Law enforcement agencies from as many as eight countries have dismantled the infrastructure of Emotet, a notorious Windows email-borne malware behind several botnet-driven spam campaigns and ransomware attacks over the past decade.
The coordinated takedown of the botnet on Tuesday, dubbed "Operation Ladybird", is the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine to take control of the servers used to run and maintain the malware network.
"Basically, Emotet's infrastructure acted as the main door opener for global-scale computer systems," Europol said. "What made Emotet so dangerous is that the malicious software was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomware, on a victim's computer."
More Than Malware
Since it was first identified in 2014, Emotet has evolved from its roots as a credential stealer and banking Trojan into a powerful "Swiss Army knife" that can serve as a downloader, information stealer, or spambot depending on how it is deployed.
Known for its continuous development, the cybercrime service is regularly updated to improve stealth and persistence and to add new capabilities through a wide range of modules, including a recently added Wi-Fi spreader that identifies and compromises new victims on nearby Wi-Fi networks.
Last year, the malware was linked to several botnet-driven spam campaigns and even delivered more dangerous payloads such as TrickBot and the Ryuk ransomware by renting out its botnet of compromised machines to other malware groups.
“The Emotet group managed to take email as an attack vector to the next level,” Europol said.
700 Emotet Servers Were Seized
The UK's National Crime Agency (NCA) said the operation took nearly two years to map Emotet's infrastructure, with multiple properties in the Ukrainian city of Kharkiv raided to seize computer equipment used by the hackers.
The Ukrainian Cyberpolice Department also arrested two individuals allegedly involved in maintaining the botnet infrastructure, both of whom face up to 12 years in prison if convicted.
"An analysis of accounts used by the group behind Emotet showed that $10.5 million was moved over a two-year period on just one virtual currency platform," the NCA said, adding that "nearly $500,000 was spent by the group over the same period to maintain its criminal infrastructure."
Globally, Emotet-related damage is estimated at about $2.5 billion, Ukrainian authorities said.
With at least 700 servers operated by Emotet worldwide now taken down from the inside, machines infected by the malware are being redirected to law-enforcement-controlled infrastructure, preventing further exploitation.
In addition, the Dutch National Police have released a tool for checking whether an email address was compromised, based on a dataset of 600,000 email addresses, usernames, and passwords identified during the operation.
Emotet to Be Wiped En Masse on April 25, 2021
The Dutch police, who seized two central servers located in the country, said they had used a software update to effectively neutralize the threat posed by Emotet.
"All infected computer systems will automatically retrieve the update, after which the Emotet infection will be quarantined," the agency said. According to a tweet from a security researcher, Emotet is expected to be wiped from all compromised machines on April 25, 2021, at 12:00 local time.
Consistent with these findings, Malwarebytes researchers said that the payload used to remove the malware ("EmotetLoader.dll") will be pushed through the same channels used to distribute the original Emotet, and that the uninstaller removes the service associated with the malware and its Registry autorun key.
The April deadline also means that, until then, the update does not prevent Emotet ("X.dll") from remaining installed on a system. But with the command-and-control servers now sinkholed and under the control of law enforcement, the malware is stymied in its efforts to download further modules to the infected host.
“The long delay for the cleanup routine to activate may be explained by the need to give system administrators time to analyze forensics and check for other infections,” said the Malwarebytes Threat Intelligence Team.
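The cleanup routine described above is said to remove a Windows service and a Registry autorun entry. An administrator who wants to confirm, after the April deadline, that no such persistence is left on a host can enumerate the standard Run/RunOnce keys and the installed services and look for references to the DLL names mentioned in this report. The script below is an added example, not a tool from the article, Malwarebytes or law enforcement; the DLL names are the two the report mentions, and it is an assumption that a surviving loader would be referenced by file name in a Run key or service command line (Emotet's actual key and service names vary per infection and are not listed here).

```powershell
# Added example: look for Run/RunOnce autorun values and Windows services whose
# command line references the DLL names named in the report. This does not
# detect Emotet by itself; it only checks whether the documented persistence
# points still reference those files after the cleanup.

$patterns = @('EmotetLoader.dll', 'X.dll')   # names taken from the report (assumption: still used as file names)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Build one regex per name that requires the name to stand alone in the command
# line (preceded by a path separator, quote or whitespace), so "X.dll" does not
# match unrelated files such as DirectX.dll. -match is case-insensitive.
$regexes = foreach ($p in $patterns) {
    '(^|[\\/"\s])' + [regex]::Escape($p) + '($|["\s,])'
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # skip PowerShell provider metadata
        $value = "$($prop.Value)"
        foreach ($rx in $regexes) {
            if ($value -match $rx) {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($prop.Name)"; Command = $value }
            }
        }
    }
}

# Service command lines (PathName) live in the SCM; CIM is the supported way to read them.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $path = "$($svc.PathName)"
    foreach ($rx in $regexes) {
        if ($path -match $rx) {
            $findings += [pscustomobject]@{ Type = 'Service'; Location = $svc.Name; Command = $path }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Run/RunOnce values or services reference: $($patterns -join ', ')"
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so HKLM and the service list are fully readable. Hits are leads, not verdicts: a Run key or service pointing at a DLL under a user-writable path is worth pulling the file for analysis, while an absence of hits only means these two persistence points are clean, which is exactly what the uninstaller claims to achieve.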
Given the nature of the takedown operation, it remains to be seen whether Emotet can stage a comeback. If it does, this would not be the first time a botnet has survived a major disruption effort.
At the time of writing, Abuse.ch's Feodo Tracker shows that at least 20 Emotet servers are still online.
“A combination of the updated cybersecurity tools (anti-virus and operating systems) and cybersecurity awareness is essential to avoid becoming the victims of sophisticated botnets like Emotet,” Europol warned.
"Users should check their email carefully and avoid opening messages, and especially attachments, from unknown senders. If a message seems too good to be true, it likely is, and emails that convey a sense of urgency should be avoided."