A new joint operation run by US and European law enforcement and a number of private security firms took down the polymorphic Beebone botnet, also known as AAEH.
The operation was carried out by the FBI, the Department of Homeland Security, Europol and Dutch authorities. The malicious Beebone network infected nearly 12,000 machines worldwide with a polymorphic downloader used to serve banking malware, ransomware, password stealers, rootkits and other malware.
“AAEH is often propagated across networks, removable drives (USB/CD/DVD), and through ZIP and RAR archive files. Also known as VObfus, VBObfus, Beebone or Changeup, the polymorphic malware has the ability to change its form with every infection. AAEH is a polymorphic downloader with more than 2 million unique samples. Once installed, it morphs every few hours and rapidly spreads across the network. AAEH has been used to download other malware families, such as Zeus, Cryptolocker, ZeroAccess, and Cutwail.” reported the advisory issued by the DHS.
Despite the Beebone botnet is not composed by a large number of machine, the malware appears very sophisticated.
The Europol confirmed that there are five million unique Beebone samples in the wild.
“More than 205,000 samples were collected from 23,000 infected systems in the last two years. Most of the infections occurred in the United States, but computers in 195 countries were infected.”
The Beebone bots implements several infection vectors, including removable drives and malicious attachments, but the most insidious feature of the malware is its polymorphism that allows it to change morphology every two hours in some cases.
Beebone agent implements additional mechanisms to evade detection, for example it blocks connections to IP address blocks associated with security companies’ networks and disabled security tools (i.e. Antivirus software).
The Beebone takedown was possible thanks to the effort spent by the joint effort of the The Dutch National High Tech Crime Unit, the Joint Cybercrime Action Taskforce, the Europol’s European Cybercrime Centre (EC3), the FBI, and U.S-based representatives at the National Cyber Investigative Joint Task Force- International Cyber Crime Coordination Cell (IC4). Among the private companies involved in the operation there are Kaspersky Lab, Shadowserver and Intel Security.
The experts sinkholed‘ the Beebone botnet seizing all domain names the criminals used to control the malware. Malicious traffic be distributed to the ISPs (Internet Service Providers) and CERTs (Computer Emergency Response Teams) around the world, in order to inform the victims.
“This successful operation shows the importance of international law enforcement working together with private industry to fight the global threat of cybercrime,” said Europol deputy director of operations Wil van Gemert. “We will continue our efforts to take down botnets and disrupt the core infrastructures used by cybercriminals to carry out a variety of crimes. Together with the EU Member States and partners around the globe, our aim is to protect people worldwide against these criminal activities.”