An international coalition of police organized by the European Union’s justice and police agencies has revealed an ongoing operation against malware droppers that Europol calls the “largest ever operation” of its kind.
Called “Operation Endgame,” the ongoing initiative targets malware delivery “droppers” and “loaders,” and is an attempt to disrupt large-scale malware deployments.
Between May 27 and May 29, police arrested four people, seized more than 100 servers and took control of more than 2,000 domains. Arrests were made in Ukraine and Armenia, and servers were taken down or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the U.K., the U.S. and Ukraine.
The operation was led by law enforcement in France, Germany and the Netherlands, with support from Denmark, the U.K., the U.S. and the European Union’s justice cooperation agency, Eurojust.
Attackers drop malware through scam emails, websites or downloads
Droppers and loaders quietly install other malware on a system, typically after a victim opens a scam email attachment, visits a compromised website or runs a trojanized download. Because a malware-as-a-service economy grows up around supplying these tools, law enforcement went after the individuals and infrastructure behind them, aiming, in Europol's words, to "simultaneously take down these botnets and disrupt the infrastructure used by cybercriminals."
The malware droppers and loaders targeted by Operation Endgame include Bumblebee, IcedID, Smokeloader, and Trickbot.
“Many of the victims were not aware of the infection of their systems,” Europol wrote on the Operation Endgame website. “The estimated financial loss these criminals have caused to companies and government institutions amounts to hundreds of millions of euros.” One euro today is worth USD $1.08.
One suspect earned at least €69 million in cryptocurrency by renting out criminal infrastructure used to deploy ransomware, said Europol.
Operation Endgame is ongoing, with eight people considered fugitives by the operation and added to Europe’s Most Wanted list on May 30.
“The fight against borderless cybercrime does not end here, and the FBI is committed to tackling this ever-evolving threat,” said FBI Director Christopher Wray in a press release.
How organizations can defend against malware
Much of the malware distributed by the droppers and loaders disrupted in Operation Endgame arrived as email attachments, through compromised websites or bundled with free downloads of otherwise legitimate software. Organizations should treat this law enforcement action as an opportunity to remind employees to be wary of advertisements for free software and of email attachments from unexpected senders, and to refresh their guidance on cybersecurity best practices and how to spot the signs of phishing.
“One key feature present in multiple of the disrupted botnets is the ability to automate ‘thread hijacking’ or injecting content into legitimate email threads which have been scraped, manipulated, and then sent back to accounts which may have already participated in the conversation thread or other accounts within the company,” said Daniel Blackford, director of threat research at Proofpoint, in an email to TechRepublic.
Cybersecurity company Proofpoint contributed to Operation Endgame.
“The key message: you can’t inherently trust file attachments randomly inserted into legitimate conversation threads,” Blackford said. Instead, “When possible, confirm with your colleague directly that any transfer of files or sharing of URLs, especially to filesharing hosts, is intentional and expected.”
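The thread-hijacking pattern Blackford describes can be triaged mechanically before a human has to make the out-of-band call he recommends. The script below is an added example, not code from the article, Proofpoint or Europol: it walks a mailbox of RFC 5322 messages along their In-Reply-To and References headers, and flags any reply whose sender never sent or received an earlier message in that thread and which carries an attachment or a link to a file-sharing host. The mailbox, the look-alike sender domain and the `FILESHARE_HOSTS` list are all constructed for the example; tune the host list to your own environment.

```python
"""Heuristic triage for email thread hijacking.

Added example, not code from the article or from Proofpoint/Europol.
Assumes messages are threaded via Message-ID / In-Reply-To / References
and that the original thread messages are available in the same mailbox.
The sample mailbox and host list below are constructed for the example.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Hosts an attacker commonly uses to hand off a loader (hypothetical list).
FILESHARE_HOSTS = {"wetransfer.com", "dropbox.com", "drive.google.com", "1drv.ms"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def _addrs(msg, *headers):
    """Lower-cased email addresses found in the given headers."""
    found = set()
    for hdr in headers:
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            if addr:
                found.add(addr.lower())
    return found


def _referenced_ids(msg):
    """Message-IDs this message claims to be a reply to."""
    ids = msg.get("References", "").split()
    if msg.get("In-Reply-To"):
        ids.append(msg["In-Reply-To"].strip())
    return ids


def thread_participants(msg, by_id):
    """Every address that sent or received an ancestor of msg, walking the
    reference chain through messages we actually hold (by_id: Message-ID -> msg)."""
    participants, seen, stack = set(), set(), list(_referenced_ids(msg))
    while stack:
        mid = stack.pop()
        if mid in seen or mid not in by_id:
            continue
        seen.add(mid)
        ancestor = by_id[mid]
        participants |= _addrs(ancestor, "From", "To", "Cc")
        stack.extend(_referenced_ids(ancestor))
    return participants


def risky_payload(msg):
    """Reasons a message could deliver a dropper: attachments or file-sharing links."""
    reasons = []
    names = [p.get_filename() or "unnamed" for p in msg.iter_attachments()]
    if names:
        reasons.append("attachment: " + ", ".join(names))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for host in URL_RE.findall(text):
        host = host.lower()
        if any(host == h or host.endswith("." + h) for h in FILESHARE_HOSTS):
            reasons.append("file-sharing link: " + host)
    return reasons


def find_hijack_candidates(raw_messages):
    """Return [(Message-ID, [reasons])] for replies whose sender never took part
    in the thread they continue and which carry a risky payload."""
    msgs = [message_from_string(raw, policy=policy.default) for raw in raw_messages]
    by_id = {m["Message-ID"]: m for m in msgs if m["Message-ID"]}
    hits = []
    for m in msgs:
        if not _referenced_ids(m):
            continue  # not a reply; hijacking needs an existing thread
        sender = parseaddr(m.get("From", ""))[1].lower()
        participants = thread_participants(m, by_id)
        if sender in participants:
            continue  # a known correspondent continuing their own thread
        payload = risky_payload(m)
        if payload:
            reason = f"sender {sender} not in thread {sorted(participants)}"
            hits.append((m["Message-ID"], [reason] + payload))
    return hits


def _build(sender, to, subject, body, msg_id, parents=(), attach=None):
    """Build a raw RFC 5322 message for the constructed sample mailbox."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"], m["Message-ID"] = sender, to, subject, msg_id
    if parents:
        m["In-Reply-To"] = parents[-1]
        m["References"] = " ".join(parents)
    m.set_content(body)
    if attach:
        m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                         subtype="pdf", filename=attach)
    return m.as_string()


# Constructed sample: a real thread, a legitimate reply with an attachment,
# a look-alike sender injecting a file-sharing link, and a harmless newcomer.
SAMPLE_MAILBOX = [
    _build("alice@example.com", "bob@partner.test", "Q2 invoice",
           "Hi Bob, please confirm the PO.", "<1@example.com>"),
    _build("bob@partner.test", "alice@example.com", "Re: Q2 invoice",
           "Confirmed, PO attached.", "<2@partner.test>",
           ("<1@example.com>",), attach="PO-4471.pdf"),
    _build("Bob <bob@partner-mai1.xyz>", "alice@example.com", "Re: Q2 invoice",
           "Updated version here: https://wetransfer.com/downloads/abc123",
           "<3@partner-mai1.xyz>", ("<1@example.com>", "<2@partner.test>")),
    _build("carol@example.com", "alice@example.com", "Re: Q2 invoice",
           "Looping myself in, no action needed.", "<4@example.com>",
           ("<1@example.com>",)),
]

if __name__ == "__main__":
    for mid, reasons in find_hijack_candidates(SAMPLE_MAILBOX):
        print(mid, reasons)
```

Only the look-alike reply is flagged: Bob's genuine reply carries an attachment but comes from an address already in the thread, and Carol is new to the thread but sends nothing risky. The caveat is the one Blackford's quote implies: when the attacker sends from the compromised mailbox of a real participant, the From address matches and this check passes, so the heuristic narrows the queue for the out-of-band confirmation he recommends rather than replacing it.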