Law enforcement agencies from several countries collaborated in a joint operation that resulted in taking over the command-and-control infrastructure behind Emotet, one of the world's largest botnets. Whether this disruption to the botnet will be permanent remains to be seen, but it's a promising development according to security experts.
"This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust," Europol announced Wednesday. "This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT)."
What is Emotet?
Emotet has been in operation since 2014 and over the past months has been the most commonly detected malware family by security products. The program started out as a Trojan program focused on the theft of online banking credentials, but over time evolved into a malware-as-service platform that was used by other cybercriminal groups to deploy their own malware or gain access to infected computers.
Emotet is run by a group tracked in the security industry as TA542 and one of its main customers was the group behind TrickBot, another botnet that was known for distributing the notorious Ryuk ransomware.
The Emotet / TrickBot / Ryuk relationship is well known in the security industry and organisations have been repeatedly warned to take Emotet and TrickBot infections on their networks seriously because they are a precursor to ransomware.
TrickBot command-and-control servers were targeted in a separate Microsoft-led industry takedown operation in October, but the botnet is not completely dead and new TrickBot samples continued to be distributed by Emotet after Microsoft's action. Other cybercrime gangs that use other malware programs, for example Qbot, also rely on Emotet for distribution.
Emotet itself is primarily distributed through spam emails that use social engineering to trick users into opening Word documents with malicious macros, rogue PDF files or URLs that lead to infected Word files. TA542 spam campaigns use generic lures such as invoices and other financial documents, but also try to exploit global or regional events such as the COVID-19 pandemic.
The group uses advanced techniques to increase its chances of success, such as threat hijacking, where emails pose as replies to legitimate conversations the Trojan stole from infected computers, or addressing the recipients by their real name and including their job titles and company names in the subject.
According to Vinay Pidathala, director of security research at Menlo Security, Emotet was the most prevalent malware observed in 2020 and the latest identified Emotet samples in the company's global cloud date January 2.
The Emotet takedown
According to Europol, Emotet's infrastructure consisted of several hundred servers located across the world and serving different purposes, including making the botnet more resilient to takeover attempts. Law enforcement agencies had to work together to develop a strategy that involved gaining control of the infrastructure from the inside and redirecting victims to servers under their own control.
As part of the investigation, the Dutch National Police seized data from the servers used by Emotet, including a list of stolen email credentials abused by the botnet. The agency set up a web page where users can check if their email address was among those affected. The information about infected computers that was gathered during the operation was also shared with national CERTs so the victims can be identified and contacted.
"Only time will tell if the takedown will have long-term impact to Emotet operations," Jason Passwaters, COO of security firm Intel 471, tells CSO.
"These groups are sophisticated and will have baked in some sort of recovery. Emotet itself does not appear to have any sort of inherent recovery mechanism, but a lot of the infected machines will have other malware installed as well, such as Qbot, Trickbot or something else. This could act as a way to recover those infected bots and pull them back under their control."
According to Passwaters, members of these cybercrime groups are spread across the world in different jurisdictions and even if some of them are caught and forced to cooperate with law enforcement, others can use the source code to attempt to rebuild the botnet. However, such efforts to launch a new Emotet-based botnet shouldn't be hard to detect for security vendors.
Based on information Intel 471 has, the law enforcement operation took place January 26 and also resulted in the arrest of several Ukrainian nationals who were responsible for running the botnet infrastructure.
"This is a very promising event," Passwaters said. "All of those country flags on the announcement perfectly sum up what is required to have any real impact on these organised cyber crime groups and operations. I'm particularly encouraged to see the efforts in Ukraine.
"Historically corruption and other limiting factors have stood in the way of impactful LE action in Ukraine, but it's really good to see them at the forefront given they are in many ways ground zero for organised cyber crime. The difference between 'disruption' and 'takedown' boils down to criminals being put in handcuffs. It's the pinnacle of a takedown operation and the only way you'll have long term impact."
"We are yet to see an instance where Emotet utilised anything other than compromised websites to host malware while maintaining the actual servers for the botnet under direct control to send instructions to infected machines," Josh Smith, security analyst at Nuspire," tells CSO. "Emotet operators have taken a significant financial blow now that their infrastructure is offline. It remains unknown if the operators will attempt to rebuild, but this is certainly possible. Emotet operators could also look at working with another botnet to distribute the malware."
Even if this turns out to be the death of Emotet, other botnet operators will rush to fill the void and serve TA542's former customers, as this is usually what happens in the cybercrime ecosystem when a big player goes down.
"We need to be cautious; threat actors are becoming smarter and better every single day," Francisco Donoso, director of global security strategy at Kudelski Security, tells CSO.
"Every time this occurs, they will learn what technical (or likely operational) security steps they could have taken to reduce the risk of getting caught. There are significant resources being spent on both sides of this 'battle' and the criminals will continue to see value in building such botnets, as we are talking about a multi-billion-dollar industry."