With coordinated efforts, international law enforcement agencies have managed to take down the world’s most dangerous malware botnet.
Europol, along with other agencies, said that their coordinated action resulted in investigators taking control of the infrastructure behind Emotet, which is one of the most significant disruptions of cyber-criminal operations in the past decade. Officials said that they have now taken control of its infrastructure.
Emotet is infamous as one of the most professional and long-lasting cybercrime services. It was first discovered as a banking Trojan in 2014, but over the years the malware evolved into the go-to solution for cybercriminals.
Explaining the scale of the damage caused by the botnet, an officer said the Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, it was sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.
Spread via Word documents
“The Emotet group managed to take email as an attack vector to a next level. Through a fully automated process, Emotet malware was delivered to the victims’ computers via infected e-mail attachments. A variety of different lures were used to trick unsuspecting users into opening these malicious attachments,” Europol said in their statement.
It added that in the past, Emotet email campaigns have also been presented as invoices, shipping notices and information about COVID-19.
All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install Emotet malware on a victim’s computer.
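A mail-gateway check for the delivery mechanism described above, written as an added example for this article (not code from Europol or any agency named here): it flags Office attachments that carry a VBA project inside the OOXML zip package, that use a macro-enabled extension, or that arrive in the legacy OLE binary format that cannot be inspected without a dedicated parser. The sample attachments are constructed in memory, so the script runs offline.

```python
import io
import zipfile
from typing import List

# Part names that hold VBA inside an Office Open XML (zip) package.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls header


def attachment_findings(filename: str, data: bytes) -> List[str]:
    """Return the reasons an Office attachment should be held for review
    (empty list = nothing suspicious found by this check)."""
    findings: List[str] = []
    name = filename.lower()
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: VBA may be present but needs an OLE parser
        # (e.g. oletools) to confirm; hold it rather than trust it.
        findings.append("legacy OLE container")
    elif data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return ["unreadable zip container"]
        if names & VBA_PARTS:
            findings.append("embedded vbaProject.bin")
            if not name.endswith(MACRO_EXTS):
                # Macro payload inside a file named like a macro-free document.
                findings.append("extension does not advertise macros")
    if name.endswith(MACRO_EXTS):
        findings.append("macro-enabled extension")
    return findings


def build_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for fname, blob in [("invoice.docm", build_docx(True)),
                        ("shipping_notice.docx", build_docx(True)),
                        ("report.docx", build_docx(False)),
                        ("old_invoice.doc", OLE_MAGIC + b"\x00" * 8)]:
        print(fname, attachment_findings(fname, blob) or "clean")
```

The check only says whether a macro project is present, not what it does; an attachment it flags still needs the macro extracted and reviewed before release.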
Attacks for hire
Those behind Emotet lease their army of infected machines out to other cyber criminals as a gateway for additional malware attacks, including remote access tools (RATs) and ransomware.
Explaining what made Emotet so dangerous an officer said “the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomwares, onto a victim’s computer.”
This type of attack is called a ‘loader’ operation, and Emotet is said to be one of the biggest players in the cybercrime world as other malware operators like TrickBot and Ryuk have benefited from it.
Its unique way of infecting networks by spreading the threat laterally after gaining access to just a few devices in the network made it one of the most resilient malware in the wild.
Disruption of Emotet’s infrastructure
The infrastructure used by Emotet involved several hundred servers located across the world, each with a different function: managing the computers of infected victims, spreading to new ones, serving other criminal groups, and ultimately making the network more resilient against takedown attempts.
To severely disrupt the Emotet infrastructure, law enforcement teamed up to create an effective operational strategy. It resulted in this week’s action, whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside.
This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
Law enforcement agencies involved in the global action:
Netherlands: National Police (Politie), National Public Prosecution Office (Landelijk Parket)
Germany: Federal Criminal Police (Bundeskriminalamt), General Public Prosecutor’s Office Frankfurt/Main (Generalstaatsanwaltschaft)
France: National Police (Police Nationale), Judicial Court of Paris (Tribunal Judiciaire de Paris)
Lithuania: Lithuanian Criminal Police Bureau (Lietuvos kriminalinės policijos biuras), Prosecutor General’s Office of Lithuania
Canada: Royal Canadian Mounted Police
United States: Federal Bureau of Investigation, U.S. Department of Justice, U.S. Attorney’s Office for the Middle District of North Carolina
United Kingdom: National Crime Agency, Crown Prosecution Service
Ukraine: National Police of Ukraine