Global law enforcement recently announced Operation Endgame, a widespread effort to disrupt malware and botnet infrastructure and identify the alleged individuals associated with the activity. In a press release, Europol called it the “largest ever operation against botnets, which play a major role in the deployment of ransomware.”
In collaboration with private sector partners, including Proofpoint, the efforts disrupted the infrastructure of IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and Trickbot. Per Europol, in conjunction with the malware disruption, the coordinated action led to four arrests, over 100 servers taken down across 10 countries, over 2,000 domains brought under the control of law enforcement, and illegal assets frozen.
Malware Details
SmokeLoader
SmokeLoader is a downloader that first appeared in 2011 and is popular among threat actors. It is a modular malware with various stealer and remote access capabilities, and its main function is to install follow-on payloads. Proofpoint observed SmokeLoader in hundreds of campaigns since 2015, and it was historically used by major initial access brokers including briefly by TA577 and TA511 in 2020. Many SmokeLoader campaigns are not attributed to tracked threat actors, as the malware is broadly available for purchase on various forums. Its author claims to only sell to Russian-speaking users.
Proofpoint has observed approximately a dozen SmokeLoader campaigns in 2024, with the malware leading to the installation of Rhadamanthys, Amadey, and various ransomware. Many SmokeLoader campaigns from 2023 through 2024 are attributed to an actor known as UAC-0006 that targets Ukrainian organizations with phishing lures related to “accounts” or “payments.”
SystemBC
SystemBC is a proxy malware and backdoor leveraging SOCKS5 first identified by Proofpoint in 2019. Initially observed being delivered by exploit kits, it eventually became a popular malware used in ransomware-as-a-service operations. Proofpoint rarely observes SystemBC in email threat data, as it is typically deployed post-compromise. However, our researchers observed it used in a handful of campaigns from TA577 and TA544, as well as dropped by TA542 following Emotet infections.
IcedID
IcedID is a malware originally classified as a banking trojan and first detected by Proofpoint in 2017. It also acted as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot.
Proofpoint has observed nearly 1,000 IcedID campaigns since 2017. This malware was a favored payload by numerous initial access brokers including TA511, TA551, TA578, and occasionally TA577 and TA544, as well as numerous unattributed threats It was also observed dropped by TA542, the Emotet threat actor, which was the only actor observed using the “IcedID Lite” variant Proofpoint identified in 2022. IcedID was often the first step to ransomware, with the malware being observed as a first-stage payload in campaigns leading to ransomware including Egregor, Sodinokibi, Maze, Dragon Locker, and Nokoyawa.
Proofpoint has not observed IcedID in campaign data since November 2023, after which researchers observed campaigns leveraging the new Latrodectus malware. It is likely the IcedID developers are also behind Latrodectus malware.
IcedID’s widespread use by advanced cybercriminal threats made it a formidable malware on the ecrime landscape. Its disruption is great news for defenders.
Pikabot
Pikabot is a malware that has two components, a loader and a core module, designed to execute arbitrary commands and load additional payloads. Pikabot’s main objective is to download follow-on malware. Pikabot first appeared in campaign data in March 2023 used by TA577 and has since been almost exclusively used by this actor. Pikabot became TA577’s favored payload after law enforcement announced the Qbot disruption in August 2023. Proofpoint has not observed Pikabot in email campaign data since March 2024.
TA577 is one of the most sophisticated and persistent cybercriminal threats, and the disruption to its most reliable malware distribution will likely once again force this actor to retool and redevelop its tactics.
Bumblebee
Bumblebee is a sophisticated downloader first observed in March 2022. Bumblebee’s objective is to download and execute additional payloads. Proofpoint researchers observed Bumblebee dropping payloads including Cobalt Strike, shellcode, Sliver, and Meterpreter, and assessed with high confidence the Bumblebee loader can be used to deliver follow-on ransomware. Bumblebee was used by multiple cybercriminal threat actors including initial access brokers and was a favored payload from its first appearance in March 2022 through October 2023 before disappearing, but it reemerged in February 2024.
Proofpoint has observed over 200 Bumblebee campaigns since it was first identified, with less than 10 campaigns observed so far in 2024. Researchers observed cybercriminal threat actors including TA579, TA580, TA581, TA551 as well as multiple unattributed threat clusters deliver Bumblebee from 2022 through 2024.
Its return to the landscape in February 2024 and subsequent campaigns suggested actors were returning to the malware after a brief lull. The disruption is a blow to criminals who used Bumblebee as an initial access payload.
Proofpoint’s Support
Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever it is possible and appropriate to do so, and as is the case with this operation, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware threats.