The Beebone botnet has been shut down in a joint operation between U.S. and European law enforcement and a number of private security companies.
A new joint operation run by US and European law enforcement and a number of private security firms took down the polymorphic Beebone botnet, also known as AAEH.
The operation was carried out by the FBI, the Department of Homeland Security, Europol and Dutch authorities. The malicious Beebone network infected nearly 12,000 machines worldwide with a polymorphic downloader used to serve banking malware, ransomware, password stealers, rootkits and other malware.
“AAEH is often propagated across networks, removable drives (USB/CD/DVD), and through ZIP and RAR archive files. Also known as VObfus, VBObfus, Beebone or Changeup, the polymorphic malware has the ability to change its form with every infection. AAEH is a polymorphic downloader with more than 2 million unique samples. Once installed, it morphs every few hours and rapidly spreads across the network. AAEH has been used to download other malware families, such as Zeus, Cryptolocker, ZeroAccess, and Cutwail.” reported the advisory issued by the DHS.
Despite the Beebone botnet is not composed by a large number of machine, the malware appears very sophisticated.
The Europol confirmed that there are five million unique Beebone samples in the wild.
“More than 205,000 samples were collected from 23,000 infected systems in the last two years. Most of the infections occurred in the United States, but computers in 195 countries were infected.”
The Beebone bots implements several infection vectors, including removable drives and malicious attachments, but the most insidious feature of the malware is its polymorphism that allows it to change morphology every two hours in some cases.
Beebone agent implements additional mechanisms to evade detection, for example it blocks connections to IP address blocks associated with security companies’ networks and disabled security tools (i.e. Antivirus software).
The Beebone takedown was possible thanks to the effort spent by the joint effort of the The Dutch National High Tech Crime Unit, the Joint Cybercrime Action Taskforce, the Europol’s European Cybercrime Centre (EC3), the FBI, and U.S-based representatives at the National Cyber Investigative Joint Task Force- International Cyber Crime Coordination Cell (IC4). Among the private companies involved in the operation there are Kaspersky Lab, Shadowserver and Intel Security.
The experts sinkholed‘ the Beebone botnet seizing all domain names the criminals used to control the malware. Malicious traffic be distributed to the ISPs (Internet Service Providers) and CERTs (Computer Emergency Response Teams) around the world, in order to inform the victims.
“This successful operation shows the importance of international law enforcement working together with private industry to fight the global threat of cybercrime,” said Europol deputy director of operations Wil van Gemert. “We will continue our efforts to take down botnets and disrupt the core infrastructures used by cybercriminals to carry out a variety of crimes. Together with the EU Member States and partners around the globe, our aim is to protect people worldwide against these criminal activities.”
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.