Summary: In May of last year, global law enforcement carried out Operation Endgame, a historic, multinational operation that targeted several malware-as-a-service (MaaS) platforms, including IcedID, Smokeloader, Pikabot, and Bumblebee. The operation, carried out by the FBI, Europol, and Eurojust, took down over 100 servers and led to the arrest of several key operators.
In a follow-up operation, Europol has reportedly detained several customers of the Smokeloader botnet. By working with impacted victims, law enforcement was able to track down a Smokeloader user who goes by “Superstar”. Through this arrest, search, and interrogation, authorities were able to seize several more Smokeloader servers and arrest additional customers.
Security Officer Comments: Smokeloader is a modular malware loader that is often used to deploy ransomware, information stealers, cryptominers, and other malicious payloads. It is typically installed initially through malicious phishing emails, but operators may also target RDP/VPN access and known vulnerabilities like ProxyShell and Log4j. Smokeloader features several functions to evade detection, including hijacking Windows APIs, detecting virtual machines, killing AV processes, and rapidly changing IP addresses to evade takedowns.
In a recent campaign last December, the malware heavily targeted Taiwan, specifically healthcare, IT, and manufacturing sectors via phishing. While this recent campaign targeted Taiwan, attacks using Smokeloader spread globally impacting various sectors and industries.
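Two of the evasion behaviours named in the comments above, killing AV processes and rapidly rotating infrastructure IPs, are visible in ordinary endpoint and DNS telemetry. The script below is an added example written for this digest, not code from Europol or from any Smokeloader analysis: it runs two simple heuristics over constructed, Sysmon-style process-termination events and DNS resolution records. The AV process watchlist, the trusted source paths, the one-hour window, and the threshold of three distinct IPs are all assumptions to tune for your own fleet.

```python
"""Heuristic detections for two loader behaviours: termination of security
processes by untrusted binaries, and domains whose resolved IPs rotate quickly.
All events and records below are constructed samples, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed watchlist of AV/EDR engine process names (lower-case basenames).
# Extend it with whatever endpoint security products your fleet actually runs.
AV_PROCESS_WATCHLIST = {"msmpeng.exe", "ekrn.exe", "avp.exe"}

# Assumed locations from which terminating security tooling is expected
# (vendor installers, service control). Anything else is treated as suspicious.
TRUSTED_SOURCE_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

# Constructed process-termination events (fields modelled on Sysmon).
PROCESS_EVENTS = [
    {"ts": "2025-04-10T09:00:01", "action": "terminate",
     "source_image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "target_image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"ts": "2025-04-10T09:00:02", "action": "terminate",
     "source_image": "C:\\Windows\\System32\\taskmgr.exe",
     "target_image": "C:\\Windows\\System32\\notepad.exe"},
    {"ts": "2025-04-10T09:00:03", "action": "terminate",
     "source_image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "target_image": "C:\\Program Files\\ESET\\ekrn.exe"},
    {"ts": "2025-04-10T09:05:00", "action": "terminate",
     "source_image": "C:\\Program Files\\ESET\\uninstall.exe",
     "target_image": "C:\\Program Files\\ESET\\ekrn.exe"},
]

# Constructed DNS resolution records; TEST-NET addresses and the reserved
# .example TLD so nothing here points at real infrastructure.
DNS_RECORDS = [
    {"ts": "2025-04-10T09:00:00", "domain": "loader-c2.example", "ip": "203.0.113.10"},
    {"ts": "2025-04-10T09:10:00", "domain": "loader-c2.example", "ip": "203.0.113.11"},
    {"ts": "2025-04-10T09:20:00", "domain": "loader-c2.example", "ip": "198.51.100.5"},
    {"ts": "2025-04-10T09:00:00", "domain": "cdn.example", "ip": "198.51.100.20"},
    {"ts": "2025-04-10T09:30:00", "domain": "cdn.example", "ip": "198.51.100.20"},
    {"ts": "2025-04-10T08:00:00", "domain": "slow.example", "ip": "203.0.113.50"},
    {"ts": "2025-04-10T11:00:00", "domain": "slow.example", "ip": "203.0.113.51"},
]


def detect_av_kills(events):
    """Return termination events where a process outside the trusted locations
    killed a watchlisted security process."""
    hits = []
    for ev in events:
        if ev["action"] != "terminate":
            continue
        target = PureWindowsPath(ev["target_image"]).name.lower()
        source = ev["source_image"].lower()
        if target in AV_PROCESS_WATCHLIST and not source.startswith(TRUSTED_SOURCE_PREFIXES):
            hits.append(ev)
    return hits


def detect_ip_rotation(records, window=timedelta(hours=1), threshold=3):
    """Flag domains that resolved to at least `threshold` distinct IPs inside
    any sliding window of length `window`.
    Returns {domain: max distinct IPs observed within one window}."""
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[rec["domain"]].append((datetime.fromisoformat(rec["ts"]), rec["ip"]))
    flagged = {}
    for domain, obs in by_domain.items():
        obs.sort()
        best = 0
        for i, (t_end, _) in enumerate(obs):
            # Distinct IPs seen in the window ending at this observation.
            ips = {ip for t, ip in obs[: i + 1] if t_end - t <= window}
            best = max(best, len(ips))
        if best >= threshold:
            flagged[domain] = best
    return flagged


if __name__ == "__main__":
    for ev in detect_av_kills(PROCESS_EVENTS):
        print(f"[AV kill] {ev['ts']} {ev['source_image']} -> {ev['target_image']}")
    for domain, n in detect_ip_rotation(DNS_RECORDS).items():
        print(f"[IP rotation] {domain}: {n} distinct IPs within one hour")
```

On the sample data the first heuristic flags the two terminations launched from the user's Temp directory and ignores the vendor uninstaller, and the second flags only `loader-c2.example`; `slow.example` changes address but never exceeds the window, which is the usual way to keep legitimate CDN rotation out of the alert queue.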
Suggested Corrections: Europol has launched a dedicated website to share updates on the investigation and encourages anyone with information to contact them. Operation Endgame, which initially targeted major malware loader operations, has also led to sanctions against individuals involved in cyberattacks and cryptocurrency exchanges used for money laundering.
Link(s): https://www.europol.europa.eu/media...ions-and-interrogations-well-server-takedowns