot group as well as the RaaS group Ryuk. We have observed the threat actor psevdo selling the malware since 2018. The psevdo nickname is seen in one of the videos published by law enforcement as part of Operation Endgame, but the person’s real-world ID was not revealed. On May 16, 2020, the actor expanded their presence to the XSS forum under the handle terminator and offered the product as a malware-as-a-service (MaaS) for US $350. In February 2024, we learned psevdo offered to sell source code of the SystemBC malware for US $10,000 purportedly due to financial difficulties.
SmokeLoader: In 2023, SmokeLoader was one of the top three most-used malware install services and also one of the most-downloaded types of malware. Malware install services enable actors to disseminate malware to a large target set. Threat actors who pay for installs don’t have to worry about click-through rates on malware links in spam. Consequently, a broad range of unsophisticated actors can use them to leverage information stealers (infostealers) to turn a profit. As a result, SmokeLoader was used in campaigns to distribute infostealers including Meduza and RedLine. Infostealers grab data such as login credentials from computers, fueling the IAB industry and furthering other attacks down the line, including ransomware.
Trickbot: Trickbot, which appeared in 2016, also has its roots in banking malware. Trickbot played a huge role in distributing some of the most prevalent and damaging ransomware strains in recent years: Conti, REvil, Ryuk, ProLock, Egregor and Black Basta. It grew into one of the world’s largest botnets, and it was used to distribute other malware, provide initial access and run spam and phishing campaigns. On Oct. 10, 2020, The Washington Post reported U.S. Cyber Command disrupted the Trickbot botnet. Two days later, Microsoft announced legal action against Trickbot. The actions did not eliminate the botnet but damaged it, and authorities kept exerting pressure. In February 2023, the U.S. and U.K. announced the first-ever joint cybercrime sanctions against alleged Trickbot and Conti members. That was followed up in September 2023 by sanctions against new individuals and three federal indictments charging eight Russian men and one Ukrainian man with computer crimes. This latest action added seven more Russian men to Europol’s Most Wanted list for alleged crimes related to Trickbot. Our Hunter platform contains hunt packages to find TTPs associated with both Trickbot and Conti activity.
Assessment
Operation Endgame strikes at the heart of what have been industrial malware distribution operations that over years have exacted immense financial and operational damages. Security teams constantly battle loader malware and the applications dropped, such as infostealers and ransomware. This action is a strategic and comprehensive effort to dismantle operational cores of major cybercriminal networks. However, the resilience of these underground criminal communities poses a formidable challenge. Historically, these networks have shown a remarkable ability to adapt after disruption actions and quickly reconstituted capabilities or shifted to new platforms. While the operation's removal of more than 100 servers and seizure of more than 2,000 domains represents a significant victory, the threat persists.
Our Malware Intelligence analysts have observed activities that suggest segments of this cybercriminal infrastructure may remain active and could possibly be used to restart malware distribution operations. However, we also observed several SmokeLoader C2 servers started to dispatch the “uninstall” command to bots starting May 28, 2024 — an event likely associated with the recent takedown efforts aimed at remediating infected devices. Additionally, some 16.5 million email addresses and 13.5 million unique passwords that were stolen by these malware programs have now been loaded into Have I Been Pwned, the data breach notification service. This is an important facet, as it means users who are registered with that service will get notified if their email has appeared in the malware data.
Despite these successes and a marked decrease in download and execute events tracked by our Malware Intelligence systems, the continuous detection of activities associated with SmokeLoader and SystemBC malware suggests some botnets might have escaped the more extensive takedowns. Looking ahead, it is crucial to recognize that while some key botnets have been disrupted, other botnets continue to operate. Malware distribution is a critical component of cybercrime-as-a-service, and the takedown of popular distribution mechanisms means that alternative services could start filling the demand gaps. This situation also creates opportunities for other malware families to enter the marketplace. While Operation Endgame has achieved substantial success, the ongoing battle remains and will require a sustained, advanced and collaborative approach. The cybercriminal community's rapid adaptability presents a perpetual challenge, necessitating increasingly sophisticated and proactive measures.
