Law enforcement operation takes aim at an often-overlooked cybercrime linchpin

An international cast of law enforcement agencies has struck a blow at a cybercrime linchpin that’s as obscure as it is instrumental in the mass-infection of devices: so-called droppers, the sneaky software that’s used to install ransomware, spyware, and all manner of other malware.

Europol said Wednesday it made four arrests, took down 100 servers, and seized 2,000 domain names that were facilitating six of the best-known droppers. Officials also added eight fugitives linked to the enterprises to Europe’s Most Wanted list. The droppers named by Europol are IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot.

Droppers provide two specialized functions. First, they use encryption, code-obfuscation, and similar techniques to cloak malicious code inside a packer or other form of container. These containers are then put into email attachments, malicious websites, or alongside legitimate software available through malicious web ads. Second, the malware droppers serve as specialized botnets that facilitate the installation of additional malware.

In years past, droppers were unique to many different malware families. As evasion techniques have gotten harder and the cybercrime landscape has grown evermore specialized, droppers have become stand-alone services of their own. A single unnamed suspect in the investigation has pocketed nearly $75 million in cryptocurrency, Europol said. Investigators are now actively seeking ways to seize the digital funds.

By disrupting a half-dozen of the most active droppers, law enforcement officials hope to sever the infrastructures that are crucial for the larger malware and botnet ecosystem to thrive. Operation Endgame, the name Europol gave to the takedown effort, is the largest operation to ever target botnets, the officials said.

“Operation Endgame does not end today,” the officials said. “New actions will be announced on the website Operation Endgame.”

Under the operation, the officials have:

• Arrested four individuals (three in Ukraine and one in Armenia)
• Served 16 location searches (11 in Ukraine, three in Portugal, one in Armenia, and one in the Netherlands)
• Taken down or disrupted more than 100 servers located in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the UK, the US, and Ukraine
• Seized more than 2,000 domains

Countries participating in Operation Endgame include Denmark, France, Germany, the Netherlands, the UK, and the US. Private partners included Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus, DIVD, abuse.ch, and Zscaler.

Wednesday’s Europol notice stated:

Europol facilitated the information exchange and provided analytical, crypto-tracing and forensic support to the investigation. To support the coordination of the operation, Europol organized more than 50 coordination calls with all the countries as well as an operational sprint at its headquarters.

Over 20 law enforcement officers from Denmark, France, Germany and the United States supported the coordination of the operational actions from the command post at Europol and hundreds of other officers from the different countries involved in the actions. In addition, a virtual command post allowed real-time coordination between the Armenian, French, Portuguese and Ukrainian officers deployed on the spot during the field activities.

The command post at Europol facilitated the exchange of intelligence on seized servers, suspects and the transfer of seized data. Local command posts were also set up in Germany, the Netherlands, Portugal, the United States and Ukraine. Eurojust supported the action by setting up a coordination center at its headquarters to facilitate the judicial cooperation between all authorities involved. Eurojust also assisted with the execution of European Arrest Warrants and European Investigation Orders.

The officials also added the names, pictures, and descriptions of eight men to Europol’s most wanted list:

The officials further announced operation-endgame.com, a site dedicated to the continued crackdown on droppers. It adopts much of the same swagger and smack talk ransomware name-and-shame sites direct at victims and targets. FBI officials similarly trolled members of the LockBit ransomware syndicate in February when they set up a site following a separate disruption operation.

“International law enforcement and partners have joined forces,” Operation Endgame investigators wrote. “We have been investigating you and your criminal undertakings for a long time and we will not stop here.”