Operation Endgame

Between 27 and 29 May 2024, Operation Endgame, coordinated from Europol headquarters, targeted the dropper families IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions included arrests of high-value targets, takedown of the droppers' infrastructure and freezing of illegally obtained proceeds. The operation struck a major blow to the dropper ecosystem. Let's take a detailed look at what these malware families are and what they are used for.


 

IcedID

IcedID, also known as BokBot, is a modular banking trojan first identified in 2017. It shares characteristics with older banking trojans such as Zeus, Gozi and Dridex and is used to steal financial information and credentials from infected systems. Over time it has increasingly acted as a loader for other malware, including ransomware, which makes it a versatile tool in the cybercrime arsenal and explains why it was in scope for Operation Endgame.

 

Initial Access and Infection:

Distribution: IcedID is usually distributed via phishing emails carrying malicious attachments such as macro-laden Microsoft Office documents, .iso images or password-protected .zip archives. These emails are typically sent through large malspam botnets such as Emotet or Cutwail.

Execution: Once the attachment is opened, IcedID installs itself on the target system and sets up persistence, typically through scheduled tasks and registry autorun entries.

 

Persistence and Evasion:

Stealth Techniques: IcedID's installer completes deployment only after a system reboot, likely to outlast short-lived sandbox analysis and to blend in with normal startup activity. The main module then hides its activity by injecting code into legitimate Windows processes such as svchost.exe.

Avoidance of Detection: It hooks API functions, encrypts its command-and-control (C2) traffic, can disable security software and adapts its behaviour to the security tooling it finds on the victim system.
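The injection behaviour described above leaves two cheap signals in endpoint telemetry. The following is an added example written for this article (it is not IcedID's code or a vendor's detection) that checks both over constructed Sysmon-style records: a svchost.exe whose parent is not services.exe, and a CreateRemoteThread (Sysmon Event ID 8) from an image in a user-writable directory into a Windows system binary. Field names follow Sysmon; the list-of-dicts record format, the sample paths and the parent allow-list are assumptions of the example.

```python
"""
Added example (not from the original post): two checks for the process-injection
behaviour described above, run over constructed Sysmon-style records.

  EventID 1 (process create): svchost.exe whose parent is not services.exe.
      A dropper that starts its own svchost.exe to hollow it leaves itself as the
      parent unless it also goes to the trouble of PPID spoofing.
  EventID 8 (CreateRemoteThread): a thread created in a Windows system binary by
      an image running from a user-writable directory.
"""
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SVCHOST = "c:\\windows\\system32\\svchost.exe"
# Parents that legitimately start svchost.exe. Assumption of this example; extend
# it with whatever a baseline of the environment shows as known-good.
SVCHOST_PARENT_ALLOW = {"c:\\windows\\system32\\services.exe"}

# Constructed sample telemetry; not real captures.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_0527.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_0527.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "StartAddress": "0x0000000000A10000"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "StartAddress": "0x00007FF6A1B20000"},
]


@dataclass
class Finding:
    rule: str
    event: dict


def _under(path: str, dirs: tuple) -> bool:
    """Case-insensitive prefix test against a tuple of directory prefixes."""
    return path.lower().startswith(dirs)


def svchost_unexpected_parent(ev: dict) -> bool:
    if ev.get("EventID") != 1 or ev.get("Image", "").lower() != SVCHOST:
        return False
    return ev.get("ParentImage", "").lower() not in SVCHOST_PARENT_ALLOW


def remote_thread_from_user_dir(ev: dict) -> bool:
    if ev.get("EventID") != 8:
        return False
    return (_under(ev.get("SourceImage", ""), USER_WRITABLE)
            and _under(ev.get("TargetImage", ""), SYSTEM_DIRS))


RULES = {
    "svchost_unexpected_parent": svchost_unexpected_parent,
    "remote_thread_user_dir_to_system_binary": remote_thread_from_user_dir,
}


def triage(events) -> list:
    """One Finding per (event, rule) pair that matched, in input order."""
    return [Finding(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.event}")
```

The parent check is deliberately strict; if a fleet produces legitimate svchost.exe instances with other parents, add those parents to the allow-list rather than loosening the rule.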

 

Payload and Lateral Movement:

Payload Delivery: IcedID downloads and installs additional malware such as ransomware or post-exploitation frameworks like Cobalt Strike. Second-stage activity frequently relies on living off the land (LOTL): native Windows tools are used to gather information and move laterally through the network.

Network Spreading: A network-spreading module queries Active Directory over the Lightweight Directory Access Protocol (LDAP) to enumerate users and then brute-forces their passwords, extending the infection across the organization. The LDAP enumeration looks much like ordinary directory traffic; the password guessing is the noisy part and is usually where detection succeeds.
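From the defender's side, the brute-forcing described above shows up on the target hosts or domain controllers as a burst of Windows Security event 4625 (failed logon) from one source against many accounts, often followed by a 4624 (successful logon) once a guess lands. The following is an added example written for this article, not IcedID's code or any vendor's rule, that detects that pattern over constructed log lines. The flattened "timestamp key=value ..." line format, the sample events and the thresholds are assumptions of the example.

```python
"""
Added example (not from the original post): password-spray / brute-force
detection over constructed Windows Security events 4625 and 4624.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not a real export. 10.0.4.23 fails against eight
# accounts in a few seconds and then logs on as svc_backup; 10.0.7.5 is one
# user mistyping a password once.
SAMPLE_LOG = """\
2024-05-28T09:12:01Z EventID=4625 TargetUserName=alice IpAddress=10.0.4.23 LogonType=3 Status=0xC000006D
2024-05-28T09:12:01Z EventID=4625 TargetUserName=bob IpAddress=10.0.4.23 LogonType=3 Status=0xC000006D
2024-05-28T09:12:02Z EventID=4625 TargetUserName=carol IpAddress=10.0.4.23 LogonType=3 Status=0xC000006D
2024-05-28T09:12:02Z EventID=4625 TargetUserName=dave IpAddress=10.0.4.23 LogonType=3 Status=0xC000006D
2024-05-28T09:12:03Z EventID=4625 TargetUserName=erin IpAddress=10.0.4.23 LogonType=3 Status=0xC000006D
2024-05-28T09:12:03Z EventID=4625 TargetUserName=frank IpAddress=10.0.4.23 LogonType=3 Status=0xC000006D
2024-05-28T09:12:04Z EventID=4625 TargetUserName=grace IpAddress=10.0.4.23 LogonType=3 Status=0xC000006D
2024-05-28T09:12:04Z EventID=4625 TargetUserName=svc_backup IpAddress=10.0.4.23 LogonType=3 Status=0xC000006D
2024-05-28T09:12:09Z EventID=4624 TargetUserName=svc_backup IpAddress=10.0.4.23 LogonType=3
2024-05-28T09:30:10Z EventID=4625 TargetUserName=heidi IpAddress=10.0.7.5 LogonType=2 Status=0xC000006A
2024-05-28T09:30:25Z EventID=4624 TargetUserName=heidi IpAddress=10.0.7.5 LogonType=2
"""


def parse(text: str) -> list:
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _bucket(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to a fixed window boundary (e.g. 5-minute bins)."""
    epoch = datetime(1970, 1, 1)
    return epoch + (ts - epoch) // window * window


def detect_spray(events, window=timedelta(minutes=5), min_failures=6, min_accounts=4) -> list:
    """Group 4625s per (source IP, window); flag bins with many failures across many accounts."""
    bins = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4625" and "IpAddress" in ev:
            bins[(ev["IpAddress"], _bucket(ev["ts"], window))].append(ev)
    findings = []
    for (src, start), evs in sorted(bins.items(), key=lambda kv: kv[0][1]):
        accounts = sorted({e["TargetUserName"] for e in evs})
        if len(evs) >= min_failures and len(accounts) >= min_accounts:
            findings.append({"source": src, "window_start": start, "window_end": start + window,
                             "failures": len(evs), "accounts": accounts})
    return findings


def success_after_spray(events, finding, grace=timedelta(minutes=10)) -> list:
    """Accounts that logged on (4624) from the spraying source during or shortly after the burst."""
    hits = set()
    for ev in events:
        if (ev.get("EventID") == "4624" and ev.get("IpAddress") == finding["source"]
                and finding["window_start"] <= ev["ts"] <= finding["window_end"] + grace
                and ev.get("TargetUserName") in finding["accounts"]):
            hits.add(ev["TargetUserName"])
    return sorted(hits)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for f in detect_spray(evs):
        print(f"{f['source']}: {f['failures']} failures vs {len(f['accounts'])} accounts "
              f"from {f['window_start']:%H:%M}; later successes: {success_after_spray(evs, f)}")
```

A spray that crosses a bin boundary can be split across two bins that each fall below threshold; a sliding window avoids that at the cost of a slightly more involved loop. The thresholds here are low so the sample triggers; in production they are tuned against the baseline of the environment.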

 

Data Theft:

Web Injection Attacks: IcedID performs man-in-the-browser web injection to steal logins for major banking and financial sites. It configures a local proxy that intercepts the victim's browser traffic and injects content into, or redirects, the targeted pages, so that credentials entered on what appears to be the legitimate site are captured by the attacker.

 

SystemBC

SystemBC is a proxy malware that gives operators a relay inside a compromised network and a channel for delivering further payloads. Discovered in 2019, it has been used in many cybercrime campaigns, usually alongside other malware such as ransomware, trojans and exploit kits.

 

Proxy and Communication:

SOCKS5 Proxy: SystemBC primarily functions as a SOCKS5 proxy on the infected machine. The operator connects through the bot, so the victim host becomes a relay for attacker tooling: the attacker's real source is hidden behind the victim's address and network controls that would block direct inbound connections are bypassed.

Secure Communication: Its channel back to the command-and-control (C2) server is encrypted, which hinders inspection by network monitoring tools and keeps the attackers' connection to the compromised system persistent.
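To make the proxy role concrete, here is the SOCKS5 exchange (RFC 1928) that a proxy of this kind speaks with the operator's client, with both sides' messages, plus the check a network sensor can use to spot a SOCKS5 greeting at the start of a flow. This is an added example written for this article; it is not SystemBC's code, it covers only the CONNECT command and the "no authentication" and "username/password" method codes, and the bot's own C2 transport is a separate matter not shown here.

```python
"""
Added example (not from the original post, not SystemBC's code): the RFC 1928
SOCKS5 handshake a proxy speaks with its client, and a first-bytes detector.
"""
import ipaddress
import struct

VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE = 0x00, 0x02, 0xFF
REP_SUCCESS = 0x00


# ---- client -> server: greeting  [VER][NMETHODS][METHODS...] ----------------
def build_greeting(methods=(METHOD_NOAUTH,)) -> bytes:
    return bytes([VER, len(methods), *methods])


def parse_greeting(buf: bytes):
    """Method list from a client greeting, or None if buf is not one (exact length check)."""
    if len(buf) < 3 or buf[0] != VER:
        return None
    n = buf[1]
    if n == 0 or len(buf) != 2 + n:
        return None
    return list(buf[2:])


# ---- server -> client: method selection  [VER][METHOD] ----------------------
def select_method(greeting: bytes, supported=frozenset({METHOD_NOAUTH})) -> bytes:
    methods = parse_greeting(greeting)
    if methods is None:
        raise ValueError("not a SOCKS5 greeting")
    for m in methods:
        if m in supported:
            return bytes([VER, m])
    return bytes([VER, METHOD_NONE])   # no acceptable method: client must close


# ---- client -> server: request  [VER][CMD][RSV][ATYP][DST.ADDR][DST.PORT] --
def build_connect(host: str, port: int) -> bytes:
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:                      # not an IP literal: send as DOMAINNAME
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname length must fit in one byte")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(buf: bytes):
    """Decode a CONNECT request into (host, port); ValueError on anything malformed."""
    if len(buf) < 4 or buf[0] != VER or buf[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    if buf[1] != CMD_CONNECT:
        raise ValueError(f"unsupported command {buf[1]:#04x}")
    atyp = buf[3]
    if atyp == ATYP_IPV4:
        off, alen = 4, 4
    elif atyp == ATYP_IPV6:
        off, alen = 4, 16
    elif atyp == ATYP_DOMAIN:
        if len(buf) < 5:
            raise ValueError("truncated request")
        off, alen = 5, buf[4]
    else:
        raise ValueError(f"bad ATYP {atyp:#04x}")
    if len(buf) != off + alen + 2:
        raise ValueError("length mismatch")
    raw = buf[off:off + alen]
    host = raw.decode("idna") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", buf[off + alen:])
    return host, port


# ---- server -> client: reply  [VER][REP][RSV][ATYP][BND.ADDR][BND.PORT] -----
def build_reply(rep=REP_SUCCESS, bind_ip="0.0.0.0", bind_port=0) -> bytes:
    ip = ipaddress.ip_address(bind_ip)
    return (bytes([VER, rep, 0x00, ATYP_IPV4 if ip.version == 4 else ATYP_IPV6])
            + ip.packed + struct.pack("!H", bind_port))


def looks_like_socks5(first_client_bytes: bytes) -> bool:
    """Sensor check on the first client-to-server bytes of a flow."""
    return parse_greeting(first_client_bytes) is not None


if __name__ == "__main__":
    g = build_greeting((METHOD_NOAUTH, METHOD_USERPASS))
    print("C>", g.hex(), "   S>", select_method(g).hex())
    req = build_connect("example.com", 443)
    print("C>", req.hex(), "->", parse_connect(req))
    print("S>", build_reply().hex())
```

The greeting check is a useful triage signal on flows to non-standard ports, but a proxy bot that wraps SOCKS inside its own encrypted C2 channel will not show these bytes on the wire; there the indicator is the host itself making many outbound connections on behalf of something else.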

Infection and Distribution:

Distribution Methods: SystemBC is typically distributed through phishing campaigns and exploit kits. It is often used in tandem with other malware families like TrickBot, Qbot, and Cobalt Strike, enhancing its versatility in cyber attacks.

Execution: Once installed, SystemBC establishes persistence by creating scheduled tasks or modifying system settings so that it runs again after a reboot.

 

Evasion Techniques:

Stealth Operations: SystemBC is designed to operate stealthily, avoiding detection by antivirus software and network defenses. It achieves this through various evasion techniques, such as code obfuscation and encrypted communication.

Payload Delivery: The malware can download and execute additional payloads, facilitating further exploitation of the compromised system. This feature makes it a valuable tool for attackers to deploy secondary malware such as ransomware.

 

Advanced Capabilities:

Modular Design: SystemBC’s modular architecture allows it to be easily updated and extended with new features, making it adaptable to different attack scenarios. This flexibility is a significant factor in its widespread use in the cybercrime ecosystem.

Integration with Other Tools: SystemBC is often used together with Cobalt Strike, a legitimate penetration-testing tool repurposed by cybercriminals. The combination supports lateral movement, data exfiltration and further compromise while the proxy hides where the attacker is coming from.

 

Pikabot 

Pikabot is a modular loader and backdoor, first observed in 2023, used for initial access and commonly for credential theft in cybercrime operations. It frequently delivers follow-on tooling such as ransomware, which makes it a versatile and dangerous component of the cybercriminal toolkit.

 

Initial Access and Infection:

Distribution Methods: Pikabot is typically distributed through phishing campaigns and malicious attachments. It often uses spear-phishing emails containing malicious links or attachments to trick users into downloading and executing the malware.

Execution: Once executed, Pikabot installs itself on the target system, establishing persistence by creating scheduled tasks or modifying system registry settings. This ensures it runs every time the system reboots.

 

Persistence and Evasion:

Stealth Techniques: Pikabot uses code obfuscation and anti-analysis checks to avoid detection. It detects virtual machines and sandboxing tools of the kind security researchers use to analyze malware and alters its behaviour when it finds them.

Evasion Methods: Pikabot employs sophisticated evasion methods such as API hooking, encryption of its communications, and using legitimate Windows processes to hide its activities. This makes it difficult for antivirus and other security solutions to detect and mitigate its presence.

 

Payload and Capabilities:

Credential Theft: Pikabot is equipped with capabilities to steal credentials from web browsers and other applications. It can capture login information, including usernames and passwords, and send them back to its command-and-control (C2) servers.

Network Communication: Pikabot uses encrypted channels to communicate with its C2 servers, ensuring that its traffic is difficult to intercept and analyze. It can also act as a downloader, retrieving and executing additional payloads from the C2 servers.

 

Integration with Other Malware:

Secondary Payload Delivery: Pikabot often serves as an initial access vector for other malware, such as ransomware and other trojans. It downloads and executes these secondary payloads, facilitating further exploitation of the compromised system.

Connections with Other Malware: Research has shown that Pikabot is sometimes used in conjunction with other malware families, such as Matanbuchus, to enhance its capabilities and increase the overall impact of the attack.

 

Smokeloader 

Smokeloader is a long-lived, modular malware downloader used to distribute other malicious software such as trojans, ransomware and information stealers. Active since at least 2011, it continues to evolve and employs a range of techniques to avoid detection and keep its foothold on infected systems.

 

Infection and Distribution:

Distribution Methods: Smokeloader is typically distributed through exploit kits, phishing campaigns and malicious advertisements. Exploit kits such as RIG have delivered Smokeloader to victims by exploiting vulnerabilities in browsers and browser plug-ins.

Payload Delivery: Once installed, Smokeloader acts as a downloader, retrieving and installing additional malicious payloads from its command-and-control (C2) servers. These payloads can include a wide variety of malware, such as banking trojans, ransomware, and credential stealers.

 

Persistence and Evasion:

Stealth Techniques: Smokeloader employs various evasion techniques to avoid detection by security solutions. These techniques include code obfuscation, process injection, and the use of encrypted communications to hide its activities from network monitoring tools.

Persistence Mechanisms: Smokeloader ensures it remains on the infected system by creating scheduled tasks or modifying system registry settings. This allows it to run every time the system is rebooted, maintaining its presence and capability to download new payloads.

 

Capabilities and Functionalities:

Modular Architecture: Smokeloader’s modular design allows it to be easily updated and extended with new features, making it adaptable to different attack scenarios and increasing its longevity in the cybercrime ecosystem.

C2 Communication: Smokeloader communicates with its C2 servers using encrypted channels, ensuring that its traffic is difficult to intercept and analyze. This secure communication allows it to receive commands, download additional payloads, and exfiltrate stolen data.

 

Impact and Usage:

Malware Distribution: Smokeloader is often used to distribute other high-profile malware families, including TrickBot, Emotet, and various ransomware strains. This makes it a critical component in many cybercrime campaigns.

Information Stealing: Some versions of Smokeloader have been equipped with information-stealing capabilities, allowing it to capture credentials, financial information, and other sensitive data from infected systems.

 

Bumblebee

Bumblebee is a loader first seen in 2022 that is used for initial access and for deploying additional payloads. It has been associated with sophisticated cybercrime operations and often acts as a precursor to ransomware attacks.

 

Infection and Distribution:

Distribution Methods: Bumblebee is typically delivered through phishing campaigns and malicious email attachments. Attackers use social engineering techniques to trick victims into opening malicious documents or links, which then execute the malware on the target system.

Execution: Upon execution, Bumblebee establishes a foothold on the system and communicates with its command-and-control (C2) servers to receive further instructions.

 

Persistence and Evasion:

Stealth Techniques: Bumblebee employs several evasion tactics to avoid detection by security solutions. These include the use of obfuscated code, encrypted communications, and sophisticated techniques to detect and bypass virtual environments and sandboxes used by security researchers.

Persistence Mechanisms: Bumblebee maintains persistence on the infected system through various methods such as creating scheduled tasks, modifying registry settings, and utilizing legitimate system processes to hide its activities.

 

Capabilities and Functionalities:

Modular Design: Bumblebee has a modular architecture, allowing it to download and execute additional payloads based on instructions from its C2 servers. This flexibility makes it a versatile tool for attackers.

Information Stealing: Bumblebee can collect system information, capture credentials, and exfiltrate sensitive data from infected systems.

Secondary Payload Delivery: Bumblebee is often used to deploy other malware, including ransomware, banking trojans, and other malicious software. This makes it an integral part of larger cybercrime campaigns.

 

Impact and Usage:

Cybercrime Campaigns: Bumblebee has been linked to various cybercrime groups and campaigns, including those involving ransomware attacks. It acts as a delivery mechanism for more destructive malware, amplifying the overall impact of the attack.

Sophisticated Operations: The malware's advanced evasion techniques and modular capabilities indicate that it is part of well-coordinated, professionally run cybercriminal operations.

 

Trickbot 

Trickbot is a notorious banking trojan that has evolved into a highly versatile and modular malware framework used for a variety of malicious activities. Initially focused on stealing banking credentials, Trickbot has grown to include modules for credential harvesting, reconnaissance, and payload delivery, making it a significant threat in the cybercrime landscape.

 

Infection and Distribution:

Distribution Methods: Trickbot is often distributed through phishing emails, malicious attachments, and other malware such as Emotet. These initial infection vectors allow Trickbot to establish a foothold on victim systems before deploying its various modules.

Payload Delivery: Once installed, Trickbot can download and execute additional payloads from its command-and-control (C2) servers. These payloads can include other malware, such as ransomware (e.g., Ryuk) and additional trojans.

 

Persistence and Evasion:

Stealth Techniques: Trickbot employs various evasion tactics to avoid detection by security solutions. These include code obfuscation, the use of encrypted communications for C2, and techniques to avoid sandbox analysis.

Persistence Mechanisms: Trickbot ensures persistence on infected systems by creating scheduled tasks, modifying registry keys and using other techniques so that it survives reboots.
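Scheduled tasks and registry autorun entries recur in every family on this page (the persistence paragraphs for IcedID, Pikabot, Smokeloader, Bumblebee and Trickbot above), so one detection serves all of them. The following is an added example written for this article, not any of these families' code or a vendor's rule: it triages constructed Windows telemetry, parsing the TaskContent XML of Security event 4698 (scheduled task created) and the value written in Sysmon event 13 (registry value set) under a CurrentVersion\Run* key, and flags an entry when the launched command references a user-writable directory, additionally tagging it when a LOLBin such as rundll32.exe is the launcher. The dict record format, sample paths and directory lists are assumptions of the example.

```python
"""
Added example (not from the original post): triage of scheduled-task and
registry Run-key persistence over constructed Windows telemetry.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\windows\\tasks\\")
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\", re.I)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# 4698 carries the task XML with a UTF-16 declaration; ElementTree refuses that
# declaration on a str, so it is stripped before parsing.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>\s*")

# Constructed sample events; not a real export.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\Microsoft\\Windows\\Update Check",
     "TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\\Users\\alice\\AppData\\Roaming\\Kqtx\\license.dat,#1</Arguments>
  </Exec></Actions>
</Task>"""},
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>%windir%\\system32\\defrag.exe</Command>
    <Arguments>-c -h -o -$</Arguments>
  </Exec></Actions>
</Task>"""},
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1004336348-1177238915-682003330-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveUpd",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"},
    {"EventID": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "C:\\Windows\\system32\\SecurityHealthSystray.exe"},
]


def _from_user_writable(cmdline: str) -> bool:
    return any(d in cmdline.lower() for d in USER_WRITABLE)


def _is_lolbin(command: str) -> bool:
    return ntpath.basename(command.strip('"')).lower() in LOLBINS


def task_exec(task_xml: str):
    """(Command, Arguments) of the first Exec action in a 4698 TaskContent blob, or None."""
    root = ET.fromstring(XML_DECL.sub("", task_xml, count=1))
    ex = root.find(".//t:Exec", TASK_NS)
    if ex is None:
        return None
    return (ex.findtext("t:Command", default="", namespaces=TASK_NS).strip(),
            ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip())


def check_event(ev: dict):
    """Finding dict for a suspicious persistence event, else None."""
    if ev.get("EventID") == 4698:
        ex = task_exec(ev.get("TaskContent", ""))
        if ex is None:
            return None
        command, args = ex
        cmdline, what = f"{command} {args}".strip(), "scheduled_task"
    elif ev.get("EventID") == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        command = cmdline = ev.get("Details", "")
        what = "run_key"
    else:
        return None
    if not _from_user_writable(cmdline):
        return None
    rule = what + "_user_writable_payload" + ("_via_lolbin" if _is_lolbin(command) else "")
    return {"rule": rule, "name": ev.get("TaskName") or ev.get("TargetObject"),
            "command": cmdline, "user": ev.get("SubjectUserName")}


def triage(events) -> list:
    return [f for f in map(check_event, events) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Event 4698 is only produced when "Audit Other Object Access Events" is enabled in the advanced audit policy; without it, the same information has to come from the Task Scheduler operational log or from Sysmon file-creation events under C:\Windows\System32\Tasks.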

 

Capabilities and Functionalities:

Banking Credential Theft: Trickbot was originally designed to steal banking credentials by injecting malicious code into web browsers. This allows it to capture login details and other sensitive information when victims access online banking services.

Modular Design: Trickbot’s modular architecture enables it to perform a wide range of functions. Modules can be downloaded on-demand to extend its capabilities, such as network reconnaissance, email harvesting, and spreading to other systems within a network.

Credential Harvesting: In addition to banking credentials, Trickbot can harvest a variety of other credentials, including email accounts, web browsing data, and system information. This information is used to further infiltrate and exploit victim networks.

Ransomware Deployment: Trickbot often serves as a precursor to ransomware attacks, such as those involving Ryuk. It lays the groundwork by disabling security measures and spreading laterally within networks, making subsequent ransomware deployments more effective.

 

Impact and Usage:

Cybercrime Campaigns: Trickbot is a significant tool in the arsenal of cybercriminal groups. It has been used in large-scale cybercrime campaigns, often in conjunction with other malware like Emotet and Ryuk, to maximize the impact of attacks.

Data Exfiltration: Trickbot’s ability to steal and exfiltrate a wide range of data makes it a valuable asset for cybercriminals looking to monetize stolen information or leverage it for further attacks.

 

After these descriptions, let's turn to the latest developments in Operation Endgame. The Frankfurt am Main Public Prosecutor General's Office with its Central Office for Combating Internet Crime (ZIT) and the Federal Criminal Police Office (BKA) have published the identities of people behind these droppers. ZIT and the BKA have issued arrest warrants for these individuals and are asking for the public's help. Their details follow.

 

 

GRUBER, Airat Rustemovich

Airat Rustemovich GRUBER is wanted on suspicion of computer sabotage and other criminal offenses in a particularly serious case.

Airat Rustemovich GRUBER is suspected of having contributed significantly to global cyberattacks as the administrator of a botnet of the "Smokeloader" malware. In particular, he is suspected of illegally gaining access to several hundred thousand victim systems. He likely used this access and control over the infected systems to exfiltrate data and to download third-party malware onto them for payment. The downloaded malware included information stealers that harvest access credentials and other sensitive data and transmit them to the perpetrators, and ransomware used to encrypt victim systems and then extort their owners.

https://www.bka.de/DE/IhreSicherheit/Fahndungen/Personen/BekanntePersonen/Endgame/GA/Fahndung_GA.html?nn=230514

 

KUCHEROV, Oleg Vyacheslavovich

Oleg Vyacheslavovich KUCHEROV is suspected of having made a significant contribution to carrying out global cyberattacks as a member of the group behind the Trickbot malware. In particular, it is suspected that the wanted person searched for new ways for the group to infect and infiltrate foreign systems undetected under the pseudonym gabr. As an accomplice, the wanted person thus supported the ongoing use and further development of the malware, which the group used to infiltrate foreign computer systems and steal data.

https://www.bka.de/DE/IhreSicherheit/Fahndungen/Personen/BekanntePersonen/Endgame/KO/Fahndung_KO.html?nn=230514

 

POLYAK, Sergey Valerievich

Sergey Valerievich POLYAK is suspected of having made a significant contribution to the execution of global cyberattacks as a member of the group behind the Trickbot malware. In particular, it is suspected that the wanted person searched for new potential victims for the group under the pseudonym cypher and investigated opportunities for targeted attacks. As an accomplice, the wanted person thus supported the ongoing use and further development of malware in order to infiltrate foreign computer systems and steal data.

https://www.bka.de/DE/IhreSicherheit/Fahndungen/Personen/BekanntePersonen/Endgame/PS/Fahndung_PS.html?nn=230514

 

ANDREEV, Fedor Aleksandrovich

Fedor Aleksandrovich ANDREEV is suspected of having made a significant contribution to carrying out global cyberattacks as a member of the group behind the Trickbot malware. In particular, it is suspected that the wanted person initially acted as a tester for the malware developed for the group under the pseudonyms azot and angelo and later took on the position of team leader within the group. As an accomplice, the wanted person thus supported the ongoing use and further development of malware in order to infiltrate foreign computer systems and steal data.

TESMAN, Georgy Sergeevich

Georgy Sergeevich TESMAN is suspected of having made a significant contribution to the execution of global cyberattacks as a member of the group behind the Trickbot malware. In particular, it is suspected that the wanted person acted as a so-called crypter for the group under the pseudonym core and in this function ensured that the malicious code was disguised in order to remain undetected by antivirus programs. As an accomplice, the wanted person thus supported the ongoing deployment and further development of the malware, which the group used to infiltrate foreign computer systems and steal data.

BRAGIN, Anton Alexandrovich

Anton Alexandrovich BRAGIN is suspected of having made a significant contribution to the execution of global cyberattacks as a member of the group behind the Trickbot malware. In particular, it is suspected that the wanted person worked as a programmer for the group under the pseudonym hector to improve the admin panel for managing the criminal infrastructure. As an accomplice, the wanted person thus supported the ongoing use and further development of the malware in order to use it to infiltrate other people’s computer systems and steal data.

https://www.bka.de/DE/IhreSicherheit/Fahndungen/Personen/BekanntePersonen/Endgame/BA/Fahndung_BA.html?nn=230514

 

CHEREPANOV, Andrei Andreyevich

Andrei Andreyevich CHEREPANOV is suspected of having made a significant contribution to carrying out global cyberattacks as a member of the group behind the Trickbot malware. In particular, it is suspected that the wanted person worked for the group as a programmer on a spam bot under the pseudonyms fast and basil. At a later point in time, the wanted person also presumably acted as a crypter and in this function ensured that the malicious code was disguised so that it would remain undetected by anti-virus scanners. As an accomplice, the wanted person thus supported the ongoing use and further development of the malware in order to use it to infiltrate other people's computer systems and steal data.

CHERESHNEV, Nikolai Nikolaevich

Nikolai Nikolaevich CHERESHNEV is suspected of having made a significant contribution to the execution of global cyberattacks as a member of the group behind the Trickbot malware; in particular, it is suspected that the wanted person worked under the pseudonym biggie for the group on the maintenance of the VPN infrastructure (Virtual Private Network). In addition, the wanted person presumably acted as a so-called crypter and in this function ensured that the malicious code was disguised in order to remain undetected by antivirus programs. In this way, the wanted person supported the ongoing use and further development of the malware, which the group used to infiltrate foreign computer systems and steal data.

These individuals are also listed on Europol's EU Most Wanted list.

Future Steps of the Operation

The impact of Operation Endgame is not limited to the dates of the action itself. Europol and the participating agencies have announced follow-up actions and continue to search for suspects who have not yet been apprehended. Updates on further operations and measures are published on Europol's website.

 

Operation Endgame Conclusion

Operation Endgame was a milestone as the largest operation to date against the botnet and dropper ecosystem. It demonstrated how effective international cooperation and coordination can be, and actions of this kind against the criminal infrastructure that precedes ransomware are critical for a safer digital world.