Major malware droppers disrupted, four suspects arrested – Europol

Operation Endgame, which Europol dubbed the largest anti-botnet operation, has resulted in multiple arrests, the shutdown of hundreds of servers, and the seizure of thousands of domains. Key ransomware-deploying platforms have been disrupted, the authorities believe.

Europol, together with international partners, targeted so-called malware droppers, malicious software designed to install malware, such as ransomware, onto a target system. Key malware-distributing platforms: IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot were disrupted.

According to Europol, malware whose infrastructure was taken down facilitated ransomware attacks and other malware-deploying attacks. Authorities claim the operation is “the largest ever operation against botnets, which play a major role in the deployment of ransomware.”

The coordinated effort resulted in four arrests, with one suspect detained in Armenia and three in Ukraine. Authorities searched another 16 locations in several countries across Europe and Western Asia. Europol boasted that authorities took down over 100 servers and seized over 2,000 domains.

The operation has also revealed how profitable facilitating malware is. According to Europol, renting out criminal infrastructure sites to deploy ransomware earned one of the main suspects at least €69 million ($74 million) in crypto.

“The suspect’s transactions are constantly being monitored, and legal permission to seize these assets upon future actions has already been obtained,” Europol said.

Threat actors employ malware droppers in the first stage of attack when they’re trying to bypass security measures and deploy additional harmful programs, such as viruses, ransomware, or spyware. While droppers themselves are rarely harmful, they’re essential to facilitate cybercrime.

Europol claims that SystemBC was utilized to facilitate anonymous communication between an infected system and command-and-control servers. Bumblebee, distributed via phishing campaigns or compromised websites, was designed to enable the delivery and execution of further payloads on compromised systems.

Meanwhile, SmokeLoader was primarily used as a downloader to install additional malicious software onto the systems it infects. IcedID, initially categorized as a banking trojan, had been further developed to serve other cybercrimes in addition to the theft of financial data.

Pikabot, a trojan, was used to gain initial access to infected computers, enabling ransomware deployments, remote computer take-over, and data theft.

“All of them are now being used to deploy ransomware and are seen as the main threat in the infection chain,” Europol said.