International law enforcement and judicial authorities in eight countries have collaborated to dismantle the Emotet botnet, widely regarded as the world’s most dangerous and notorious malware operation.
Investigators in the U.S., U.K., Canada, France, Germany, Lithuania, the Netherlands and Ukraine, backed by Europol and Eurojust (European Agency for Criminal Justice Cooperation), collaborated to successfully commandeer Emotet’s infrastructure, Europol said. The operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats, a European Union initiative to fight organized and international crime.
Authorities said they gained control of Emotet’s infrastructure, which involved hundreds of servers located globally, by taking it down from the inside, redirecting the infected machines of victims to a law enforcement environment. “This is a unique and new approach to effectively disrupt the activities of the facilitators of cyber crime,” Europol said. Affected users will be notified via the network of Computer Emergency Response Teams globally.
“What makes Emotet particularly dangerous for organizations is that it has been the primary foothold for the future deployment of other banking trojans,” Sherrod DeGrippo, Proofpoint’s senior director of threat research and detection, told The Hill. “Their campaign volume is typically large, as we usually observe hundreds of thousands of emails per day when Emotet is operating. Considering this appears to be a law enforcement action on the back end infrastructure of the Emotet botnet, this really could be the end,” DeGrippo said.
The malware, first discovered as a banking trojan in 2014, evolved to become the kingpin platform for cyber hijackers, sold as a service to smaller operatives and criminal groups as an access key to compromised systems vulnerable to data theft and ransomware extortion.
Some of Emotet’s virulent features include hijacking old email threads to personalize spear phishing attacks. The malware also has been used as a delivery mechanism for malware to steal sensitive information and extort money from victims. Other Emotet campaigns feature emails that contain a link to download a malicious Word file, and some house the malicious document itself. When users open the file, it lures them to enable the document’s macros, which then install the Emotet malware on the victim’s computer. Some Emotet email campaigns have been disguised as invoices, shipping notices and, of late, information about COVID-19.
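Added example (not from the article, Europol or any vendor named here): a mail-gateway triage check in Python that flags Word attachments carrying a VBA macro project, the delivery mechanism described above. The sample packages are constructed in memory, and treating macros inside a .docx (a macro-free format) as suspicious is an assumed gateway policy, not something the article states.

```python
import io
import zipfile

# Paths inside an OOXML (Office 2007+) package that indicate an embedded VBA project.
VBA_PROJECT_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def find_vba_parts(data: bytes) -> list:
    """Return the names of VBA project parts found in an OOXML package (empty if none)."""
    if not data.startswith(b"PK\x03\x04"):
        return []  # not a ZIP container: legacy OLE2 .doc or something else entirely
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return []
    return sorted(n for n in VBA_PROJECT_PARTS if n in names)


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment for a gateway rule (assumed policy, not the article's).

    Returns 'clean', 'macro-enabled', or 'suspicious' (macros hidden behind a
    macro-free extension such as .docx, a mismatch worth quarantining for review).
    """
    parts = find_vba_parts(data)
    if not parts:
        return "clean"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ("docx", "xlsx", "pptx"):
        return "suspicious"
    return "macro-enabled"


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # placeholder bytes standing in for a VBA project; no real macro code
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),
                       ("shipping.docx", build_sample(False))):
        print(name, "->", triage_attachment(name, blob))
```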
Emotet has topped Webroot’s list of the nastiest malware three years running; Webroot blames it for most ransomware infections and links it to TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil-associated attacks. WatchGuard listed it in its top 10 cyber attackers for Q3 2020.
To avoid an Emotet infection, users should use updated cybersecurity tools, improve their cybersecurity awareness and avoid opening messages and attachments from unknown senders, Europol said.