Operation Endgame Disrupts Amadey Botnet and Stealc Infostealer
TL;DR
ESET Research contributed to Operation Endgame, which successfully targeted and disrupted the Amadey botnet and Stealc infostealer, impacting nearly 200 command and control servers. This operation highlights the importance of proactive monitoring and collaboration among cybersecurity entities to mitigate malware-as-a-service threats.
Main Analysis
ESET Research has been monitoring the Amadey botnet and Stealc infostealer for an extensive period, providing significant technical insights during Operation Endgame, a coordinated effort aimed at dismantling their operations. The operation, executed in collaboration with multiple entities, caused the disruption of approximately 50 domains and nearly 200 active command and control servers associated with these malware families. ESET’s contributions included detailed analyses, statistical information, and a comprehensive compilation of known command and control servers, which are critical for enhancing disruption efforts.
The Amadey botnet operates as a modular malware loader, primarily designed to distribute additional malware to infected systems while offering modules for data exfiltration and remote access. Conversely, Stealc functions as a dedicated infostealer, targeting a wide range of sensitive data, including credentials and cryptocurrency wallet information. Both malware families adopt a malware-as-a-service model, requiring affiliates to deploy their own infrastructure, adding complexity to disruption initiatives.
Understanding the clustering of activities in this malware ecosystem facilitated the identification of high-priority targets for disruption. ESET employed advanced tracking and clustering methodologies that considered command and control communications, build identifiers, and embedded encryption keys, significantly enhancing the effort to effectively target these operations.
Defensive Context
Organizations operating in sectors that deal with sensitive data should be particularly aware of threats from malware-as-a-service models, which exploit compromised systems to facilitate data theft. While businesses with robust cybersecurity measures might be less vulnerable, the persistent threat posed by the Amadey and Stealc malware families underscores the need for vigilance in monitoring digital environments.
Why This Matters
The real-world impact of these types of malware is significant, with potential exposure for any organization that handles sensitive user data or operates in critical infrastructure sectors. The modular nature of Amadey and the versatile capabilities of Stealc make their disruption crucial in reducing overall cybercrime related to data theft.
Defender Considerations
Given the disruption of command and control servers linked to Amadey and Stealc, stakeholders may want to assess any related infrastructure within their environments. This assessment could include monitoring for known command and control server IP addresses associated with these malware families as listed in the article.
Indicators of Compromise (IOCs)
-
Amadey-related IPs:
- 62.60.226[.]159
- 94.154.35[.]25
- 176.111.174[.]140
-
Stealc-related IPs:
- 64.188.91[.]237
- 176.124.199[.]207
- 194.26.192[.]191
These indicators represent command and control servers used in the Amadey and Stealc operations and can be leveraged for further strategic information gathering.
In summary, the proactive measures taken during Operation Endgame reflect critical advancements in cyber threat disruption, particularly against sophisticated, affiliate-driven malware-as-a-service operations. ESET’s research and collaboration within this operation provide a blueprint for future initiatives aimed at mitigating similar threats in the evolving cybersecurity landscape.
