Europol has announced that following a global operation by law enforcement and judicial authorities, the Emotet botnet has been disrupted and law enforcement agencies have seized control of its infrastructure.
The takedown was planned for two years and involved Europol, Eurojust, the FBI, the Royal Canadian Mounted Police, the UK’s National Crime Agency, and law enforcement agencies in Ukraine, the Netherlands, Germany, Lithuania, and France, and was one of the most significant botnet takedowns of the past decade.
Emotet started out as a banking Trojan in 2014 but has since been developed to act as a backdoor into computer systems and has grown to become one of the most prolific and dangerous botnets ever seen. Emotet was involved in some of the most damaging and costly cyberattacks of the past few years and was behind 30% of malware attacks.
The Emotet operation was highly professional and the gang took phishing to the next level. Emotet was primarily distributed using phishing emails with Word document attachments that used malicious macros to download the Emotet Trojan. A range of different lures were used to trick users into opening the attachment, or visiting a malicious hyperlink, including standard phishing lures such as fake invoices, shipping notices, and job applications, along with topical lures such as information about COVID-19.
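Because the delivery chain described above starts with a macro-carrying Office attachment, the triage check a mail-security team would want is "does this attachment contain a VBA project at all?" The following script is an added example, not code from the article or from any of the agencies it names: it parses an email message, extracts the attachments, and classifies each one by inspecting its bytes rather than trusting the file extension (OOXML files are zip archives whose macros live in a `vbaProject.bin` entry; legacy binary `.doc` files start with the OLE compound-file signature and need a dedicated parser such as oletools for a definitive answer, so they are flagged for review). The sample email, its lure text and all attachments are constructed inline for the demonstration and are not real Emotet artifacts.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Signature of the legacy binary Office container (OLE2 / compound file).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def office_attachment_risk(filename: str, data: bytes) -> str:
    """Classify one attachment by content: 'macro', 'office', 'legacy-binary' or 'other'.

    The filename is only reported, never trusted: a .docx can carry macros and a
    renamed .docm still has the vbaProject.bin entry inside the zip container.
    """
    if data[:2] == b"PK":  # OOXML (docx/docm/xlsx/xlsm/pptx/pptm) is a zip archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "office"
        return "other"
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls can embed VBA without any hint in the extension; a full
        # check needs an OLE stream parser, so treat the file as needing review.
        return "legacy-binary"
    return "other"


def scan_email(raw: bytes) -> dict:
    """Return {attachment filename: risk label} for every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        findings[fname] = office_attachment_risk(fname, part.get_payload(decode=True))
    return findings


def build_ooxml(kind: str, with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for the demo (constructed, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{kind}/document.xml", "<document/>")
        if with_macro:
            zf.writestr(f"{kind}/vbaProject.bin", b"\x00" * 16)  # stand-in for a VBA project
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed invoice-themed message with four attachments of differing risk."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # constructed sender
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice 4471 - payment overdue"  # constructed lure subject
    msg.set_content("Please see the attached invoice and enable editing to view it.")
    msg.add_attachment(build_ooxml("word", True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(build_ooxml("word", False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="notes.docx")
    msg.add_attachment(OLE_MAGIC + b"\x00" * 24, maintype="application",
                       subtype="msword", filename="old.doc")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, risk in scan_email(build_sample_email()).items():
        print(f"{name:15s} {risk}")
```

Running the script prints `invoice.docm macro`, `notes.docx office`, `old.doc legacy-binary` and `statement.pdf other`. In a gateway this classification would feed a policy such as quarantining `macro` attachments and routing `legacy-binary` ones to sandbox detonation; the point of inspecting the container rather than the extension is that the sender, not the recipient, chooses the filename.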
The process was fully automated and once infected, email accounts would be hijacked and used to distribute copies of the Trojan to contacts, along with other techniques for moving laterally across the network. Emotet was dangerous in its own right but was also used to deliver dangerous payloads for other criminal operations.
Once infected with the Emotet Trojan, the compromised devices were added to the botnet and used to infect other devices. Access to the infected devices was sold to other cybercriminal groups who delivered banking Trojans, ransomware, and stole data. What started with an Emotet infection often resulted in the delivery of the TrickBot Trojan and ransomware such as Ryuk.
As with other botnets, the infrastructure was distributed across hundreds of servers worldwide, each of which performed different functions to manage the computers that had been infected with the Emotet Trojan and further distribute the malware. The takedown was challenging and had to be performed from the inside, and carefully coordinated to ensure servers were taken down simultaneously to hamper any efforts by the gang to reconstruct its infrastructure.
Europol explained that the investigation was both in-depth and innovative, and resulted in the entire infrastructure being mapped. There were three main servers used to control the operation, two of which were located in the Netherlands, which were seized by the Dutch National Police. The central servers in the Netherlands have had a software update installed which will be pushed out to all devices infected with the Emotet Trojan. The update will see the Trojan quarantined on those devices. That means the army of devices that comprised the botnet are now no longer under the control of the Emotet gang and cannot be used to distribute the Emotet Trojan.
The Dutch National Police have also obtained a copy of a list of usernames, passwords, and email addresses of compromised devices, which has been published here. The webpage can be used to check if an email address is present in the list, which will likely mean a device has been infected with Emotet.
Protecting against polymorphic Trojans such as Emotet is difficult because the malware is constantly changing, which makes it hard for antivirus solutions to identify new variants. Antivirus software remains important, but businesses also need to ensure their employees receive training to help them identify the phishing emails that deliver the malware loaders, since those emails may not always be blocked by security solutions.