Law enforcement agencies in the United States and Europe today announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for delivering ransomware and data-stealing malware. Called “the largest operation ever against botnets,” the international effort is being called the first salvo in an ongoing campaign to target advanced “droppers” or “uploaders” of malware. IcedID, The Smokeloader again Trickbot.
A frame from one of three animated videos released today about Operation Endgame.
Operation Endgame targeted the cybercrime ecosystem that supported drop/loaders, terms used to describe small, customized programs designed to covertly install malware on a target system. Droppers are often used in the early stages of a breach, and allow hackers to bypass security measures and release additional malicious programs, including viruses, ransomware, or spyware.
Droppers like IcedID are often sent via email attachments, hacked websites, or bundled with legitimate software. For example, hackers have long used paid ads on Google to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader and Discord. In those cases, the dropper is a hidden component bundled with legitimate software that silently loads the malware onto the user’s system.
Droppers remain a critical, entrenched component of nearly every major cybercrime enterprise to the point that the most popular have become full-fledged cybercrime facilities. By targeting the people who develop and maintain dropper services and the supporting infrastructure, authorities hope to disrupt many cybercriminal activities simultaneously.
According to a statement from the European police union Europol, between May 27 and May 29, 2024 authorities arrested four suspects (one in Armenia and three in Ukraine), and disrupted or took down more than 100 Internet servers in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, United States and Ukraine. Authorities say they have also seized more than 2,000 domain names that support the online dropper infrastructure.
In addition, Europol released information on eight fugitives suspected of involvement in dropper services and wanted by Germany; their names and photos were added to Europol’s “Most Wanted” list on 30 May 2024.
A “wanted” poster featuring the names and photos of eight suspects wanted by Germany and now on Europol’s “Most Wanted” list.
“It has been found through the investigation so far that one of the main suspects received at least EUR 69 million in cryptocurrency by hiring the sites of the criminal infrastructure to release the ransomware,” Europol wrote. “The actions of the accused are always closely monitored and the legal permission to take these goods in the future has been obtained.”
There have been many such coordinated efforts to root out malware in the past, however often the large amount of communication required between law enforcement agencies and the cyber security firms involved is not sustained after the initial disruption and/or arrest.
But a new website built to detail today’s action – operation-endgame.com – makes this time different, and that more takedowns and arrests are coming. “Operation Endgame doesn’t end today,” the site promises. “New acts will be announced on this website.”
A message on operation-endgame.com promises more law enforcement and disruptive actions.
Perhaps because of the realization that many of today’s top criminals live in countries beyond the reach of international law, operations such as Operation Endgame seem to focus more on mind games – that is, to crack down on criminals.
Writing in this month’s magazine It has strings, Matt Burgess makes the case for Western law enforcement officials to turn to psychological measures as an additional way to slow down Russian criminals and get to the heart of the cybercrime ecosystem.
“These nascent psyops include efforts to break the limited trust hackers have with each other, drive a thin line between weak hacker egos, and send personal messages that show they’re being watched,” Burgess wrote.
While the authorities in the US and the UK announced in February 2024 that they would go in and seize the infrastructure used by famous people. LockBit ransomware gang, they borrowed the existing design of LockBit’s victim-shaming website to link instead to press releases about the takedown, and installed a countdown timer that ended up being replaced by the identity of the alleged leader of LockBit.
The feds used an existing design on LockBit’s website to shame victims into including press releases and free decryption tools.
The Operation Endgame website also includes a timer, which serves to tease the release of several animated videos that mimic the same kind of flashy, short commercials that hackers often produce to advertise their services online. At least two of the videos include a large amount of text written in Russian.
The combined takedown comes after another enforcement action this week against what the FBI director called “possibly the largest botnet in the world.” On Wednesday US Department of Justice (DOJ) announced the arrest of YunHe Wangaccused of being a user of a ten-year-old online anonymity service 911 S5. The government also seized 911 S5 domains and Internet infrastructure, allegedly turning computers using various “free VPN” products into Internet relays that facilitate billions of dollars in online fraud and cybercrime.
Source link