Thu | Jan 28, 2021 | 3:15 AM PST

International law enforcement and judicial authorities have been able to take control of the infrastructure of EMOTET, one of the most impactful botnets in the last decade.

This is the result of a collaborative effort between many countries, including the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine.

Europol discussed the law enforcement strategy for disrupting EMOTET's infrastructure, which included several hundred servers around the world.

"To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside.

The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime."

EMOTET's history and effectiveness

EMOTET gained notoriety as one of the most professional and longest-lasting cybercrime services in existence.

First identified as a banking trojan in 2014, it quickly evolved into an all-purpose tool for cybercriminals everywhere. It works primarily as a door opener for computer systems on a global scale. As soon as unauthorized access had been established, it would be sold to other criminals so they could commit crimes such as data theft and extortion through ransomware.

One reason EMOTET was so effective was its ability to spread via Microsoft Word documents. Europol says the EMOTET group was able to take email as an attack vector to the next level:

"Through a fully automated process, EMOTET malware was delivered to the victims' computers via infected email attachments. A variety of different lures were used to trick unsuspecting users into opening these malicious attachments. In the past, EMOTET email campaigns have also been presented as invoices, shipping notices, and information about COVID-19.

All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email itself. Once a user opened one of these documents, they could be prompted to 'enable macros' so that the malicious code hidden in the Word file could run and install EMOTET malware on a victim's computer."
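The delivery chain Europol describes rests on a Word attachment that carries a VBA project and asks the recipient to enable macros. A mail gateway or triage script can check for that structurally instead of trusting the file extension. The script below is an added example written for this article, not code from Europol or from any vendor quoted here; it assumes that macro-enabled OOXML documents store their VBA in a `word/vbaProject.bin` part (which is how Office saves them) and uses only the Python standard library. The sample documents it builds are constructed placeholders, not real files.

```python
import io
import os
import zipfile

# Legacy binary Office container (.doc, .xls). Macros in these files live in
# OLE streams that the standard library cannot parse, so they are routed for
# manual review rather than silently allowed.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions that announce macros; still checked structurally because a
# renamed file keeps its contents.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def has_vba_macros(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office file carries a VBA project.

    Office keeps macros in a vbaProject.bin part (word/vbaProject.bin for Word).
    Renaming invoice.docm to invoice.docx does not remove that part, so the
    check looks inside the container rather than at the file name.
    """
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        # Claims to be a zip but is not readable: no macro part found.
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if has_vba_macros(data):
        return "block"          # macro project present, whatever the name says
    if data.startswith(OLE2_MAGIC):
        return "review"         # legacy .doc/.xls: needs an OLE-aware scanner
    if ext in MACRO_EXTENSIONS:
        return "review"         # macro extension but unreadable container
    return "allow"


def make_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not VBA")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments mirroring the lures the article mentions.
    for name, blob in [
        ("invoice.docx", make_sample_docx(with_macro=True)),   # renamed .docm
        ("shipping_notice.docx", make_sample_docx(with_macro=False)),
        ("covid_update.doc", OLE2_MAGIC + b"\x00" * 24),
    ]:
        print(f"{name}: {triage_attachment(name, blob)}")
```

The verdicts are deliberately conservative: anything with a VBA project is blocked outright, and legacy OLE files go to review because deciding whether they contain macros needs a proper OLE parser. Pair this with the "enable macros" awareness point Europol makes, since the document only runs its payload if a user clicks through that prompt.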

EMOTET as an attack for hire

Europol also stresses that EMOTET was so much more than just malware.

EMOTET was dangerous because it followed a malware-as-a-service model and was often sold to other cybercriminals for the purpose of installing different types of malware, like banking trojans or ransomware. This is known as a "loader" attack.

It was also one of the most resilient malware families out there because of its unique way of infecting networks: spreading laterally after gaining access to only a couple of devices.

Europol also says EMOTET is known to be one of the biggest players in the cybercrime world, one that benefited other players such as TrickBot and Ryuk tremendously.

Cybersecurity professionals praise EMOTET takedown

The news of EMOTET's infrastructure being disrupted through the collaborative efforts of authorities around the world is being praised by those who have had to deal with the headache EMOTET can cause.

Chris Morales, head of security analytics at Vectra, shared his thoughts regarding EMOTET no longer being the threat it used to be.

"EMOTET was large and far reaching. What is impressive, yet concerning, is how it has persisted for so long. That stability and length of time is what has made EMOTET so lucrative and widely adopted by other criminal organizations. There will be an immediate impact. Crime organizations operate based on a cost and efficiency model much like any legitimate organization.

Taking down EMOTET is the equivalent of taking down an AWS or Azure major datacenter. The immediate impact would be felt, but eventually organizations leveraging that infrastructure would look to move services elsewhere, including potentially internally managed. This could take some time depending on the capabilities and funding of the organizations leveraging that infrastructure.

The good news is I see signs of law enforcement learning how to better coordinate global efforts to respond to what are international threats. This is a good start of what I hope to be a long and ongoing collaboration in targeting these types of organizations that can operate beyond any specific country's borders."

The threat of EMOTET has been removed for now, but will it be gone forever? Brandon Hoffman, Chief Information Security Officer at Netenrich, is hesitant to think this threat has disappeared permanently.

"This is a great accomplishment that has been sorely needed. Unfortunately, with something like EMOTET, which has been running so long and embedded so deeply in the cybercrime underground toolkit, it is hard to consider it gone forever.

Certainly, the people who operated EMOTET, as well as the developers of it, will find a way to recover remnants of it and repurpose it into a new version. While the name EMOTET may no longer be used, we should assume core pieces will live on through other tools and methods."

Mitigations to loader attacks

Europol warns that many botnets like EMOTET are polymorphic in nature, meaning they change their code each time they are used.

Most antivirus programs look for known malware code, so a sample whose code has changed is difficult to detect by that method.
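To make the polymorphism point concrete from the defender's side: a detection that keys on the exact hash of a known sample misses the next rebuild, while a detection that keys on what the sample has to contain to work (here, an auto-run macro entry point) survives a rebuild that only reshuffles the surrounding bytes. The script below is an added illustration for this article, not Europol's or any vendor's detection logic; the two "samples" are constructed byte strings standing in for two builds of the same loader, and the auto-run procedure names are the standard VBA entry points Office invokes when a document opens.

```python
import hashlib

# Constructed stand-ins for two builds of one macro loader (no real malware
# bytes): the same macro body, different trailing filler. A real polymorphic
# rebuild changes far more than this, which only strengthens the point.
MACRO_BODY = b"Sub AutoOpen()\n    ' constructed placeholder body\nEnd Sub\n"
SAMPLE_A = MACRO_BODY + b"\x00" * 16
SAMPLE_B = MACRO_BODY + b"\x00" * 15 + b"\x01"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_hash_denylist(known_samples) -> set:
    """The simplest signature database: exact hashes of samples seen so far."""
    return {sha256_hex(s) for s in known_samples}


def hash_match(data: bytes, denylist: set) -> bool:
    """Exact-hash lookup: one changed byte anywhere defeats it."""
    return sha256_hex(data) in denylist


# VBA procedures that Office runs automatically when a document or workbook
# opens. A macro loader must expose one of these to execute without a click
# beyond "enable macros", so their presence is a structural indicator that a
# rebuild cannot drop without losing functionality.
AUTO_RUN_MARKERS = (b"AutoOpen", b"Document_Open", b"Workbook_Open")


def structural_match(data: bytes) -> bool:
    return any(marker in data for marker in AUTO_RUN_MARKERS)


def verdict(data: bytes, denylist: set) -> str:
    """Layered decision: exact signature first, structural indicator second."""
    if hash_match(data, denylist):
        return "known-bad"
    if structural_match(data):
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    # Denylist built only from the first build; the second build is "new".
    denylist = build_hash_denylist([SAMPLE_A])
    for label, sample in [("build A", SAMPLE_A), ("build B", SAMPLE_B)]:
        print(f"{label}: hash match={hash_match(sample, denylist)}, "
              f"structural match={structural_match(sample)}, "
              f"verdict={verdict(sample, denylist)}")
```

Build B never appears in the hash denylist, so a hash-only scanner reports it clean, yet the structural check still flags it. This is the gap behind Europol's advice to keep antivirus and operating systems updated: vendors ship exactly these structural and behavioural rules, and an out-of-date engine is left with stale exact-match signatures.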

Europol says that a "combination of both updated cybersecurity tools (antivirus and operating systems) and cybersecurity awareness is essential to avoid falling victim to sophisticated botnets like EMOTET."

It emphasized the value of security awareness, because that can help end-users understand what these attacks can look like and avoid opening any unusual or suspicious emails in the first place.