A major law enforcement operation spanning Europe and North America has succeeded in taking down the infrastructure of Emotet, one of the world’s most popular and widely-used malware botnets since 2014.
Emotet, which is well known in cyber security circles as hackers’ favourite dropper malware, has until now been used primarily by hackers worldwide as a payload dropper, infiltrating computer systems or entire networks and then paving the way for hackers to send in second-stage malware or ransomware such as TrickBot and Ryuk.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Emotet, which first surfaced in 2014 as a banking trojan, is spread by malicious actors via phishing email attachments and links that, if clicked or downloaded, launch the payload which then “attempts to proliferate within a network by brute-forcing user credentials and writing to shared drives.”
In recent times, hackers have distributed Emotet to thousands of IT networks and millions of computers worldwide using COVID-19-themed phishing emails, attaching password-protected Zip files in emails to bypass email security gateways, and stealing existing email chains from an infected host to reply to the chain using a spoofed identity and attaching a malicious document to trick recipients into opening the file.
A reason why Emotet has been so successful in recent times is that the trojan has been designed to change its code each time it is used, making it difficult for antivirus software to detect it based on known signatures. The malware is also known for its worm-like feature, quickly spreading across the network after infiltrating a device connected to the network.
So successful was Emotet in infiltrating protected systems and enterprise networks that in order to prevent its spread, CISA advised government agencies and companies to take extreme steps such as blocking all email attachments containing .dll and .exe files, blocking all emails with Zip files, monitor users’ web browsing habits to restrict access to suspicious sites, and disable file and printer sharing services.
However, despite its well-known capabilities, Emotet wasn’t destined to last long. Earlier today, law enforcement authorities across Europe and North America announced the dismantling of the Emotet infrastructure which included over 700 servers distributed across continents.
The massive law enforcement operation was coordinated by Europol and involved authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine. The UK’s National Crime Agency led the financial arm of the investigation which included tracking how the criminal network behind the malware was funded, where that funding went, and who was profiteering.
According to Europol, the hundreds of servers that formed part of the Emotet infrastructure had different functions with some of them managing computers affected by the malware, some to spread to new ones, some to serve other criminal groups, and some to make the network more resilient against takedown attempts.
“To severely disrupt the Emotet infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime,” Europol said.
The agency added that Emotet was offered for hire to cyber criminal groups worldwide who then used it as a primary dropper for powerful ransomware families such as Ryuk and TrickBot. According to NCA, the operators of Emotet moved $10.5 million from just one virtual currency account over a two-year period and also spent almost $500,000 to maintain the criminal infrastructure.
“Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to seventy percent of the world’s malware including the likes of Trickbot and RYUK, which have had significant economic impact on UK businesses. Working with partners we’ve been able to pinpoint and analyse data linking payment and registration details to criminals who used Emotet,” said Nigel Leary, Deputy Director of the National Cyber Crime Unit.
Commenting on the takedown of the Emotet infrastructure, Chris Morales, Head of Security Analytics at Vectra, said that taking down Emotet is the equivalent of taking down an AWS or Azure major datacenter. The immediate impact would be felt, but eventually, organisations leveraging that infrastructure would look to move services elsewhere, including potentially internally managed. This could take some time depending on the capabilities and funding of the organisations leveraging that infrastructure.
“The good news is I see signs of law enforcement learning how to better coordinate global efforts to respond to what are international threats. This is a good start of what I hope to be a long and ongoing collaboration in targeting these type of organisations that can operate beyond any specific countries borders,” he said.
According to Sam Curry, the chief security officer at Cybereason, even though the battle being waged by defenders daily to root out Emotet and other forms of malware is essential in making cybercrime unprofitable, we’ll never turn the tables on attackers and rapidly uncover malicious operations by chasing uncorrelated alerts.
“We need to arm security analysts with tools to make the connection between disparate indicators of compromise – and more importantly, the more subtle indicators of behavior associated with an attack – so they can quickly detect and respond to malicious operations with surgical precision.
“That’s the only way to reverse the adversary advantage by detecting earlier and remediating faster; thinking, adapting, and acting more swiftly than attackers before they can adjust their tactics; and having the confidence as defenders that we can reliably intercept and eliminate emerging threats before an attack escalates to the level of a breach,” he added.