Europol has detained several individuals believed to be involved in a botnet operation as part of a follow-up to a major takedown last year, stemming from the larger “Operation Endgame” that dismantled major malware droppers.
Following the Operation Endgame investigation, major malware droppers including IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee were shut down last year. According to Europol, analysis of the contents of a seized database enabled it to identify customers of the SmokeLoader pay-per-install botnet, operated by an individual known as ‘Superstar’. The law enforcement agency has now made arrests, carried out house searches, and conducted arrest warrants or ‘knock and talks’.
“Superstar used his botnet to run a pay-per-install service, enabling customers to gain access to victims’ machines. Customers used the service to deploy malware for their own criminal activities,” Europol said. Investigations revealed that botnet access was purchased for a range of purposes, including keylogging, webcam access, ransomware deployment, cryptomining, and more. Law enforcement tracked down the customers as they were registered in a database seized during Operation Endgame.
The malware had infected millions of computers around the world, according to the FBI. SystemBC facilitated anonymous communication between an infected system and command-and-control servers. SmokeLoader was mainly used as a downloader to install additional malicious software onto the systems it infected. Similarly, IcedID – also known as BokBot – had been further developed to carry out a range of crimes as well as the theft of financial data.
As part of last year’s operation – the largest ever against a botnet – more than 100 servers were shut down or disrupted and over 2,000 internet domains tied to the hacking activities were seized. But while last May’s activities were focused on the high-level players who were using ransomware, for example, this latest set of raids is designed to mop up the customers of Cybercrime as a Service providers.
Law enforcement agencies in several countries were able to link online personas and their usernames to actual individuals. “When called in for questioning, several suspects chose to cooperate with the authorities by facilitating the examination of digital evidence stored on their personal devices,” Europol said. “Several suspects resold the services purchased from SmokeLoader at a markup, thus adding an additional layer of interest to the investigation.”
Europol said it’s not quite finished yet, either. The law enforcement agency is still investigating possible leads, revealing it has more suspects in the crosshairs.
