International malware takedown seizes more than 100 servers


An international police coalition organized by the European Union's law enforcement and justice agencies has revealed an ongoing operation against malware droppers that Europol calls the “largest operation ever” of its kind.

The initiative, dubbed “Operation Endgame,” targets the “droppers” and “loaders” used to deliver malware, and aims to disrupt large-scale malware deployments at the delivery stage.

Between May 27 and 29, 2024, police arrested four people, seized more than 100 servers, and took control of more than 2,000 domains. The arrests were made in Ukraine and Armenia, and servers were taken offline or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States, and Ukraine.

The operation was led by law enforcement agencies from France, Germany and the Netherlands, with support from Denmark, the United Kingdom, the United States and the European Union's judicial cooperation agency, Eurojust.

Attackers deliver malware through fraudulent emails, websites or downloads

Droppers and loaders install malware silently, typically after a victim opens a fraudulent email attachment, visits a compromised website, or downloads software. Because malware-as-a-service markets grow up around the tools used to deploy droppers, law enforcement targeted both the people and the infrastructure behind them, with the stated aim of “simultaneously taking down these botnets and disrupting the infrastructure used by cybercriminals.”

The droppers and loaders targeted by Operation Endgame include Bumblebee, IcedID, Smokeloader, and Trickbot.
“Many of the victims were unaware of the infection of their systems,” Europol wrote on the Operation Endgame website. “The estimated financial losses that these criminals have caused to companies and government institutions amount to hundreds of millions of euros.” At the time of writing, one euro was worth about US$1.08.

One of the main suspects earned at least €69 million in cryptocurrency by renting out criminal infrastructure used to deploy ransomware, Europol said.

Operation Endgame is ongoing; eight suspects wanted in connection with the operation were added to Europe's Most Wanted list on May 30.

“The fight against borderless cybercrime does not end here, and the FBI is committed to addressing this ever-evolving threat,” FBI Director Christopher Wray said in a news release.

How organizations can defend against malware

Much of the malware distributed by the actors behind the Operation Endgame botnets arrived as email attachments, via compromised websites, or bundled with free downloads of otherwise legitimate software. Organizations should use this law enforcement action as an opportunity to remind employees to be wary of free software advertisements and of email attachments from unfamiliar or suspicious accounts, and to refresh training on cybersecurity best practices and on how to spot the signs of phishing.

“A key feature present in several of the disrupted botnets is the ability to automate ‘thread hijacking,’ or injecting content into legitimate email threads that have been extracted, manipulated, and then sent back to accounts that may have already participated in the chat thread or other accounts within the company,” Daniel Blackford, director of threat research at Proofpoint, said in an email to TechRepublic.

Cybersecurity company Proofpoint contributed to Operation Endgame.

“The key message: Attachments randomly inserted into legitimate conversation threads cannot inherently be trusted,” Blackford said. Instead, “When possible, confirm directly with your colleague that any file transfer or URL sharing, especially with file sharing hosts, is intentional and expected.”
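As an added illustration of the thread-hijacking pattern Blackford describes, the Python script below is example code written for this article (not Proofpoint's, Europol's, or any botnet's tooling). It replays a small constructed mailbox in arrival order, tracks who has taken part in each thread using the `References` and `In-Reply-To` headers, and flags a reply when a sender who was not previously part of the thread, or who reuses a participant's display name from a different address, injects an attachment or a link to a file-sharing host. The domains, addresses and the file-sharing host are hypothetical; the internal-domain and watched-host lists are assumptions a deployment would replace with its own.

```python
"""Heuristic triage for e-mail thread hijacking (example for this article)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.com"}              # assumption: the organisation's own domain
FILE_SHARE_HOSTS = {"files.example-share.net"}  # hypothetical file-sharing host worth scrutiny
URL_RE = re.compile(r'https?://[^\s<>"\']+')


def sender_parts(msg):
    """Return (lower-cased display name, address, domain) from the From header."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain


def thread_key(msg):
    """Oldest Message-ID in the References chain, else In-Reply-To, else the message's own ID."""
    refs = str(msg.get("References", "")).split()
    if refs:
        return refs[0]
    return str(msg.get("In-Reply-To", "")).strip() or str(msg.get("Message-ID", "")).strip()


def payload_indicators(msg):
    """Attachments and links to watched file-sharing hosts carried by the message."""
    found = [f"attachment {p.get_filename()!r}" for p in msg.walk()
             if p.get_content_disposition() == "attachment"]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        if (urlparse(url).hostname or "").lower() in FILE_SHARE_HOSTS:
            found.append(f"file-share link {url}")
    return found


def triage(raw_messages):
    """Replay raw messages in arrival order; return [(Message-ID, reasons)] for suspect replies."""
    participants = {}  # thread key -> set of (name, address, domain) seen so far in that thread
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        mid = str(msg.get("Message-ID", "")).strip()
        name, addr, domain = sender_parts(msg)
        seen = participants.setdefault(thread_key(msg), set())
        reasons = []
        if seen:  # the message replies into a thread we have already observed
            known_names = {n for n, _, _ in seen}
            known_addrs = {a for _, a, _ in seen}
            known_domains = {d for _, _, d in seen}
            if name and name in known_names and addr not in known_addrs:
                reasons.append(f"display name {name!r} reused from new address {addr}")
            elif domain not in known_domains and domain not in INTERNAL_DOMAINS:
                reasons.append(f"new external domain {domain!r} joined the thread")
        payload = payload_indicators(msg)
        if reasons and payload:  # unexpected sender AND a file or link to deliver
            findings.append((mid, reasons + payload))
        seen.add((name, addr, domain))
    return findings


def _mail(headers, body):
    """Assemble a raw RFC 5322 message; used only to build the constructed sample below."""
    return "".join(f"{k}: {v}\n" for k, v in headers.items()) + "\n" + body


def _attach_body(text, ctype, filename):
    """Two-part multipart/mixed body: a text note plus one (empty) attachment."""
    return (f"--b1\nContent-Type: text/plain\n\n{text}\n"
            f'--b1\nContent-Type: {ctype}\nContent-Disposition: attachment; filename="{filename}"\n\n'
            "--b1--\n")


SAMPLE_MAILBOX = [  # constructed sample traffic, not real mail
    _mail({"From": "Alice Smith <alice@example.com>", "To": "bob@example.com",
           "Subject": "Q3 invoice", "Message-ID": "<1@example.com>"},
          "Bob, could you send me the signed Q3 invoice?\n"),
    _mail({"From": "Bob Jones <bob@example.com>", "To": "alice@example.com",
           "Subject": "Re: Q3 invoice", "Message-ID": "<2@example.com>",
           "In-Reply-To": "<1@example.com>", "References": "<1@example.com>"},
          "Sure, I will send it tomorrow.\n"),
    # Hijacked reply: Alice's display name on an outside address, quoting the real thread.
    _mail({"From": "Alice Smith <alice.smith@mail-example.net>", "To": "bob@example.com",
           "Subject": "Re: Q3 invoice", "Message-ID": "<3@mail-example.net>",
           "In-Reply-To": "<2@example.com>", "References": "<1@example.com> <2@example.com>",
           "MIME-Version": "1.0", "Content-Type": 'multipart/mixed; boundary="b1"'},
          _attach_body("Updated invoice attached, the archive password is 1234.",
                       "application/zip", "invoice.zip")),
    # Legitimate reply from the real participant with an attachment: not flagged.
    _mail({"From": "Alice Smith <alice@example.com>", "To": "bob@example.com",
           "Subject": "Re: Q3 invoice", "Message-ID": "<4@example.com>",
           "References": "<1@example.com> <2@example.com>",
           "MIME-Version": "1.0", "Content-Type": 'multipart/mixed; boundary="b1"'},
          _attach_body("Signed copy attached.", "application/pdf", "invoice-signed.pdf")),
    # Unknown external party joins the thread with a file-sharing link: flagged.
    _mail({"From": "Carol Vendor <carol@partner-example.org>", "To": "bob@example.com",
           "Subject": "Re: Q3 invoice", "Message-ID": "<5@partner-example.org>",
           "References": "<1@example.com> <2@example.com>"},
          "Latest version is here: https://files.example-share.net/d/abc123\n"),
]

if __name__ == "__main__":
    for mid, reasons in triage(SAMPLE_MAILBOX):
        print(mid, "->", "; ".join(reasons))
```

The heuristic only fires when the thread's earlier messages have been seen, so a hijacked thread that is pasted into a fresh message with no `References` header, or sent from a genuinely compromised participant mailbox, will pass it; that is why the out-of-band confirmation Blackford recommends remains the control of last resort rather than a filter rule.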