‘Operation Endgame’ deals major blow to malware distribution botnets


Malware droppers at the core of cybercrime ecosystem

Botnets have been around for decades, but their purpose has changed over time based on what made the most money for cybercriminals. At some point, the largest botnets were used to hijack email addresses and address books to send spam. At other times they deployed Trojans capable of stealing online banking credentials from browser sessions, and sometimes botnets were used to launch DDoS attacks as a service.

Some of those specializations still exist, but today some of the largest botnets are used as malware distribution platforms on behalf of the cybercriminal ecosystem. Ransomware has been the most profitable cybercriminal activity for many years, and ransomware gangs are always on the lookout for initial access into new victim networks, something that malware dropper operators specialize in.

Malware droppers are usually distributed through mass spear phishing campaigns. Their managers cast a wide net and then sort out the victims based on how valuable they could be to their cybercriminal customers. One of the suspects investigated in Operation Endgame earned over €69M in cryptocurrency by providing the infrastructure to deploy ransomware, Europol said.

TrickBot or TrickLoader, which was targeted in this operation, is one of the longest-lived botnets on the internet and has survived multiple takedown attempts. TrickBot started out as a Trojan program focused on stealing online banking credentials, but its modular architecture allowed it to become one of the primary delivery vehicles for other malware payloads.

TrickBot operators had a very tight business relationship with the notorious Ryuk gang, whose ransomware for a long time was distributed almost exclusively through the botnet. The TrickBot creators added functionalities that seemed to cater to nation-state APT groups and were also behind another malware dropper called BazarLoader.

Similar to TrickBot, IcedID first appeared in 2017 and was originally a banking Trojan designed to inject rogue content into local online banking sessions — an attack known as webinject. Since then it too grew into a malware distribution platform used by many cybercriminal groups, including initial access brokers that serve ransomware gangs.


