This week, law enforcement and judicial authorities worldwide have disrupted one of the most significant botnets of the past decade: EMOTET. Investigators have now taken control of its infrastructure in an internationally coordinated action.
This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. It was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
EMOTET has been one of the most professional and longest-lasting cybercrime services. First discovered as a banking Trojan in 2014, the malware evolved over the years into the go-to solution for cybercriminals. The EMOTET infrastructure acted essentially as a primary door opener for computer systems on a global scale. Once that unauthorised access was established, it was sold on to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.
Spread through a Word document
The EMOTET group managed to take email as an attack vector to the next level. Through a fully automated process, EMOTET malware was delivered to victims' computers via infected email attachments. A variety of lures were used to trick unsuspecting users into opening these malicious attachments. In the past, EMOTET email campaigns have been presented as invoices, shipping notices and information about COVID-19.
All of these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking a link within the email. Once a user opened one of these documents, they were prompted to "enable macros" so that the malicious code hidden in the Word file could run and install EMOTET on the victim's computer. The infection therefore depended on the user clicking through Office's macro warning, which is why the lure text in the email and document mattered so much to the operators.
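The delivery chain described above starts with a Word attachment that carries a VBA project. The following triage check, added here as an example and not code from the page or from any of the investigating agencies, inspects an attachment by content rather than by file extension and reports whether it contains the OOXML parts that a macro-enabled document needs (the `vbaProject.bin` part and its content type). The sample documents it builds in memory are constructed test data; the part names and content types are the standard ones from the Office Open XML package format. A legacy binary `.doc` (OLE2) is only flagged, because locating macros in that format needs an OLE stream parser such as oletools.

```python
"""Triage check for macro-bearing Word attachments (added example, not the page's code)."""
import io
import zipfile

# OOXML part/content-type markers for an embedded VBA project.
VBA_PART_SUFFIX = "vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Magic bytes of the legacy binary Office container (OLE2 Compound File).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> dict:
    """Describe macro indicators found in the raw bytes of an attachment.

    The extension is deliberately ignored: Word opens a renamed .docm just the
    same, so the decision must rest on the container contents.
    """
    result = {"format": "unknown", "has_vba": False, "indicators": []}

    if data.startswith(OLE2_MAGIC):
        # Legacy .doc: macros live in OLE streams, not in a zip part.
        result["format"] = "ole2"
        result["indicators"].append("legacy binary Office format; inspect VBA streams with an OLE parser")
        return result

    if not data.startswith(b"PK"):
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result

    result["format"] = "ooxml"
    # Indicator 1: the VBA project part itself is present in the package.
    for name in zf.namelist():
        if name.endswith(VBA_PART_SUFFIX):
            result["has_vba"] = True
            result["indicators"].append(f"part {name}")

    # Indicator 2: [Content_Types].xml declares a VBA project or a macro-enabled main part.
    try:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        content_types = ""
    if VBA_CONTENT_TYPE in content_types:
        result["has_vba"] = True
        result["indicators"].append("vbaProject content type declared")
    if MACRO_ENABLED_MAIN in content_types:
        result["indicators"].append("macro-enabled main document (.docm)")
    return result


def build_sample(macro: bool) -> bytes:
    """Build a minimal in-memory Word package (constructed test data, not a real lure)."""
    main_ct = MACRO_ENABLED_MAIN if macro else PLAIN_MAIN
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if macro:
        content_types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types += "</Types>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a real VBA project container.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    targets = [("sample.docm", build_sample(True)), ("sample.docx", build_sample(False))]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            targets.append((path, fh.read()))
    for label, blob in targets:
        print(label, classify_attachment(blob))
```

Run it with one or more attachment paths as arguments; without arguments it classifies the two constructed samples. A `has_vba` hit on an invoice or shipping-notice attachment is exactly the pattern the campaigns above relied on, and is a cheap mail-gateway signal to quarantine on.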
Attack for rent
EMOTET was much more than just malicious code. What made it so dangerous was that it was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomware, on a victim's computer.
This type of attack is called a "loader" operation, and EMOTET is said to have been one of the biggest players in the cybercrime world, as other malware operators, such as TrickBot and Ryuk, benefited from it.
Its unique way of infecting networks by spreading the threat laterally after gaining access to just a few devices in the network made it one of the most resilient pieces of malware in the wild.
Disruption of EMOTET infrastructure
The infrastructure used by EMOTET involved several hundred servers located across the world, all with different functions: managing the computers of infected victims, spreading to new ones, serving other criminal groups, and ultimately making the network more resilient against takedown attempts.
To seriously disrupt the EMOTET infrastructure, law enforcement authorities jointly developed an effective operational strategy. This resulted in this week's action, in which law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law-enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupting the activities of the facilitators of cybercrime.