Global law enforcement announced Operation Endgame, a wide-scale effort to disrupt malware and botnet infrastructure and to identify the individuals allegedly involved. Europol described it as the largest-ever botnet takedown, disrupting infrastructure for IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and Trickbot. #IcedID #SystemBC #Pikabot #SmokeLoader #Bumblebee #Trickbot
Keypoints
- Operation Endgame involved law enforcement and private partners, targeting botnet infrastructure across 10 countries; it resulted in four arrests and the takedown of over 100 servers.
- More than 2,000 domains were brought under law enforcement control as part of the disruption.
- The operation disrupted six malware families: SmokeLoader, SystemBC, Pikabot, Bumblebee, IcedID, and Trickbot.
- SmokeLoader is a long-running downloader that installs follow-on payloads and has been linked to campaigns since 2015, including use by various initial access actors and recent activity in 2024.
- SystemBC is a SOCKS5 proxy/backdoor used after initial compromise, observed in campaigns linked to multiple threat actors and dropped after Emotet infections in some cases.
- IcedID is a banking trojan and loader that has served as a first-stage payload for ransomware families and was widely used by many actors since 2017, with activity tapering after 2023.
- Pikabot and Bumblebee are downloaders/loaders that deliver follow-on payloads; Pikabot has been tied to TA577, while Bumblebee has been used by several actors and reemerged in 2024.
- Proofpoint researchers contributed technical expertise to map botnet infrastructure, enabling law enforcement to identify servers and remediate threats.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Used to deliver SmokeLoader via a macro-enabled document; ‘Example macro-enabled document delivering SmokeLoader in a May 2024 campaign.’
- [T1059.005] Visual Basic – Macro-enabled document used to execute code and deliver SmokeLoader; ‘Example macro-enabled document delivering SmokeLoader in a May 2024 campaign.’
- [T1105] Ingress Tool Transfer – SmokeLoader’s main function as a downloader is to install follow-on payloads; ‘main function is to install follow-on payloads.’
- [T1090] Proxy – SystemBC is a proxy malware and backdoor leveraging SOCKS5; ‘SystemBC is a proxy malware and backdoor leveraging SOCKS5.’
- [T1071.001] Web Protocols – The IcedID Loader contacts a Loader C2 server to download the DLL Loader, which then delivers the IcedID Bot; ‘contacts a Loader C2 server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot.’
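The SmokeLoader delivery chain above (T1566.001 spearphishing attachment, T1059.005 VBA macro) starts with a macro-enabled Office document. The following attachment triage routine is an added example written for this page; it is not code from Proofpoint, Europol, or any of the malware families discussed. It inspects an OOXML attachment for the parts that indicate embedded VBA (a vbaProject.bin part, or a macroEnabled content type in [Content_Types].xml), flags legacy OLE2 containers for deeper inspection with a dedicated parser such as oletools’ olevba, and notes extension/content mismatches that are common in lures. The function and variable names, and the sample documents it builds in memory, are constructed for the example.

```python
"""Triage Office attachments for embedded VBA (T1566.001 / T1059.005).

Added example for this page; names and sample data are constructed, not taken from
the original text or any vendor tooling.
"""
import io
import re
import zipfile

# OOXML part that holds compiled VBA for Word, Excel, and PowerPoint packages.
VBA_PART_RE = re.compile(r"(?i)^(word|xl|ppt)/vbaProject\.bin$")
# Content types of macro-enabled packages contain "macroEnabled" (e.g.
# application/vnd.ms-word.document.macroEnabled.main+xml).
MACRO_CT_RE = re.compile(r"macroEnabled", re.IGNORECASE)
# Legacy OLE2 compound-file magic (.doc/.xls). VBA lives in OLE streams there,
# which this example does not parse; such files are only flagged for follow-up.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Extensions that should never carry VBA; a mismatch is a strong lure signal.
MACRO_FREE_EXTS = ("docx", "dotx", "xlsx", "xltx", "pptx", "potx")


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict: format, has_vba, and the reasons behind the call."""
    verdict = {"name": filename, "format": "unknown", "has_vba": False, "reasons": []}
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    if data.startswith(OLE2_MAGIC):
        verdict["format"] = "ole2"
        verdict["reasons"].append("legacy OLE2 container; inspect with an OLE/VBA parser")
        return verdict

    if not data.startswith(b"PK\x03\x04"):
        return verdict  # not an Office package at all

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict["reasons"].append("zip signature but unreadable archive")
        return verdict

    verdict["format"] = "ooxml"
    names = zf.namelist()

    # Signal 1: the compiled macro container itself is present.
    for name in names:
        if VBA_PART_RE.match(name):
            verdict["has_vba"] = True
            verdict["reasons"].append(f"contains {name}")

    # Signal 2: the package declares a macro-enabled content type.
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if MACRO_CT_RE.search(content_types):
            verdict["has_vba"] = True
            verdict["reasons"].append("content type declares macroEnabled")

    # Signal 3: the file name claims a macro-free format but carries VBA.
    if verdict["has_vba"] and ext in MACRO_FREE_EXTS:
        verdict["reasons"].append(f"extension .{ext} claims macro-free format")

    return verdict


def build_sample_docx(with_vba: bool) -> bytes:
    """Construct a minimal Word package in memory (constructed test data)."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_vba
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes standing in for a real compiled VBA project.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [
        ("invoice.docm", build_sample_docx(True)),
        ("invoice.docx", build_sample_docx(True)),   # VBA hidden behind a .docx name
        ("report.docx", build_sample_docx(False)),
        ("old.doc", OLE2_MAGIC + b"\x00" * 16),
    ]:
        print(triage_attachment(name, blob))
```

Run it against real attachments by reading the file bytes and passing them to triage_attachment; an OOXML verdict with has_vba set is the point at which a mail gateway should quarantine or detonate the file rather than deliver it.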
Indicators of Compromise
- [Domain] context – 2,000+ domains brought under law enforcement control; the domain names were not disclosed