Law enforcement and judicial authorities have succeeded in disrupting one of the most significant botnets of the past decade: Emotet. Investigators have now taken control of its infrastructure in a coordinated international action.
Emotet was one of the most professional and long-lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into a go-to solution for cybercriminals over the years. The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, it was sold to other top-level criminal groups who used it to deploy further illicit activities such as data theft and extortion.
The Emotet group managed to take email as an attack vector to the next level. Through a fully automated process, Emotet malware was delivered to victims’ computers via infected email attachments. A variety of different lures were used to trick users into opening these malicious attachments. In the past, Emotet email campaigns have also been presented as invoices, shipping notices and information about COVID-19.
All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install Emotet malware on a victim’s computer.
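The delivery mechanism described above relies on the victim enabling VBA macros in a Word attachment. As an added defensive illustration (not part of Europol's release and not Emotet-related code), the following Python triage function checks whether an incoming Office attachment carries a VBA project at all, which is the first thing a mail gateway would want to know before a user is ever asked to "enable macros". It uses only the standard library; the sample packages are constructed inline. Modern .docx/.docm files are OOXML zip packages, and the VBA code lives in the part `word/vbaProject.bin`. Legacy binary .doc files (OLE2) are out of scope here and need a compound-file parser such as oletools' olevba.

```python
import io
import zipfile

# Package parts that only exist when an OOXML Word document carries VBA code.
MACRO_PARTS = ("word/vbaProject.bin", "word/vbaData.xml")
# Extensions that are never supposed to hold a VBA project.
MACRO_FREE_EXTENSIONS = (".docx", ".dotx")


def find_macro_parts(data: bytes) -> list:
    """Return the names of macro-bearing parts in an OOXML package, or [] if
    there are none or the bytes are not a zip package at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name for name in zf.namelist() if name.startswith(MACRO_PARTS)]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment for a mail-gateway policy decision.

    'no-macros'        : OOXML package (or non-zip) without a VBA project
    'macros'           : package declares itself macro-enabled and has VBA
    'macros-mismatch'  : VBA project found behind an extension that should
                         never carry one (worth a closer look)
    """
    parts = find_macro_parts(data)
    if not parts:
        return "no-macros"
    if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        return "macros-mismatch"
    return "macros"


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like package for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin is an OLE2 container; a stub is enough here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, macro in (("invoice.docx", False), ("invoice.docm", True), ("invoice.docx", True)):
        print(name, "->", triage_attachment(name, build_sample_package(macro)))
```

A gateway policy built on this would typically quarantine or strip "macros" and "macros-mismatch" results from external senders rather than relying on the user to refuse the "enable macros" prompt.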
Many botnets like Emotet are polymorphic. This means the malware changes its code each time it is distributed, so no two copies look alike. Since many antivirus programmes scan the computer for known malware code, such a change can make the malware harder to detect, allowing the infection to go initially unnoticed.
Emotet was much more than just simple malware. What made it so dangerous is that it was rented out to other cybercriminals who used it to install different types of malware, such as banking Trojans or ransomware, on a victim’s computer.
This type of attack is called a ‘loader’ operation, and given that other malware operators like TrickBot and Ryuk were able to benefit from it, Emotet was considered one of the most prominent players in the cybercrime world.
The infrastructure used by Emotet involved several hundred servers located all over the world. Each one had different functionalities designed to manage victims’ infected computers, spread the malware to new ones, serve other criminal groups, and, ultimately, make the network more resilient to takedown attempts.
To severely disrupt the Emotet infrastructure, law enforcement agencies teamed up to create an effective operational strategy. Eventually, law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. Victims’ infected machines were redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupting the activities of cybercriminals.
The operation was the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. It was carried out within the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).