news

Operation Endgame | Botnets disrupted after international action

by The Spamhaus TeamMay 30, 20246 minutes reading time

Malware

Botnet C&C

Cybercrime

In this News Article

Introduction
A consistent tactic: stolen credentials
Operation Endgame: victims' account remediation
The takedown tale
IcedID, Smokeloader, SystemBC, Pikabot and Bumblebee - what are they?
Press releases & announcements

Jump to

Introduction

Continuing a string of successful botnet takedowns, on Thursday, May 30th 2024, a coalition of international law enforcement agencies announced "Operation Endgame". This effort targeted multiple botnets such as IcedID, Smokeloader, SystemBC, Pikabot and Bumblebee, as well as some of the operators of these botnets. These botnets played a key part in enabling ransomware, thereby causing damages to society estimated to be over a hundred million euros. This coordinated effort is the largest operation ever against botnets involved with ransomware.

A consistent tactic: stolen credentials

A significant part of operating cybercrime infrastructure like these botnets relies on the use of stolen credentials. Threat actors acquire these credentials by operating remote access tools (RATs) and infostealers; they then use these newly-compromised accounts to further spread malware, or to gain initial access into networks and organizations. These accounts have been shared with Spamhaus, who will help with remediating them.

Operation Endgame: victims' account remediation

Before getting into the details and the takedown tale, here's an outline of what assistance we will be providing to support with remediation efforts.

The botnet operators in question relied on compromised accounts to target victims and spread malicious emails. If a receiver interacted with one of these emails, it is highly likely that their device was infected. As a result, they probably became part of the targeted botnets.
The authorities have provided Spamhaus with data pertaining to these compromised accounts, to assist with the remediation effort.
Spamhaus is notifying email service providers, hosting companies, and other parties responsible for these accounts.
We request that organizations contacted by Spamhaus take action as quickly as possible to secure the accounts in question via a simple password reset, as these accounts are still circulating!

For more information see our Operation Endgame remediation page.

The takedown tale

After the previous dismantling of botnets Emotet (2021) and Qakbot (2023), international law enforcement again joined forces in the largest international operation to date, consisting of seven investigations into various suspects and botnets. The criminal organizations behind the botnets had been spreading malware for years via hundreds of millions of phishing emails, thus forming an extensive and complex network to abuse victims' computer systems. This relates to the IcedID botnets, Smokeloader botnets, SystemBC botnets, Pikabot, Trickbot and the remnants of the Bumblebee botnet. It is estimated that several million infected computers have been identified worldwide in the past year.

Of special note is the connection to ransomware - todays most harmful and dangerous type of cybercrime. The botnets targeted in Operation Endgame all played a critical part in enabling ransomware to be deployed at organisations and governments worldwide. Besides that, they also play a key role in supporting various kinds of financial fraud in addition to other types of cybercrime.

Now, with thanks to Operation Endgame, more than 100 computer servers worldwide have been taken offline, and more than 2,000 domain names have been taken over. Of the various botnets, more than ten thousand infected computer systems could be disinfected by uninstalling the malware.

The investigations revealed that one of the main suspects has earned 69 million euros in cryptocurrency from his criminal activities and this will be seized as soon as possible. The joint actions were carried out by authorities in the Netherlands, Germany, France, Denmark, United States, and the United Kingdom with support from Europol and Eurojust. In addition, with the cooperation of the aforementioned authorities, there have also been police actions in Ukraine, Switzerland, Armenia, Portugal, Romania, Canada, Lithuania and Bulgaria for the arrest or interrogation of suspects, searches, or the seizure and downing of servers.

In an effort to keep the general public up to date on what's being done to combat these types of cybercrime, and to also further shine light on some of the threat actors who have not been arrested, the coalition has created a special website for this operation: Operation Endgame.

IcedID, Smokeloader, SystemBC, Pikabot and Bumblebee - what are they?

These are the botnets targeted by Endgame and have been around for some time. They have all prominently featured in our malware statistics and Botnet Threat Updates.

IcedID was first observed in 2017, initially recognized as a banking malware, it also acts as a loader for other malware, including ransomware. With three distinct variants now identified, and hundreds of active campaigns over the last few years, it is no surprise why this was a target of Operation Endgame.

Smokeloader is a generic backdoor with a range of capabilities that depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity, like pay-per-install (PPI) campaigns.

SystemBC is a malware that was first seen in 2019 that turns infected computers into SOCKS5 proxies, and can infect Linux and Windows systems alike. It is a versatile bit of kit that can be used differently depending on the threat actor's goals - be that to forward traffic, or to download and execute additional payloads. Over the past 30 days, malware samples observed by our partner, abuse.ch, relating to SystemBC have increased by +700% at the time of publishing.

Pikabot was the spotlight feature in our most recent Botnet Threat Update as a Top 10 malware associated with botnet command and controllers (C&Cs). It comprises a range of features, including downloader/installer, a loader, and a core backdoor component, many of which play straight into the hands of operators involved with initial access to later deploy ransomware.

Bumblebee was first discovered in September 2021. It is a loader capable of downloading and executing additional payloads, such as CobaltStrike, Silver, and Meterpeter, and has been acting as the initial access point for ransomware deployments.

The disruption of theses malware families and their operators cannot have come soon enough. We are deeply grateful to all those involved, with a special hat-tip to our trusted partner, abuse.ch who also supported these efforts; we look forward to supporting the ongoing remediation efforts.