101010.pl

Threat InsightToday we celebrate a major cybersecurity victory. 👏 Operation Endgame, a global law enforcement effort supported by insights from experts at Proofpoint and other industry vendors, resulted in: • The disruption of major botnets • Four arrests • Over 100 servers taken down across 10 countries • Over 2,000 domains brought under the control of law enforcement • Illegal assets frozen Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever possible and appropriate to do so, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware threats. For <a href="https://infosec.exchange/tags/OperationEndgame" class="mention hashtag" rel="nofollow noopener" target="_blank">#OperationEndgame</a>, Proofpoint threat researchers lent their expertise in reverse engineering malware, botnet infrastructure, and identifying patterns in how the threat actors set up their servers to help authorities understand the malware and safely remediate the bot clients.Proofpoint’s unmatched threat telemetry and researcher knowledge played a crucial role in the operation, providing key insights in identifying the new botnets that are most likely to grow and become the dominant threats affecting the most number of people around the world. More information on the takedown and Proofpoint’s involvement can be found in our blog: <a href="https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown" rel="nofollow noopener" translate="no" target="_blank">https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown</a>.<a href="https://infosec.exchange/tags/IcedID" class="mention hashtag" rel="nofollow noopener" target="_blank">#IcedID</a> <a href="https://infosec.exchange/tags/SystemBC" class="mention hashtag" rel="nofollow noopener" target="_blank">#SystemBC</a> <a href="https://infosec.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a> <a href="https://infosec.exchange/tags/SmokeLoader" class="mention hashtag" rel="nofollow noopener" target="_blank">#SmokeLoader</a> <a href="https://infosec.exchange/tags/Bumblebee" class="mention hashtag" rel="nofollow noopener" target="_blank">#Bumblebee</a> <a href="https://infosec.exchange/tags/Trickbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Trickbot</a> <a href="https://infosec.exchange/tags/Europol" class="mention hashtag" rel="nofollow noopener" target="_blank">#Europol</a>

🛡 H3lium@infosec.exchange/:~# :blinking_cursor:Operation Endgame - Largest Ever Operation Against Botnets Hits Dropper Malware EcosystemDate: May 30, 2024 CVE: Not specified Vulnerability Type: Malware CWE: [[CWE-94]], [[CWE-502]] Sources: <a href="https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem" rel="nofollow noopener" target="_blank">Europol News</a>, <a href="https://www.eurojust.europa.eu/news/eurojust-supports-international-operation-against-worlds-largest-ransomware-group" rel="nofollow noopener" target="_blank">Eurojust News</a>Issue SummaryEuropol, in coordination with law enforcement agencies from multiple countries, conducted the largest ever operation targeting botnets. This operation, dubbed "Operation Endgame," took place from May 27 to 29, 2024, and led to the disruption of major malware droppers including IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee. The effort resulted in four arrests and the takedown of over 100 servers worldwide. These droppers were used to facilitate ransomware and other cyber-attacks by installing additional malware onto target systems. The operation was supported by Eurojust and involved contributions from countries including France, Germany, the Netherlands, Denmark, the UK, the US, and others. Private partners also played a role in the operation, which aimed to dismantle the infrastructure supporting these malicious activities. The success of this operation marks a significant step in combating cybercrime on a global scale.Operation Endgame, coordinated by Europol, dismantled several major botnets including IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee. This international effort involved law enforcement agencies from multiple countries and led to the arrest of four individuals and the takedown of over 100 servers. The botnets targeted facilitated ransomware and other cyber-attacks.Technical Key FindingsThe malware droppers involved are designed to infiltrate systems and install additional malware, often avoiding detection through sophisticated evasion techniques. These droppers were used to deploy ransomware and other malicious payloads by bypassing security measures and enabling further system compromises.Vulnerable ProductsThe operation did not specify particular products but targeted the infrastructures supporting droppers like IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee.Impact AssessmentIf abused, these vulnerabilities could lead to widespread ransomware attacks, financial losses, and significant disruption of services. The infrastructure taken down had facilitated numerous cyber-attacks globally, highlighting the severe impact on cybersecurity.Patches or WorkaroundThe report did not mention specific patches or workarounds. However, continuous monitoring and updating of security measures are recommended to protect against such threats.Tags<a href="https://infosec.exchange/tags/Botnets" class="mention hashtag" rel="nofollow noopener" target="_blank">#Botnets</a> <a href="https://infosec.exchange/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Malware</a> <a href="https://infosec.exchange/tags/Ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Ransomware</a> <a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybersecurity</a> <a href="https://infosec.exchange/tags/Europol" class="mention hashtag" rel="nofollow noopener" target="_blank">#Europol</a> <a href="https://infosec.exchange/tags/OperationEndgame" class="mention hashtag" rel="nofollow noopener" target="_blank">#OperationEndgame</a> <a href="https://infosec.exchange/tags/Cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybercrime</a> <a href="https://infosec.exchange/tags/IcedID" class="mention hashtag" rel="nofollow noopener" target="_blank">#IcedID</a> <a href="https://infosec.exchange/tags/SystemBC" class="mention hashtag" rel="nofollow noopener" target="_blank">#SystemBC</a> <a href="https://infosec.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a> <a href="https://infosec.exchange/tags/Smokeloader" class="mention hashtag" rel="nofollow noopener" target="_blank">#Smokeloader</a> <a href="https://infosec.exchange/tags/Bumblebee" class="mention hashtag" rel="nofollow noopener" target="_blank">#Bumblebee</a>

abuse.ch :verified:We are proud to announce that we assisted the joint international law enforcement operation <a href="https://ioc.exchange/tags/OperationEndgame" class="mention hashtag" rel="nofollow noopener" target="_blank">#OperationEndgame</a>, targeting the notorious botnets <a href="https://ioc.exchange/tags/IcedID" class="mention hashtag" rel="nofollow noopener" target="_blank">#IcedID</a>, <a href="https://ioc.exchange/tags/Smokeloader" class="mention hashtag" rel="nofollow noopener" target="_blank">#Smokeloader</a>, <a href="https://ioc.exchange/tags/SystemBC" class="mention hashtag" rel="nofollow noopener" target="_blank">#SystemBC</a> and <a href="https://ioc.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a> 🔥abuse.ch has provided key infrastructure to LEA and internal partners to disrupt these botnet operations 🛑More information on the operation is available here: 👉 <a href="https://operation-endgame.com/" rel="nofollow noopener" translate="no" target="_blank">https://operation-endgame.com/</a>

The Spamhaus Project🚨<a href="https://infosec.exchange/tags/IcedID" class="mention hashtag" rel="nofollow noopener" target="_blank">#IcedID</a>, <a href="https://infosec.exchange/tags/Smokeloader" class="mention hashtag" rel="nofollow noopener" target="_blank">#Smokeloader</a>, <a href="https://infosec.exchange/tags/SystemBC" class="mention hashtag" rel="nofollow noopener" target="_blank">#SystemBC</a>, <a href="https://infosec.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a> and <a href="https://infosec.exchange/tags/Bumblebee" class="mention hashtag" rel="nofollow noopener" target="_blank">#Bumblebee</a> botnets have been disrupted by Operation Endgame!! This is the largest operation EVER against botnets involved with ransomware, with gargantuan thanks to a coordinated effort led by international agencies 👏👏As with the <a href="https://infosec.exchange/tags/Qakbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qakbot</a> and <a href="https://infosec.exchange/tags/Emotet" class="mention hashtag" rel="nofollow noopener" target="_blank">#Emotet</a> takedowns, Spamhaus are again providing remediation support - those affected will be contacted from today with steps to take.👉 For more information, read our write-up here: <a href="https://www.spamhaus.org/resource-hub/malware/operation-endgame-botnets-disrupted-after-international-action/" rel="nofollow noopener" translate="no" target="_blank">https://www.spamhaus.org/resource-hub/malware/operation-endgame-botnets-disrupted-after-international-action/</a><a href="https://infosec.exchange/tags/OperationENDGAME" class="mention hashtag" rel="nofollow noopener" target="_blank">#OperationENDGAME</a>

Tony LambertNew blog post! In this one I look at a Java-based dropper for Pikabot that TA577 used in mid-February 2024. <a href="https://forensicitguy.github.io/dissecting-java-pikabot-dropper/" rel="nofollow noopener" translate="no" target="_blank">https://forensicitguy.github.io/dissecting-java-pikabot-dropper/</a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#malware</a> <a href="https://infosec.exchange/tags/pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#pikabot</a> <a href="https://infosec.exchange/tags/ta577" class="mention hashtag" rel="nofollow noopener" target="_blank">#ta577</a>

Colin CowieMalicious slack ad leading to <a href="https://infosec.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a> malware ⚠️ Pikabot is closely associated with ransomware intrusions. Redirection Infrastructure: slalk.onelink[.]me anewreseller.top Fake Site: siack.ovmv[.]net.msi payload hosted on dropbox: <a href="https://www.virustotal.com/gui/file/f1bc547091f9a2447fd16c804aa568707ca323e3d20c90e5568b303480ae7a03" rel="nofollow noopener" translate="no" target="_blank">https://www.virustotal.com/gui/file/f1bc547091f9a2447fd16c804aa568707ca323e3d20c90e5568b303480ae7a03</a><a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener" target="_blank">#IOCs</a> <a href="https://infosec.exchange/tags/malvertising" class="mention hashtag" rel="nofollow noopener" target="_blank">#malvertising</a>

FreemindQakBot, also known as QBot and Pinkslipbot, was dismantled in August as part of a coordinated law enforcement effort called Operation Duck Hunt.<a href="https://mastodon.online/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybersecurity</a> <a href="https://mastodon.online/tags/DarkGate" class="mention hashtag" rel="nofollow noopener" target="_blank">#DarkGate</a> <a href="https://mastodon.online/tags/QakBot" class="mention hashtag" rel="nofollow noopener" target="_blank">#QakBot</a> <a href="https://mastodon.online/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#Malware</a> <a href="https://mastodon.online/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#Phishing</a> <a href="https://mastodon.online/tags/PikaBot" class="mention hashtag" rel="nofollow noopener" target="_blank">#PikaBot</a> <a href="https://cybersec84.wordpress.com/2023/11/21/qakbot-reborn-darkgate-and-pikabot-malware-leverage-old-tactics-in-new-phishing-attacks/" rel="nofollow noopener" translate="no" target="_blank">https://cybersec84.wordpress.com/2023/11/21/qakbot-reborn-darkgate-and-pikabot-malware-leverage-old-tactics-in-new-phishing-attacks/</a>

BradThis article from <a href="https://mstdn.social/@TalosSecurity" class="u-url mention" rel="nofollow noopener" target="_blank">@TalosSecurity</a> is wrong: <a href="https://infosec.exchange/@TalosSecurity@mstdn.social/111182485199499672" rel="nofollow noopener" translate="no" target="_blank">https://infosec.exchange/@TalosSecurity@mstdn.social/111182485199499672</a>The activity reported in this Talos article is not associated with <a href="https://infosec.exchange/tags/Qakbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qakbot</a>.Why do I say this?This Talos article is "...connecting the metadata in the LNK files used in the new campaign to the machines used in previous Qakbot campaigns." Talos identifies these campaigns as "AA" and "BB." But the other data Talos presents isn't associated with infrastructure for the "AA" and "BB" campaigns that have pushed Qakbot before.That "AA" and "BB" infrastructure has been active since last month, pushing <a href="https://infosec.exchange/tags/DarkGate" class="mention hashtag" rel="nofollow noopener" target="_blank">#DarkGate</a>, <a href="https://infosec.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a>, and <a href="https://infosec.exchange/tags/IcedID" class="mention hashtag" rel="nofollow noopener" target="_blank">#IcedID</a>. This distribution network is run by a threat actor Proofpoint identifies as <a href="https://infosec.exchange/tags/TA577" class="mention hashtag" rel="nofollow noopener" target="_blank">#TA577</a>. TA577 was one of the distributors of Qakbot before Qakbot got taken down.I would never have called TA577 the threat actor behind Qakbot, but Talos does in the article. It is merely a threat actor that distributed Qakbot.From what I can tell, this Knight ransomeware activity is not connected with the AA/BB/TA577 distributor who has previously spread Qakbot and other malware.

Brad2023-05-22 (Mon) & 2023-05-23 (Tue): TA577 pushes <a href="https://infosec.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a>2023-05-24 (Wed): TA577 back to pushing <a href="https://infosec.exchange/tags/Qabkot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qabkot</a> (<a href="https://infosec.exchange/tags/Qbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qbot</a>)Pikabot:- <a href="https://malware-traffic-analysis.net/2023/05/22/index.html" rel="nofollow noopener" target="_blank">https://malware-traffic-analysis.net/2023/05/22/index.html</a>- <a href="https://malware-traffic-analysis.net/2023/05/23/index.html" rel="nofollow noopener" target="_blank">https://malware-traffic-analysis.net/2023/05/23/index.html</a>Qakbot (TA570 obama264): - <a href="https://malware-traffic-analysis.net/2023/05/24/index.html" rel="nofollow noopener" target="_blank">https://malware-traffic-analysis.net/2023/05/24/index.html</a>I was lucky enough to get <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> with the two Pikabot infections, so I wrote tweets for my employer on the bird site.See the above links for <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> files, malware samples, IOCs, and links to my employer's tweets for the Pikabot activity.

abuse.ch :verified:We are seeing an increase in <a href="https://ioc.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a> activity, spreading through spam email campaigns that traditionally where pushing <a href="https://ioc.exchange/tags/Qakbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qakbot</a> malware🔥In response to this emerging threat, we have started to include active Pikabot botnet C2s in Feodo Tracker, pushing automated protection out for millions of internet users 🛡️👉 <a href="https://feodotracker.abuse.ch/browse/" rel="nofollow noopener" target="_blank">https://feodotracker.abuse.ch/browse/</a>In order to block active Pikabot botnet C2s, just implement Feodo Tracker's recommend IP blocklist on your security perimeter:🛑 <a href="https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt" rel="nofollow noopener" target="_blank">https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt</a>

BradTweet I wrote for my employer at the bird site: <a href="https://twitter.com/Unit42_Intel/status/1659199751265595392" rel="nofollow noopener" target="_blank">https://twitter.com/Unit42_Intel/status/1659199751265595392</a>2023-05-17 (Wednesday): Today, this week's BB28 <a href="https://infosec.exchange/tags/Qakbot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Qakbot</a>-style distribution chain pushed <a href="https://infosec.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a> instead of Qakbot. Followed up with <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a> using <a href="https://infosec.exchange/tags/DNSTunneling" class="mention hashtag" rel="nofollow noopener" target="_blank">#DNSTunneling</a>. We later saw additional Cobalt Strike traffic over HTTPS. List of IOCs available at <a href="https://github.com/pan-unit42/tweets/blob/master/2023-05-17-IOCs-for-Pikabot-with-Cobalt-Strike.txt" rel="nofollow noopener" target="_blank">https://github.com/pan-unit42/tweets/blob/master/2023-05-17-IOCs-for-Pikabot-with-Cobalt-Strike.txt</a>A carved <a href="https://infosec.exchange/tags/pcap" class="mention hashtag" rel="nofollow noopener" target="_blank">#pcap</a> of the infection traffic (removed everything not related to the <a href="https://infosec.exchange/tags/Pikabot" class="mention hashtag" rel="nofollow noopener" target="_blank">#Pikabot</a> & <a href="https://infosec.exchange/tags/CobaltStrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#CobaltStrike</a>) and the associated malware/registry updates available at <a href="https://malware-traffic-analysis.net/2023/05/17/index.html" rel="nofollow noopener" target="_blank">https://malware-traffic-analysis.net/2023/05/17/index.html</a>

Recent searches

Search options

Administered by:

Server stats:

#pikabot