The Emotet botnet, widely considered to be the most dangerous of its type in the world, has been dissolved as of April 25. An international law enforcement campaign that began in 2020 culminated in the infiltration and control of the botnet’s infrastructure, with a beneficial payload delivered to infected devices that scrubs the Emotet malware from their systems.
Emotet is thought to have infected about 1.6 million devices worldwide, with a global command-and-control system that spanned hundreds of servers. The criminals that previously controlled the botnet rented out access to compromised networks to other threat actors, primarily for ransomware campaigns and exfiltration of sensitive data.
Emotet malware battle spanned several continents
Called “Operation Ladybird,” the effort included law enforcement agencies from at least nine countries including Europol, the United States FBI, the United Kingdom’s National Crime Agency, and the Dutch National Police. It appears to have stemmed from a raid by police in the Ukraine, in which physical assets belonging to suspects associated with running the botnet were seized.
The Emotet malware had been running wild since 2014, first seen as a trojan targeting banking systems. Over the years, the hackers controlling it pivoted to using it as a crime-for-rent system as it racked up a large collection of compromised devices and illicit access to networks. Most of the criminals that made use of it engaged in broad phishing campaigns that leveraged the botnet to send out massive amounts of emails. These emails generally came with a malicious Word document that would compromise the target system when macros were enabled.
The law enforcement agencies were able to gain access to Emotet malware servers sometime after April 1, 2020 and worked to destroy the botnet from the inside through January 2021. The solution they ultimately came up with was to use the command-and-control system to push an update to infected devices that cleans Emotet from the system. While this breaks the connection with the Emotet botnet, it does not remove any additional malware that Emotet clients might have left on systems after purchasing access to them. Officials are anticipating that criminals will attempt to rebuild the Emotet malware network, but there will likely be an extended reprieve at the very least.
Law enforcement removes a substantial online threat
Pushing a background payload in order to disable the Emotet malware is a potentially problematic solution from a legal standpoint, but some law enforcement agencies (such as the US Department of Justice) are pointing out that their own government is not involved; the malware servers are now under the control of the German federal police agency. Ilia Kolochenko, Founder and Chief Architect for ImmuniWeb, points out that this sets a precedent that could potentially move in dangerous directions: “If viewed in as an isolated event, this is a laudable and highly successful operation of law enforcement. However, privacy advocates may sooner or later start questioning such anti-malware operations in cyberspace as potentially intrusive and unwarranted. There are also some chances that removal may damage the infected system due to some unforeseeable circumstances, such as unique or unusual configuration of the compromised machine. Where I see the risk is that hostile nation states may follow the US and EU example and deploy massive cleaning operations in the Internet that would be difficult to monitor and control. Attribution of hacking attacks, disguised as cleaning campaigns, will become almost impossible from technical and legal viewpoints.”
Malware researchers found that the update (a customized DLL file named “EmotetLoader.dllsent”) deletes Emotet’s autorun registry keys and associated Windows services but does not touch anything else on the device, including any other types of malware that might be present. The US has established some precedent for unauthorized law enforcement remote access for the purpose of malware removal, however; the FBI received a court order earlier this month allowing it to remotely remove web shells from Microsoft Exchange servers as part of the response to the email vulnerabilities discovered earlier this year. It was the first time that a US government or law enforcement agency had accessed private computer property for the purpose of malware remediation.
Emotet malware was persistent and lucrative
Over its lifetime, the Emotet malware is thought to have raked in $2 billion from victims. A report from Digital Shadows indicates that each attack is thought to have cost US government agencies about $1 million to remediate. It was highly effective in establishing long-term footholds in infected systems due to constantly changing and updating its code using polymorphic techniques to evade virus scanning software. But it was also quite popular for more quickly executed ransomware attacks; the Emotet infrastructure was a primary delivery vector in the Ryuk ransomware campaign that plagued organizations around the world in 2019 and 2020. Europol’s European Cybercrime Centre estimates that Emotet malware has been involved in 30% of attacks since 2019.
Law enforcement pushing a background payload to infected devices in order to disable the Emotet #malware is a potentially problematic solution from a legal standpoint. #cybersecurity #respectdata
Emotet was dormant from around the beginning of the coronavirus pandemic to mid-summer 2020, but came back strong in the latter half of the year. Since the Emotet malware will no longer receive updates from its command servers, antivirus systems will have a chance to catch up with it. But systems and networks that have been infected stand a good chance of harboring other forms of malware, given the focus on downloader capabilities and worm tools that spread it laterally within networks. And while it primarily attacks computers running Windows, these lateral capabilities mean that it may have hopped to mobile devices as well. In early 2020, a loader was discovered that indicated Emotet had added the ability to spread via WiFi networks that were unprotected or safeguarded with weak passwords vulnerable to dictionary attacks.