#IcedID

Phillemon CEH | CTH (wardenshield)
2025-06-02

🕷️ Latrodectus: The “Black Widow” Malware of 2025

A new threat has emerged — Latrodectus, a stealthy malware loader evolving from IcedID’s shadow.

Read the full article:
👉 wardenshield.com/latrodectus-m

2024-05-31

Europol has wiped out all the ransomware botnets. Operation Endgame, the largest operation in history against botnets. Operation Endgame is an international law enforcement operation aimed at combating botnets and those who use them.
Between 27 and 29 May 2024 an international crime-fighting operation was carried out...

#botnet #Bumblebee #Europol #hackers #IcedID #OperationEndgame #Pikabot #Ransomware #SmokeLoader #SystemBC

scienzamagia.eu/misteri-ufo/de

"#Europol shuts down more than 100 servers linked to #IcedID, #TrickBot and other malware": The Hacker News

"Europol announced on Thursday that, as part of a coordinated law enforcement effort code-named #Operation #Endgame, it had taken down infrastructure linked to several malware loader operations including IcedID, #SystemBC, #PikaBot, #SmokeLoader, #Bumblebee and TrickBot.
The action took place between May 27 and May 29 and, following searches at 16 locations in #Armenia, #Netherlands, #Portugal and #Ukraine, more than 100 servers worldwide were dismantled and four people were #arrested: one in Armenia and three in Ukraine."

Even in war-torn Ukraine, there are people up to shady business.

thehackernews.com/2024/05/euro

#prattohome #TheHackerNews

2024-05-30

Today we celebrate a major cybersecurity victory. 👏 Operation Endgame, a global law enforcement effort supported by insights from experts at Proofpoint and other industry vendors, resulted in:

• The disruption of major botnets
• Four arrests
• Over 100 servers taken down across 10 countries
• Over 2,000 domains brought under the control of law enforcement
• Illegal assets frozen

Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever possible and appropriate to do so, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware threats.

For #OperationEndgame, Proofpoint threat researchers lent their expertise in reverse engineering malware, botnet infrastructure, and identifying patterns in how the threat actors set up their servers to help authorities understand the malware and safely remediate the bot clients.

Proofpoint’s unmatched threat telemetry and researcher knowledge played a crucial role in the operation, providing key insights in identifying the new botnets that are most likely to grow and become the dominant threats affecting the most number of people around the world.

More information on the takedown and Proofpoint’s involvement can be found in our blog: proofpoint.com/us/blog/threat-.

#IcedID #SystemBC #Pikabot #SmokeLoader #Bumblebee #Trickbot #Europol

2024-05-30

‘Operation Endgame’ Hits Malware Delivery Platforms - Law enforcement agencies in the United States and Europe today announced Operation... krebsonsecurity.com/2024/05/op #neer-do-wellnews #operationendgame #thecomingstorm #mattburgess #smokeloader #ransomware #trickbot #europol #lockbit #icedid #911s5

2024-05-30

We are proud to announce that Sekoia #TDR team contributed to the joint international law enforcement operation #OperationEndgame, targeting the notorious botnets #IcedID, #Smokeloader, #SystemBC and #Pikabot

operation-endgame.com/

🛡 H3lium@infosec.exchange/:~# (H3liumb0y@infosec.exchange)
2024-05-30

Operation Endgame - Largest Ever Operation Against Botnets Hits Dropper Malware Ecosystem

Date: May 30, 2024
CVE: Not specified
Vulnerability Type: Malware
CWE: [[CWE-94]], [[CWE-502]]
Sources: Europol News, Eurojust News

Issue Summary

Europol, in coordination with law enforcement agencies from multiple countries, conducted the largest ever operation targeting botnets. This operation, dubbed "Operation Endgame," took place from May 27 to 29, 2024, and led to the disruption of major malware droppers including IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee. The effort resulted in four arrests and the takedown of over 100 servers worldwide. These droppers were used to facilitate ransomware and other cyber-attacks by installing additional malware onto target systems. The operation was supported by Eurojust and involved contributions from countries including France, Germany, the Netherlands, Denmark, the UK, the US, and others. Private partners also played a role in the operation, which aimed to dismantle the infrastructure supporting these malicious activities. The success of this operation marks a significant step in combating cybercrime on a global scale.

Operation Endgame, coordinated by Europol, dismantled several major botnets including IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee. This international effort involved law enforcement agencies from multiple countries and led to the arrest of four individuals and the takedown of over 100 servers. The botnets targeted facilitated ransomware and other cyber-attacks.

Technical Key Findings

The malware droppers involved are designed to infiltrate systems and install additional malware, often avoiding detection through sophisticated evasion techniques. These droppers were used to deploy ransomware and other malicious payloads by bypassing security measures and enabling further system compromises.

Vulnerable Products

The operation did not specify particular products but targeted the infrastructures supporting droppers like IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee.

Impact Assessment

If abused, these vulnerabilities could lead to widespread ransomware attacks, financial losses, and significant disruption of services. The infrastructure taken down had facilitated numerous cyber-attacks globally, highlighting the severe impact on cybersecurity.

Patches or Workaround

The report did not mention specific patches or workarounds. However, continuous monitoring and updating of security measures are recommended to protect against such threats.

Tags

#Botnets #Malware #Ransomware #Cybersecurity #Europol #OperationEndgame #Cybercrime #IcedID #SystemBC #Pikabot #Smokeloader #Bumblebee

abuse.ch (abuse_ch@ioc.exchange)
2024-05-30

We are proud to announce that we assisted the joint international law enforcement operation #OperationEndgame, targeting the notorious botnets #IcedID, #Smokeloader, #SystemBC and #Pikabot 🔥

abuse.ch has provided key infrastructure to LEA and internal partners to disrupt these botnet operations 🛑

More information on the operation is available here:
👉 operation-endgame.com/

The Spamhaus Project (spamhaus@infosec.exchange)
2024-05-30

🚨#IcedID, #Smokeloader, #SystemBC, #Pikabot and #Bumblebee botnets have been disrupted by Operation Endgame!! This is the largest operation EVER against botnets involved with ransomware, with gargantuan thanks to a coordinated effort led by international agencies 👏👏

As with the #Qakbot and #Emotet takedowns, Spamhaus are again providing remediation support - those affected will be contacted from today with steps to take.

👉 For more information, read our write-up here: spamhaus.org/resource-hub/malw

#OperationENDGAME

2024-04-04

A new malware named Latrodectus has been identified by Proofpoint threat researchers. 🕷️

While Latrodectus is similar in infrastructure to #IcedID, it has new, unique patterns in campaign IDs designating threat actor use in previous IcedID campaigns.

Read the full blog written in partnership with @teamcymru_S2: proofpoint.com/us/blog/threat-.

2024-04-04

Proofpoint and Team Cymru collaborated on a report on Latrodectus malware. Latrodectus is an up-and-coming downloader with various sandbox evasion functionality. It first appeared in email threat campaigns in late November 2023. Latrodectus shares infrastructure overlap with historic IcedID operations. It is being distributed by financially motivated TA577, as well as TA578. Proofpoint provides malware analysis, C2 infrastructure, links to IcedID, and list of IOC. 🔗 proofpoint.com/us/blog/threat-

#Latrodectus #threatintel #IcedID #IOC #TA577 #TA578 #cybercrime

2024-04-01

The DFIR Report provides a case study of a ransomware incident in February to late March 2023 where the initial access was Microsoft OneNote files to deliver IcedID malware. Cobalt Strike and AnyDesk were used to target a file server and a backup server. After exfiltrating data with FileZilla, Nokoyawa ransomware was executed. The DFIR Report provides everything from attack chain, to IOC, to MITRE ATT&CK and also Diamond Model. 🔗 thedfirreport.com/2024/04/01/f

#threatintel #IOC #Nokoyawa #ransomware #cybercrime #CobaltStrike #FileZilla #IcedID #Anydesk

𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲 (netresec@infosec.exchange)
2023-11-15

Kai Lu shared the following reverse engineered code of #IcedID's C2 communication loop on Fortinet’s blog back in 2019. The WaitForSingleObject(handle, 0x493E0u) call in the while(true) loop waits for 0x493e0 milliseconds (5 minutes) every time before it connects to the C2 server.

WaitForSingleObject(handle, 0x493E0u)
𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲 (netresec@infosec.exchange)
2023-11-15

Here’s what CapLoader’s Alerts tab looks like after loading 2023-10-16-IcedID-infection.pcap from @malware_traffic. The malicious protocol alerts for GzipLoader, #BackConnect and #IcedID over TLS are obvious indicators of IcedID. But what about the periodic connections made every 5 minutes?
netresec.com/?b=23B6bcd

Alert_ID	Description	Info	Severity	Severity_Label	Hostname	Server_IP	Server_Port	Trusted	Start	Flows	Client_IP	Transport	ASN	AS_Org
0	Malicious protocol	HTTP, GzipLoader	4	High	aptekoagraliy.com	104.21.7.13	80		2023-10-16 18:31:03	1	10.14.45.103	TCP	13335	CLOUDFLARENET
1	Malicious protocol	BackConnect XOR	4	High		159.89.124.188	443		2023-10-16 18:32:07	1	10.14.45.103	TCP	14061	DIGITALOCEAN-ASN
2	Malicious protocol	TLS, IcedID	4	High	seedkraproboy.com	104.223.118.109	443		2023-10-16 18:58:24	7	10.14.45.103	TCP	8100	ASN-QUADRANET-GLOBAL
3	Port-protocol mismatch	BackConnect XOR on TCP 443	2	Low		159.89.124.188	443		2023-10-16 18:32:07	1	10.14.45.103	TCP	14061	DIGITALOCEAN-ASN
4	Periodic connections to public IP	Every 00:05:01	2	Low	lazirusairnaf.com	151.236.9.107	443		2023-10-16 18:42:23	24	10.14.45.103	TCP	57169	EDIS GmbH
5	Periodic connections to public IP	Every 00:05:01	2	Low	seedkraproboy.com	104.223.118.109	443		2023-10-16 18:58:24	7	10.14.45.103	TCP	8100	ASN-QUADRANET-GLOBAL
6	Long running session to public IP	02:45:16	1	Info		159.89.124.188	443		2023-10-16 18:32:07	1	10.14.45.103	TCP	14061	DIGITALOCEAN-ASN
7	Long running session to public IP	02:10:47	1	Info	joekairbos.com	104.248.81.48	443		2023-10-16 19:06:08	1	10.14.45.103	TCP	14061	DIGITALOCEAN-ASN
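The two netresec posts above describe the same behaviour from both ends: a C2 loop that sleeps 0x493E0 ms (5 minutes) before each connection, and CapLoader flagging the resulting "Periodic connections ... Every 00:05:01". As an added example (not code from netresec, CapLoader or the original posts), the Python script below implements that detection over flow records: it groups flows by client, server and port, measures the gaps between consecutive connection start times, and reports a series as periodic when every gap stays within a tolerance of the median gap. The flow records are constructed to mirror the summary rows of the alert table (a 24-flow series starting 18:42:23 and a 7-flow series starting 18:58:24, each spaced 301 seconds apart); they are not extracted from the PCAP, and 203.0.113.10 is a documentation-range address used for a constructed irregular control series.

```python
"""Beacon (periodic connection) detection over flow records.

Added example, not part of the netresec posts or CapLoader. All flow
records below are constructed to mirror the alert table summaries.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Sleep interval quoted in the post: WaitForSingleObject(handle, 0x493E0u)
ICEDID_SLEEP_MS = 0x493E0  # 300000 ms = 5 minutes


def _beacon(client, server, port, first, count, period_s):
    """Constructed data: `count` flows to one destination, `period_s` apart."""
    return [(client, server, port, first + timedelta(seconds=period_s * i))
            for i in range(count)]


CLIENT = "10.14.45.103"
T0 = datetime(2023, 10, 16, 18, 42, 23)

# Constructed sample flows (client, server, port, start). A 5-minute sleep
# plus ~1 s of connection setup gives the 301 s spacing CapLoader reported
# as "Every 00:05:01".
FLOWS = (
    _beacon(CLIENT, "151.236.9.107", 443, T0, 24, 301)
    + _beacon(CLIENT, "104.223.118.109", 443,
              datetime(2023, 10, 16, 18, 58, 24), 7, 301)
    # one-off connections from the alert table: too few flows to be periodic
    + [(CLIENT, "104.21.7.13", 80, datetime(2023, 10, 16, 18, 31, 3))]
    + [(CLIENT, "159.89.124.188", 443, datetime(2023, 10, 16, 18, 32, 7))]
    # constructed irregular traffic (RFC 5737 documentation address):
    # gaps of 30, 400, 75 and 900 s must not be flagged
    + [(CLIENT, "203.0.113.10", 443, T0 + timedelta(seconds=s))
       for s in (0, 30, 430, 505, 1405)]
)


def fmt_hms(seconds):
    """Render a gap in seconds as HH:MM:SS, like the alert table's Info column."""
    seconds = int(round(seconds))
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"


def detect_periodic(flows, min_flows=4, tolerance=0.10, floor_s=5):
    """Return {(server, port): (interval_str, flow_count)} for every
    client/server/port series whose inter-arrival gaps all lie within
    `tolerance` of the median gap (or within `floor_s` seconds, whichever
    is larger). Series with fewer than `min_flows` flows are ignored."""
    by_dst = defaultdict(list)
    for client, server, port, start in flows:
        by_dst[(client, server, port)].append(start)

    alerts = {}
    for (client, server, port), starts in by_dst.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        allowed = max(tolerance * med, floor_s)
        if all(abs(g - med) <= allowed for g in gaps):
            alerts[(server, port)] = (fmt_hms(med), len(starts))
    return alerts


if __name__ == "__main__":
    print(f"C2 loop sleep: {fmt_hms(ICEDID_SLEEP_MS / 1000)}")
    for (server, port), (every, n) in sorted(detect_periodic(FLOWS).items()):
        print(f"Periodic connections to {server}:{port} every {every} ({n} flows)")
```

The tolerance is the knob that matters in practice: a fixed sleep like the one in the post produces near-identical gaps, but loaders that add random jitter need a wider tolerance, which in turn lets legitimate pollers (update checks, mail clients) through as false positives. Pairing the periodicity alert with the other signals in the table, such as the port-protocol mismatch and the long-running sessions to the same hosts, is what makes it actionable.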
𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲 (netresec@infosec.exchange)
2023-11-03

Here's the decrypted #IcedID #BackConnect traffic from @malware_traffic's latest #PCAP. It was just a bunch of "SLEEP 60 seconds" commands this time 😞

IcedID BackConnect "SLEEP 60 seconds" commands extracted from 2023-10-31-IcedID-infection-traffic.pcap with NetworkMiner Professional 2.8.1. The PCAP file was downloaded from https://malware-traffic-analysis.net/2023/10/31/index.html
