Emotet Botnet Offline After Global Takedown By Police


Good news. One of the world’s most dangerous botnets, Emotet, has been taken down in a co-ordinated police operation around the world.

Police forces around the world have successfully taken down, in a co-ordinated action, what is being described as the world’s most dangerous botnet.

The botnet in question is Emotet, and authorities have now taken control of its command and control servers, in what Europol said was a disruption of “one of most significant botnets of the past decade.”

Emotet first reared its head back in 2014, and its main mission in life was to steal banking credentials and harvest emails. Then in 2017, security researcher Zscaler warned that Emotet had evolved and that the new variant had the UK in its sights, with 76 percent of Emotet’s attacks aimed at the United Kingdom.

Dangerous malware

But now, almost four years later, Europol said that thanks to a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust, it has been taken down.

“Emotet has been one of the most professional and long lasting cybercrime services out there,” said Europol. “First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale.”

“Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware,” they said.

“The Emotet group managed to take email as an attack vector to a next level,” Europol said. “Through a fully automated process, Emotet malware was delivered to the victims’ computers via infected email attachments.”

“A variety of different lures were used to trick unsuspecting users into opening these malicious attachments,” they added. “In the past, Emotet email campaigns have also been presented as invoices, shipping notices and information about Covid-19.”

Word documents

According to Europol, all of these booby-trapped emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email itself.

Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install Emotet malware on a victim’s computer.
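The delivery chain above, a Word attachment whose embedded VBA project runs once the user enables macros, is something a mail gateway or analyst can flag before the document is ever opened. The following is an added defender-side example, not code from the article or from Europol: it checks an attachment for a VBA project in both the Office Open XML container (`word/vbaProject.bin`) and, heuristically, the legacy OLE `.doc` container, and the sample attachments it runs on are constructed in memory rather than real documents.

```python
"""Flag Office attachments that carry a VBA macro project (Emotet's delivery vector)."""
import io
import zipfile

# Content type Office assigns to the vbaProject.bin part inside a macro-enabled document.
OOXML_MACRO_TYPE = "application/vnd.ms-office.vbaProject"
# Signature of a legacy OLE compound file (binary .doc / .xls).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the attachment bytes contain a VBA project.

    OOXML (.docx/.docm) is a zip: a macro project is stored as word/vbaProject.bin
    and declared in [Content_Types].xml. A legacy .doc is an OLE file; as a
    heuristic (assumption, not a full OLE parser) we look for the UTF-16LE
    directory-entry name "_VBA_PROJECT" that a VBA storage carries.
    """
    if data.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return OOXML_MACRO_TYPE in types_xml
    except zipfile.BadZipFile:
        pass  # not a zip container at all: nothing to flag here
    return False


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container used only to exercise the check."""
    parts = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
    if with_macro:
        parts["word/vbaProject.bin"] = "\x00constructed-vba-blob"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def triage_attachments(attachments: dict) -> list:
    """Return the names of attachments that should be held for review."""
    return sorted(name for name, blob in attachments.items() if has_vba_macros(blob))


if __name__ == "__main__":
    sample = {"invoice.docm": build_sample_docx(True), "notes.docx": build_sample_docx(False)}
    print("held for review:", triage_attachments(sample))
```

Presence of a VBA project is a trigger for quarantine or sandboxing, not proof of malice; the check is meant to stop the "enable macros" step from ever being offered to the user.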

According to Europol, what made Emotet so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomware, onto a victim’s computer.

This type of attack is called a ‘loader’ operation, and Emotet is said to be one of the biggest players in the cybercrime world as other malware operators like TrickBot and Ryuk have benefited from it, they stated.

Emotet was one of the most resilient malware families in the wild because of its unique way of infecting networks: after gaining access to just a few devices in a network, it spread the threat laterally to the rest.

Emotet used several hundred servers located across the world, each with different functions: managing the computers of infected victims, spreading to new ones, serving other criminal groups, and ultimately making the network more resilient against takedown attempts, Europol stated.

But this week law enforcement around the world took control of this infrastructure and took down the botnet from the inside.

“The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure,” Europol said. “This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”

Europol advised users to keep their cybersecurity tools (antivirus and operating systems) updated and to maintain cybersecurity awareness. This means users should carefully check their email and avoid opening messages, and especially attachments, from unknown senders.

Europol said that the Dutch national police had discovered a database containing email addresses, usernames and passwords stolen by Emotet.

People can check here if their email address has been compromised.

Ransomware action

At least one security expert noted that in recent years Emotet has been involved in the scourge of ransomware attacks around the world.

“Emotet has consistently remained one of the most widely distributed malware families in recent years,” explained Kimberly Goody, senior manager of cybercrime analysis at Mandiant Threat Intelligence.

“While it was historically associated with banking fraud, since 2017 the malware has been leveraged to distribute spam and secondary malware payloads, which we believe was on behalf of a limited set of customers,” said Goody.

“Between October 2020 and January 2021, we observed Emotet distribute multiple malware variants that have been used to enable ransomware operations, so it is plausible that this Emotet disruption may reduce the immediate victim pool for ransomware deployment in the short term,” said Goody.

“Mandiant has observed threat actors rebuild their botnets following other takedown or disruption efforts, although the likelihood of this scenario hinges on the significance of the individuals who have been apprehended,” said Goody. “Notably, the actors behind Emotet have existing partnerships with other notable malware operations, including Trickbot, Qakbot, and Silentnight.”

“In addition to distributing these families as secondary payloads, we have occasionally observed Emotet being distributed by these families in the past,” Goody concluded. “These existing partnerships and renewed spamming could be leveraged to rebuild the botnet.”