Endgame Operation

Tomcat

Professional
Messages
2,656
Reputation
10
Reaction score
647
Points
113
During a large-scale operation of law enforcement agencies, codenamed Operation Endgame, more than 100 servers were confiscated that were used by large malware loaders, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader and SystemBC.

The operation, which lasted from May 27 to 29, 2024, consisted of 16 searches across Europe, and also led to the arrest of four people (one in Armenia and three in Ukraine). In addition, the police say that they have discovered eight fugitives from justice associated with the activity of the mentioned malware, who will now be added to the list of Europol's most wanted criminals.

The infrastructure seized by law enforcement officers was located in Europe and North America, and included more than 2,000 domains.

Police officers from Germany, the United States, the United Kingdom, France, Denmark and the Netherlands participated in Operation Endgame. In addition, operational information was provided to the authorities by experts from Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus and DIVD, who shared with law enforcement information about the botnet infrastructure and the internal workings of malware.

Recall that droppers are used to gain initial access to victims' devices and deliver additional payloads. Their operators usually use malicious emails or hide their malware in various installers, which they promote with malicious ads or distribute via torrents.

Many of the above-mentioned droppers started out as banking Trojans, but then evolved and began to focus on providing initial access, while simplifying their work and removing "extra" malicious functions to reduce the likelihood of detection.

Once a system is infected, droppers inject more dangerous and useful payloads, including infostealers and ransomware, into it.

According to Europol, one of the main suspects involved in managing one of the malware families earned more than $74.5 million in cryptocurrency by providing its infrastructure for the deployment of ransomware. Law enforcement officers note that "the suspect's transactions are being monitored, and legal permission has already been obtained to seize these assets."

• Source: https://www.europol.europa.eu/media...gainst-botnets-hits-dropper-malware-ecosystem
 

Tomcat

Endgame: the hunt for the leader of the Emotet botnet turned into a detective series

Law enforcement officers decided to approach the investigation creatively.

An international law enforcement alliance launched a large-scale operation codenamed Endgame to catch the leader of one of the largest botnets, Emotet.

A video has appeared online in which investigators call for any information about the identity of the hacker known by the nickname "Odd". This figure has used many aliases over the years.

The video briefly describes the history of Emotet, a network of infected computers that was twice targeted by law enforcement officers.

The call for assistance comes after a series of successful operations this week in which members of hacker groups involved in distributing malware were arrested. Law enforcement officers described these achievements in previous videos.

From indirect information, it follows that the investigation already has some leads on Odd. The authorities point to the existence of data on his possible accomplices and suggest that he may be involved in other illegal operations in addition to Emotet. However, the details were not disclosed.

Despite the fact that the Emotet botnet has been operating for about ten years, almost nothing is reliably known about the real people behind it. ESET links it to the hacker group Mealybug or TA542, depending on the source. But the CISA report does not mention these groups.

The scale of the threat that Emotet has posed to cyberspace for years is much better documented. Starting as a regular banking Trojan, it has grown to become one of the largest botnets on the Internet, serving as a platform for spreading other malware, downloaders, and ransomware.

After the first attempt to disable Emotet in January 2021, German authorities used the botnet's infrastructure to distribute an antivirus program that removed malware from infected machines. This controversial move contradicted the policies of other countries, such as the UK.

In November of the same year, Emotet resumed its activity after a 10-month break, but with the help of the TrickBot botnet infrastructure, the reverse of the earlier situation, when TrickBot was distributed through Emotet. However, Emotet has not been able to regain its previous scale, and all of its command servers are currently offline.

It is not yet clear how much law enforcement officers are aware of Odd's current activities. But it is known that recently such operations often use tactics of psychological pressure on cybercriminals.

At first, this affected the LockBit group: its alleged leader was taunted for a long time with mocking posts. Now it is Operation Endgame's turn; its announcements are divided into separate episodes, like a TV series. Law enforcement officers are using the hackers' own methods against them, such as countdowns.

According to a timer on the Endgame website, the next video with new details of the operation is expected on June 5.
 

Tomcat

The salary of one of the TrickBot developers has become known

After the publication of information about alleged TrickBot members identified during Operation Endgame, cybercrime researchers drew attention to one of the defendants: a Russian named Oleg Kucherov, hiding under the nickname Gabr. According to the researcher Anastasia Sentsova, his story is atypical for a Russian hacker.

"Kucherov, now 51, joined TrickBot in September 2021 as a programmer. He quickly joined the team, devoting himself to improving the malware that was used in numerous ransomware attacks around the world. His skills, developed over the years in the IT sector, made him a valuable asset for TrickBot. The activities of his previous company covered a wide range of areas, but special attention was paid to exploits and encryption," Sentsova wrote.

She noted that an analysis of some of Kucherov's cryptocurrency accounts suggests that his salary in the first year of cooperation with TrickBot was about $2,500 per month. Even this kind of money provided him with a fairly comfortable lifestyle: in particular, Kucherov built a good private house and also opened a business specializing in the production of meat products.

"Kucherov travels frequently, including several trips to Italy and the UAE in the period from 2021 to April 2024. There, he spent vacations and attended IT conferences, including Asia's largest conference on international security. He actively shared information about these trips on social networks, which is surprising given his involvement in cybercrime," said Sentsova.

The author also emphasized that Kucherov's digital footprints indicate his support for the actions of the Russian government and the Russian army in the military conflict on the territory of Ukraine. On this basis, Sentsova also placed the developer in the category of arrogant hackers, whose behavior does not fit the standard ideas about their personality type.

• Source: https://x.com/intel_anastasia/status/1797607936572727353

• Source: https://www.bka.de/DE/IhreSicherhei.../BekanntePersonen/Endgame/KO/Fahndung_KO.html
 

Tomcat

😎 The salary of one developer TrickB0t has become known
Oleg Kucherov, who goes by the nickname Gabr, became a defendant in the investigation after the Endg@me operation, during which alleged members of TrickB0t were discovered. Kucherov joined TrickB0t in September 2021 as a programmer and has been actively improving malware used in numerous ransomware attacks around the world. His salary in the first year of cooperation with TrickB0t was about $2,500 per month.
 