Law enforcement officials behind Operation Endgame are seeking information on a person who goes by the moniker Odd and is believed to be the mastermind behind the Emotet malware.
Odd is also believed to have gone by the aliases Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, and Veron over the past several years, according to a video released by the agencies.
"Who is he working with? What is his current product?" the video asks, hinting that he is likely not operating alone and may be collaborating with others on malware beyond Emotet.
The threat actor(s) behind Emotet are tracked by the cybersecurity community under the monikers Gold Crestwood, Mealybug, Mummy Spider, and TA542.
Originally developed as a banking trojan, Emotet evolved into a broader-purpose loader capable of delivering a variety of payloads, joining the ranks of malware such as TrickBot, IcedID, QakBot, and others. It re-emerged in late 2021, albeit as part of low-volume activity, after a law enforcement operation dismantled its infrastructure.
As recently as March 2023, attack chains delivering an upgraded version of the malware were observed abusing Microsoft OneNote email attachments in an effort to bypass security restrictions. No new Emotet-related activity has been reported in the wild since the start of April 2023.
The call for information follows a sweeping coordinated effort that saw four arrests and the takedown of over 100 servers associated with malware loader operations such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot, in a bid to dismantle the initial access broker (IAB) ecosystem that feeds ransomware attacks.
Germany's Federal Criminal Police Office (Bundeskriminalamt) has also published the names of eight cybercriminals who are thought to have played significant roles in the SmokeLoader and TrickBot malware operations. All of them have since been added to the E.U. Most Wanted List.
"All these malicious services were in the arsenal of such Russian cybercrime organizations as BlackBasta, REvil, Conti and helped them attack dozens of Western companies, including medical institutions," the National Police of Ukraine (NPU) said in a statement.
Cyber attacks involving these malware families have relied on compromised accounts to target victims and propagate malicious emails, with the botnet operators using stolen credentials, obtained via remote access trojans (RATs) and information stealers, to gain initial access to networks and organizations.
Data shared by Swiss cybersecurity firm PRODAFT with The Hacker News in the wake of the operation shows that criminal actors on underground forums like XSS.IS are on alert, with the moderator – codenamed bratva – urging others to be careful and check if their virtual private servers (VPSes) went down between May 27 and 29, 2024.
Bratva has also been observed posting the identities of the eight individuals named by the Bundeskriminalamt, while emphasizing that Operation Endgame is one of the "far-going consequences of leaked Conti [ransomware] logs."
Other forum members took to the site to speculate about who may have leaked the discussions and raised the prospect of a "rat" cooperating with law enforcement. They also claimed that Romania and Switzerland will not exchange data about criminal actors within their borders unless it's an "extreme threat" like terrorism.
"[The] FBI can raid anything under saying its [sic] 'terrorism,'" one user who goes by the handle phant0m remarked.