Europol’s Server Shutdown: Tackling IcedID, TrickBot, More Malware

Published on June 3rd, 2024

Europol spearheaded a major operation, dubbed Operation Endgame, aimed at dismantling the infrastructure supporting various malware loader operations such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.

Disrupting Criminal Services

Europol’s statement highlights the concerted effort to disrupt criminal services by arresting High Value Targets (HVTs), dismantling criminal infrastructures, and freezing illegal proceeds.

These malware loaders facilitated attacks involving ransomware and other malicious software.

Global Impact: Servers Dismantled And Arrests Made

Between May 27 and May 29, the operation led to the dismantling of over 100 servers worldwide and the apprehension of four individuals.

One arrest took place in Armenia, while three others occurred in Ukraine. Searches were conducted across 16 locations in Armenia, the Netherlands, Portugal, and Ukraine.

The servers were found in various countries including Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, Ukraine, the United Kingdom, and the United States.

Law enforcement also confiscated more than 2,000 domains.

Alleged Financial Gain And Techniques Employed

One of the main suspects allegedly earned €69 million ($74.6 million) by renting out criminal infrastructure for ransomware deployment.

Investigators used ‘sinkholing’ (redirecting the traffic of infected machines away from the criminals’ servers to ones under investigators’ control) and other tools to gain access to the operators’ systems behind the malware, effectively blocking and dismantling the botnets.
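
To illustrate the sinkholing idea mentioned above, here is an added example (not code from the article or from Europol): a toy DNS resolver that answers queries for a blocklist of seized domains with a sinkhole address and records which clients asked for them, which is how a sinkhole both cuts infected hosts off from their controllers and reveals where those hosts are. The domain names, IP addresses and query log are constructed for the demonstration; real sinkholes sit in front of a production resolver and write their hit log to a SIEM or victim-notification pipeline.

```python
"""Toy DNS sinkhole: seized C2 domains resolve to a controlled address,
and every such lookup is logged so infected clients can be identified.
Added example for illustration; not part of the original article."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Address the sinkhole server listens on (assumption; documentation range).
SINKHOLE_IP = "192.0.2.10"


@dataclass
class SinkholeHit:
    timestamp: str
    client_ip: str
    domain: str


@dataclass
class SinkholeResolver:
    """Resolver that short-circuits blocklisted names to the sinkhole."""
    blocklist: Set[str]          # seized apex domains, e.g. "seized-c2.example"
    upstream: Dict[str, str]     # stand-in for a normal recursive resolver
    hits: List[SinkholeHit] = field(default_factory=list)

    def resolve(self, client_ip: str, name: str) -> Optional[str]:
        """Return the A record for `name`, diverting seized domains."""
        qname = name.rstrip(".").lower()          # normalise trailing dot / case
        if self._is_blocked(qname):
            self.hits.append(SinkholeHit(
                datetime.now(timezone.utc).isoformat(), client_ip, qname))
            return SINKHOLE_IP
        return self.upstream.get(qname)

    def _is_blocked(self, qname: str) -> bool:
        # Match the name itself and any subdomain of a seized apex,
        # so "update.seized-c2.example" is caught by "seized-c2.example".
        labels = qname.split(".")
        return any(".".join(labels[i:]) in self.blocklist
                   for i in range(len(labels)))

    def infected_hosts(self) -> Dict[str, Set[str]]:
        """Clients that tried to reach a seized domain, and which ones."""
        out: Dict[str, Set[str]] = {}
        for h in self.hits:
            out.setdefault(h.client_ip, set()).add(h.domain)
        return out


# Constructed sample of queries as (client IP, queried name).
SAMPLE_QUERIES = [
    ("10.0.0.5", "update.seized-c2.example."),
    ("10.0.0.5", "www.example.org"),
    ("10.0.0.9", "cdn.seized-c2.example"),
    ("10.0.0.9", "loader-panel.example"),
    ("10.0.0.22", "www.example.org"),
]


def build_demo_resolver() -> SinkholeResolver:
    """Replay the constructed query sample through a sinkhole resolver."""
    resolver = SinkholeResolver(
        blocklist={"seized-c2.example", "loader-panel.example"},
        upstream={"www.example.org": "203.0.113.7"},
    )
    for client, name in SAMPLE_QUERIES:
        resolver.resolve(client, name)
    return resolver


if __name__ == "__main__":
    r = build_demo_resolver()
    for host, domains in sorted(r.infected_hosts().items()):
        print(f"{host} contacted seized domains: {', '.join(sorted(domains))}")
```

Running it lists 10.0.0.5 and 10.0.0.9 as hosts that beaconed to seized domains, while 10.0.0.22 never appears because it only resolved a legitimate name. The subdomain matching in `_is_blocked` matters in practice: loaders commonly rotate hostnames under a handful of registered domains, so blocking only exact names would miss most of the traffic.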

Pursuit Of Additional Suspects

Authorities are actively seeking the arrest of seven individuals linked to a criminal organization focused on spreading the TrickBot malware.

An eighth individual is suspected of being a ringleader behind the SmokeLoader group.

Understanding Malware Loaders

Loaders, also known as droppers, are malicious software designed to gain initial access and deliver additional payloads onto compromised systems, including ransomware variants.

They typically spread through phishing campaigns, compromised websites, or by being bundled with popular software.

These droppers employ various tactics to evade detection, such as obfuscating their code, running in memory, or masquerading as legitimate software processes.

Europol’s Largest-Ever Operation Against Botnets

Europol characterized these takedowns as the largest-ever operation targeting botnets, involving cooperation among authorities from multiple countries including Armenia, Bulgaria, Denmark, France, Germany, Lithuania, the Netherlands, Portugal, Romania, Switzerland, Ukraine, the United Kingdom, and the United States.