Emotet botnet has been disrupted by global law enforcement operation

Europe’s law enforcement agency Europol has announced that a worldwide operation has disrupted one of the most dangerous malware Emotet. During an operation involving law enforcement agencies from eight countries, investigators have taken control of Emotet’s infrastructure, taking down arguably the most significant botnet in the past decade.

 

The joint operation to disrupt Emotet was carried out by authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. During the operation, authorities were able to take control of Emotet’s servers and take down the whole infrastructure from the inside. Two individuals, who law enforcement believe were the ones keeping Emotet servers running, have been arrested by Ukrainian police. They could be facing years in prison if found guilty. According to reports, other people involved in Emotet have been identified and are in the process of being detained.

Below is a video of the arrests made by the Ukrainian police.

Since its discovery in 2014, Emotet has evolved from a banking trojan aimed at stealing banking credentials to arguably the most sophisticated botnet out there. In 2016, Emotet operators changed their game and reconfigured the banking trojan to work as a “loader” malware, which essentially means it could install additional malware on computers it has infected. The malicious actors behind Emotet managed to create a vast network of infected computer (in other words, a botnet), access to which could be purchased by other cyber criminals to push their own malware. One famous client of Emotet is the Ryuk gang, who rented access to infected computers to push their ransomware. Emotet operators offering it as a malware-as-a-service (MaaS) is precisely why it’s such a dangerous piece of malware, and why its takedown is so significant. According to Dutch authorities, it is estimated that Emotet has caused hundreds of millions of dollars in damages.

Emotet operators were using infected email attachments as the primary method of distribution for the malware. The emails either linked to a malicious Word document or had it attached to the email as an attachment. All users had to do to infect their computers is open the malicious document and enable macros, which would then install Emotet malware onto the computer. The attachments were commonly disguised as invoices, receipts, shipping notices, and more recently – information about COVID-19.

Once a computer is infected, it becomes part of the Emotet botnet. Emotet could then deliver malicious payloads and install other malware. For example, the Ryuk ransomware. As Europol notes in its press release, anti-virus programs may have a difficult time detecting Emotet because of its polymorphic nature, which means it changes its code every time it’s called up.

Dutch authorities will deliver an Emotet update that will remove the malware from infected computers

According to Europol, Emotet’s infrastructure involved several hundreds of servers scattered all over the world. The sheer amount of servers and their different functionalities made Emotet more resilient to takedown attempts.

“The infrastructure that was used by EMOTET involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts,” Europol said in the press release.

Law enforcement agencies and judicial authorities were able to gain control of the infrastructure, which allowed them to take down Emotet from the inside. Europol says infected devices have been redirected to the infrastructure controlled by law enforcement.

According to ZDNet, law enforcement officials in the Netherlands are planning on delivering an Emotet update that will remove the malware from infected computers. The update should be released on March 25, 2021.

Emotet’s two primary command and control (C&C) servers were located in the Netherlands, and Dutch authorities were able to seize a significant amount of data from the botnet. The data includes email addresses, usernames, and passwords. People can visit the Dutch National Police website to check whether their email addresses are present in the seized data. The Dutch police warn that if a person’s email address is found in the seized data, that likely means that their computer is infected with Emotet and possibly other malware.