Europol's Operation Endgame

In a recent press release by Europol, the details of the law enforcement agency's largest-ever operation against botnet infrastructure were released to the public.

The main goal of the operation was to target the infrastructure behind some of the Internet's most prolific dropper malware strains: IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and TrickBot. This publication has covered all of these strains and provided removal guides for those infected by these malware strains.

Europol's Operation Endgame

Europol defines malware droppers as follows,

Malware droppers are a type of malicious software designed to install other malware onto a target system. They are used during the first stage of a malware attack, during which they allow criminals to bypass security measures and deploy additional harmful programs, such as viruses, ransomware, or spyware. Droppers themselves do not usually cause direct damage, but are crucial for accessing and implementing harmful software packages on the affected systems.

Droppers typically have four attack phases. The first is the infiltration phase, where they enter systems through various channels, such as email attachments and compromised websites; they can also be bundled with legitimate software.

The second phase can be termed the execution phase, where the malware installs the additional malware onto the victim's computer. The next phase is defined by the malware doing its utmost to evade detection by security software.

They may use methods like obfuscating their code, running in memory without saving to disk, or impersonating legitimate software processes. The last phase is the delivery of additional payloads like ransomware.

In practice, the malware strains mentioned above carry out operations defined above differently. SystemBC facilitated anonymous communication between an infected system and command-and-control servers.

Bumblebee, distributed mainly via phishing campaigns or compromised websites, was designed to enable the delivery and execution of further payloads on compromised systems.

SmokeLoader was primarily used as a downloader to install additional malicious software onto the systems it infects.

IcedID, initially categorized as a banking trojan, was further developed to serve other cybercrimes in addition to the theft of financial data, a staple action for any banking trojan worth the name.

Pikabot is a trojan used to get initial access to infected computers, which enables ransomware deployments, remote computer take-over, and data theft.

It should also be noted that all of them are now being used to deploy ransomware and are seen as the main threat in the infection chain due to granting initial access and simplifying the process of gaining privileged access.

Operation Endgame

Returning to Operation Endgame, officials stated,

This is the largest ever operation against botnets, which play a major role in the deployment of ransomware. The operation, initiated and led by France, Germany and the Netherlands, was also supported by Eurojust and involved Denmark, the United Kingdom and the United States. In addition, Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine also supported the operation with different actions, such as arrests, interviewing suspects, searches, and seizures or takedowns of servers and domains. The operation was also supported by a number of private partners at national and international level including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus, DIVD, abuse.ch and Zscaler.

The immediate results of the operation can be summarized as follows:

  • 4 arrests (1 in Armenia and 3 in Ukraine)
  • 16 location searches (1 in Armenia, 1 in the Netherlands, 3 in Portugal and 11 in Ukraine)
  • Over 100 servers were taken down or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States, and Ukraine
  • Over 2,000 domains under the control of law enforcement

Europol officials further noted that one of the main suspects had earned an estimated 69 million EUR in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware. Law enforcement agencies have already begun legal proceedings to seize these assets.

An example of the scale of the operation was provided by Europol, with officials stating,

The command post at Europol facilitated the exchange of intelligence on seized servers, suspects and the transfer of seized data. Local command posts were also set up in Germany, the Netherlands, Portugal, the United States and Ukraine. Eurojust supported the action by setting up a coordination center at its headquarters to facilitate the judicial cooperation between all authorities involved. Eurojust also assisted with the execution of European Arrest Warrants and European Investigation Orders.

The Operation continues, and a dedicated website is being set up so that the public at large can track its developments. At the time of writing, announcements as to the identities of the suspects were still to be made.

Law enforcement officials believe that millions of devices were infected with the above malware strains, and many of the victims were not aware of the infection of their systems. The estimated financial loss these criminals have caused to companies and government institutions amounts to hundreds of millions of euros.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal