
International Law Enforcement Operation Cracks Down on Some of the Biggest Dropper Malware and Botnets

A Europol-headed law enforcement operation has put a serious dent in the “dropper” malware ecosystem, crippling some of the biggest players and netting multiple arrests and server seizures. The focus was on disrupting the botnets that these dropper systems rely on to function, with over 100 servers and 2,000 domains disrupted across about a dozen countries.

Europol is promising that “Operation Endgame” is not yet over. The agency has launched a website to provide updates on the law enforcement operation, and says that it is tracking suspects and planning to make more arrests in the near future.

Law enforcement operation involved eight countries, dozens of officers

The massive law enforcement operation was headquartered in Europe and involved officers from multiple agencies in Denmark, France, Germany, Portugal and the Netherlands. But it also saw participation from the United States, United Kingdom and Ukraine.

The malware dropper ecosystem is essentially a collection of services that sell initial access to target computers. The dropper itself generally does little damage on its own; its purpose is to establish a foothold through which the attackers then load the malware of their choice (most often ransomware). Malware droppers rely on massive botnets of compromised devices to evade automated security screening on target networks and devices, persistently pushing malicious emails or links to victims or attempting to guess passwords.

One of the biggest examples of a dropper, and one that was included in the law enforcement operation, is TrickBot. TrickBot was first uncovered in 2016 and sported one of the largest botnets for years, leveraging it to deliver a broad variety of services of interest to cyber criminals. It has also proven very resilient, surviving prior raids and a coordinated 2020 attack by the US Defense Department that took out a great deal of its capability.

In addition to TrickBot, the law enforcement operation named IcedID, SystemBC, Pikabot, SmokeLoader, and Bumblebee as other “high value targets” disrupted during the campaign. Collectively, the action is the largest ever undertaken against botnets. It included 16 location searches, most of them in Ukraine, along with three arrests there and one in Armenia. A total of 100 servers were either seized or disrupted in about 10 different countries, along with the seizure of about 2,000 domain names the botnets were using to operate.

Disrupted botnets have shown tenacity; battle is far from over

While the law enforcement operation is not over, the botnets are far from finished either. TrickBot has already bounced back once, after losing more than 90% of its capacity in the prior operation in 2020. Arrests of key figures are the most important element in making these takedowns stick, and Europol has named eight additional suspects and added them to its most-wanted list.

TrickBot is probably the most familiar name included in the law enforcement operation, but it also took down 911 S5, currently thought to be the biggest of the world’s botnets. The US Department of Justice arrested Chinese national YunHe Wang as the operator of 911 S5 and seized more than 20 properties from him, along with sports cars and luxury watches. Wang is thought to have personally made about $99 million from operating the botnet, which has frequently been used by ransomware gangs since 2014. During its lifespan, 911 S5 is thought to have compromised at least 19 million devices across 200 countries. The arrest of the central operator makes it much more likely that this takedown will stick; Wang faces the possibility of 65 years in prison if given the maximum sentence on all of the charges against him.

Dropper botnets have tended to be longer-lived than other cyber crime services, such as ransomware-as-a-service (RaaS); two others caught in the law enforcement operation, SmokeLoader and IcedID, each operated for well over a decade. All of the heads of the hydra have to be cut off, or it is relatively easy for these services to compromise a new collection of devices and get right back to business. It is not yet clear whether the operation remotely disabled dropper malware already installed on victim devices, or simply took the command-and-control servers out of commission.

Toby Lewis, Global Head of Threat Analysis at Darktrace, notes that recovery for some of the botnets could be relatively quick if the latter of those two possibilities is the case: “The authorities may have control of the infrastructure now; however, countless devices likely remain infected with dormant botnet malware. Seizing servers is just the first step – they need to act quickly to notify victims and provide clear guidance on removing malware and securing systems. Worst case scenario, attackers could regain command of a seized domain and swiftly reactivate the compromised devices that have been lying in wait. Law enforcement must remain vigilant, closely monitoring for any signs of the criminals attempting to establish new command and control servers or resurging botnet activity. If the attackers try to regain their foothold, authorities need to be ready to rapidly alert victims. Cleaning up the aftermath and preventing reinfection will require sustained effort and coordination between international partners and private industry. Transparently communicating the scope of the impact and key remediation steps will be critical to help victims recover. While this sting represents significant progress, it’s just one successful operation in the ongoing fight against cybercrime. Cybercriminals are persistent and adaptive. We must remain equally diligent and proactive.”

Droppers are far from out of business either way, but the takedown of this many major players in short order will certainly cause disruption among cyber criminals while comparable alternatives are built up. Europol seems determined to keep pace with them, calling this recent action just “Season 1” of an open-ended law enforcement campaign.

Chris Morales, Chief Information Security Officer at Netenrich, highlights the role that AI is very likely to play in detection and ongoing action against these botnets: “The recent actions taken against botnets have deep implications for the cybersecurity industry. These operations disrupt the core infrastructure of cybercrime, targeting networks of compromised devices that are often used for malicious activities, such as DDoS attacks and data theft. These takedowns are not just significant events, they are pivotal in reducing the threat landscape. By dismantling botnets, not only are immediate threats prevented, but cybercriminals’ operational capacity is also weakened. This aligns with our strategy of leveraging AI and data-driven insights for threat management, as outlined in our approach to Adaptive MDR and autonomic security operations. The emphasis on botnet dismantling underscores the criticality of proactive and adaptive security measures. Organizations can bolster their security posture by anticipating and neutralizing threats before they cause significant damage, ensuring resilience against evolving cyber threats.”

Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd, adds: “The cross-country coordination was stellar, and there’s clearly a pattern of ‘AUKUS saber-rattling’ going on here. The material impact to attackers is that they’ve just had it laid out to them, very clearly, that there’s a capable, resourced, and persistent threat in play on the defender side.”