Global Law Enforcement Takedown Disrupts Major Botnets
Global law enforcement recently announced Operation Endgame, a comprehensive initiative aimed at disrupting malware and botnet infrastructure and identifying the individuals allegedly involved in these illicit activities.
This widespread effort involves collaboration among multiple international agencies and cybersecurity experts, targeting the networks and systems used to perpetrate cybercrimes.
Operation Endgame represents a significant step in the ongoing battle against cyber threats, focusing on dismantling the technical foundations of malware and botnets that have been used to conduct a variety of malicious activities, from data theft to ransomware attacks. By identifying and apprehending the individuals behind these operations, law enforcement aims to reduce the prevalence of such cyber threats and enhance global cybersecurity resilience.
In a press release, Europol described Operation Endgame as the "largest ever operation against botnets, which play a major role in the deployment of ransomware." This significant operation was carried out in collaboration with private sector partners, including Proofpoint, and succeeded in disrupting the infrastructure of several notorious malware and botnet families such as IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and Trickbot.
This extensive crackdown not only disrupted the operational capabilities of these botnets and malware but also significantly impaired the cybercriminals' ability to deploy ransomware and other malicious activities. Europol emphasized that this operation marks a critical step in enhancing global cybersecurity and demonstrates the effectiveness of international cooperation between law enforcement and the private sector in combating cyber threats.
SmokeLoader is a downloader that first appeared in 2011 and has gained popularity among threat actors due to its versatility and effectiveness. It is a modular malware with capabilities to steal information and provide remote access, primarily functioning to install follow-on payloads. Proofpoint has observed SmokeLoader in hundreds of campaigns since 2015, highlighting its persistent presence in the cyber threat landscape.
Historically, SmokeLoader has been employed by major initial access brokers, including brief usage by TA577 and TA511 in 2020. These groups leverage SmokeLoader to gain initial access to systems, which they then exploit for further malicious activities. However, many SmokeLoader campaigns are not attributed to specific tracked threat actors because the malware is widely available for purchase on various cybercriminal forums.
The author of SmokeLoader claims to sell the malware exclusively to Russian-speaking users, restricting its distribution and potentially complicating attribution efforts. This broad availability and strategic use by various threat actors underscore SmokeLoader’s significance as a persistent and adaptable threat in the cybersecurity domain.
In 2024, Proofpoint observed approximately a dozen SmokeLoader campaigns, with the malware often being used to install other malicious software such as Rhadamanthys, Amadey, and various ransomware. These campaigns demonstrate SmokeLoader’s continued utility in facilitating a range of cyberattacks by deploying different types of payloads.
From 2023 through 2024, many SmokeLoader campaigns have been attributed to a threat actor known as UAC-0006. This actor specifically targets Ukrainian organizations, employing phishing lures that are typically themed around "accounts" or "payments" to trick victims into downloading and executing the malware. These targeted phishing campaigns highlight UAC-0006's strategic focus and the persistent threat posed by SmokeLoader in delivering diverse and potentially destructive follow-on payloads.
SystemBC is a proxy malware and backdoor that utilizes the SOCKS5 protocol, first identified by Proofpoint in 2019. Initially, SystemBC was delivered through exploit kits but has since become a popular tool in ransomware-as-a-service (RaaS) operations due to its effectiveness in establishing a covert communication channel and facilitating further malicious activities.
Proofpoint rarely detects SystemBC in email threat data because it is typically deployed post-compromise, after an initial foothold has been established on the target system. However, researchers have observed its use in several campaigns by known threat actors, including TA577 and TA544. Additionally, SystemBC has been seen as a follow-on payload dropped by TA542 following infections with the Emotet malware.
SystemBC’s versatility and functionality as a proxy and backdoor make it a valuable asset for cybercriminals looking to maintain persistence and execute various stages of their attack, particularly in the context of more complex and coordinated ransomware attacks. Its deployment in high-profile campaigns underscores its role in the broader ecosystem of malware and cyber threats.
Proofpoint has observed nearly 1,000 IcedID campaigns since the malware was first detected in 2017. This malware has been a favored payload for numerous initial access brokers, including TA511, TA551, TA578, and occasionally TA577 and TA544, as well as various unattributed threats. Additionally, TA542, known for the Emotet malware, has been observed deploying IcedID. Notably, TA542 was the only actor observed using the “IcedID Lite” variant identified by Proofpoint in 2022.
IcedID is often the first step in ransomware attacks, acting as a first-stage payload that facilitates the deployment of more destructive malware. It has been observed in campaigns leading to various ransomware strains, including Egregor, Sodinokibi (also known as REvil), Maze, Dragon Locker, and Nokoyawa. This versatility and utility in multi-stage attacks highlight IcedID’s role in the broader cyber threat ecosystem, particularly in enabling high-profile and damaging ransomware operations.
Proofpoint has not observed IcedID in campaign data since November 2023. Following this period, researchers began to observe campaigns leveraging a new malware known as Latrodectus. It is likely that the developers behind IcedID are also responsible for the creation and deployment of Latrodectus, indicating a possible shift in tactics by these cybercriminal actors.
IcedID's widespread use by advanced cybercriminal threats made it a formidable presence on the ecrime landscape. Its ability to serve as an initial access point for various types of ransomware and other malicious payloads significantly contributed to its reputation and impact.