Multinational Law Enforcement Officials Take Down Notorious Emotet Botnet

An international group of law enforcement officials has announced a large operation to take down the infrastructure of the Emotet malware and botnet.

January 29, 2021 Zachary Comeau Leave a Comment

An international group of law enforcement officials, including the U.S. Department of Justice and Europol, has announced a large operation to take down the infrastructure of the Emotet malware and botnet.

European authorities on Tuesday said they seized control of Emotet, one of the most notorious distributors of malware and hacking-as-a-service operations that has affected millions of Microsoft Windows systems.

The takedown included actions in the U.S., Canada, France, Germany, the Netherlands and the U.K., and officials in Lithuania, Sweden and Ukraine assisted in the action, according to the DOJ.

The action required the cooperation of a large multinational group because Emotet’s infrastructure included several hundred servers located across the world, each with different functions and capabilities that helped manage the computers of infected victims, spread to new ones, serve other criminal groups and make the network more resilient against takedown attempts, according to European law enforcement agency Europol.

Law enforcement officials were able to gain access to Emotet servers located overseas and identified the IP addresses of about 1.6 million computers that appear to have been infected by Emotet between April 1, 2020 and Jan. 17, 2021. More than 45,000 of those were located in the U.S.

In a statement, Europol describes Emotet as one of the most dangerous and sophisticated malware operations in the world.

EMOTET has been one of the most professional and long-lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.

The Emotet actors used email as an attack vector, utilizing an automated process that delivered malware to victim endpoints via infected email attachments.

These malicious attachments purported to be invoices, shipping notices and information about COVID-19, according to Europol.

Bye-bye botnets👋 Huge global operation brings down the world’s most dangerous malware.

Investigators have taken control of the Emotet botnet, the most resilient malware in the wild.

Get the full story: https://t.co/NMrBqmhMIf pic.twitter.com/K28A6ixxuM

— Europol (@Europol) January 27, 2021

Once those files were opened, victims were prompted to “enable macros”, which allowed malicious code hidden in the file to install Emotet on the device.
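The delivery chain described above (lure e-mail, Office attachment, VBA macro) is something a mail gateway can screen for before a user ever sees the “enable macros” prompt. The following is an added example, not code from the article or from any of the agencies it quotes: it parses an e-mail, unpacks each Office Open XML attachment and flags those that carry a VBA project part. The sample .docm and the lure message are constructed inline; the lure keywords and file names are assumptions for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# OOXML parts that exist only in macro-enabled Word/Excel/PowerPoint files.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Lure themes the article attributes to Emotet campaigns (assumed keyword list).
LURE_WORDS = ("invoice", "shipping", "shipment", "covid")

def has_vba_project(payload: bytes) -> bool:
    """True if the bytes are an OOXML zip container that carries a VBA project."""
    if not payload.startswith(b"PK"):
        return False  # not a zip; legacy OLE (.doc/.xls) formats are out of scope here
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_PARTS)

def flag_macro_attachments(raw_message: bytes) -> list[dict]:
    """Parse an RFC 5322 message and report every macro-enabled Office attachment."""
    msg = email.message_from_bytes(raw_message, policy=default)
    subject = (msg["subject"] or "").lower()
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # base64 is decoded here
        if has_vba_project(data):
            findings.append({"filename": part.get_filename(),
                             "lure_subject": any(w in subject for w in LURE_WORDS)})
    return findings

def build_sample_doc(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML document, optionally with a VBA part (not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA stream
    return buf.getvalue()

def build_sample_email(attachment: bytes, filename: str) -> bytes:
    """Constructed sample lure e-mail (addresses are placeholders) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "finance@example.test"
    msg["Subject"] = "Invoice 2021-01 overdue"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename=filename)
    return msg.as_bytes()
```

Run `flag_macro_attachments(build_sample_email(build_sample_doc(True), "invoice.docm"))` to see a finding; the same call with `build_sample_doc(False)` returns an empty list.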

However, what made the malware even more dangerous was that the group behind Emotet offered the malware for hire to other bad actors, which resulted in banking Trojans and ransomware being installed on victim devices.

“This type of attack is called a ‘loader’ operation, and EMOTET is said to be one of the biggest players in the cybercrime world as other malware operators like TrickBot and Ryuk have benefited from it,” Europol said.

Emotet’s victims are numerous, including a school district in North Carolina that had to pay $1.4 million to mitigate an Emotet infection that damaged the school’s computers and disabled the school’s network for two weeks, according to the DOJ.

The U.S. Cybersecurity and Infrastructure Agency estimates that Emotet infections have cost local, state, tribal and territorial governments up to $1 million per incident to mitigate.

According to the DOJ, the FBI and foreign counterparts replaced Emotet malware on servers with files created by law enforcement.

This was done with the intent that computers in the United States and elsewhere that were infected by the Emotet malware would download the law enforcement file during an already-programmed Emotet update. The law enforcement file prevents the administrators of the Emotet botnet from further communicating with infected computers. The law enforcement file does not remediate other malware that was already installed on the infected computer through Emotet; instead, it is designed to prevent additional malware from being installed on the infected computer by untethering the victim computer from the botnet.

According to officials, law enforcement identified more than 20 U.S.-based hosting providers that hosted more than 45 compromised IP addresses associated with Emotet.

U.S. officials notified authorities in more than 50 other countries that hosting providers in their jurisdictions hosted hundreds of compromised IP addresses.

For more information and technical details, read this October 2020 report from CISA. The Dutch National Police have also created a website to check whether your email address has been compromised by Emotet.
