Emotet botnet disrupted after global takedown operation


mood



The infrastructure of today's most dangerous botnet, built by cybercriminals using the Emotet malware, was taken down following an international action coordinated by Europol and Eurojust.

 

The joint effort between law enforcement agencies and authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine allowed investigators to take control of the botnet's servers and disrupt the malware's operation.

 

Following a global investigative effort, judicial authorities and law enforcement took down the botnet's whole infrastructure from the inside after gaining control of its servers earlier this week.

"The infrastructure that was used by EMOTET involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts," Europol explained.

"The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime."

 

You can check if your e-mail address has been compromised by Emotet and used to deliver malicious emails using this Dutch National Police portal.

 

This portal will help you search through a database of e-mail addresses, usernames, and passwords stolen by Emotet and found earlier this week by the Dutch National Police during the criminal investigation that led to the botnet's disruption.

 

Image: Europol

Today's largest and most dangerous botnet

The Emotet malware was first spotted as a banking Trojan in 2014 and it has evolved into a botnet used by the TA542 threat group (aka Mummy Spider) to deploy second-stage malware payloads.

 

Emotet drops the QakBot and Trickbot trojan payloads (which in turn deploy both Ryuk and Conti ransomware) on victims' compromised computers.

"The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale," Europol added.

"Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware."

 

Following a break of more than a month, the Emotet botnet was revived on December 21st, with Microsoft spotting a campaign delivering "a wide range of lures in massive volumes of emails, the use of fake replies or forwarded emails, password-protected archive attachments."

 

Before this short break, Emotet had targeted US state and local governments in potentially targeted campaigns, according to an October DHS-CISA advisory.

 

The highly active Trickbot botnet was also partially and temporarily disrupted following a joint operation in October 2020.

 

Bye-bye botnets Huge global operation brings down the world's most dangerous malware.

 

Investigators have taken control of the Emotet botnet, the most resilient malware in the wild.

 

Get the full story: https://t.co/NMrBqmhMIf pic.twitter.com/K28A6ixxuM

 

— Europol (@Europol) January 27, 2021

 

 

Source: Emotet botnet disrupted after global takedown operation

Image credit: CC0 Public Domain

 

Law enforcement authorities in several countries have joined forces to disrupt what they call one of the world's most dangerous pieces of malware, one that allowed criminal gangs to install ransomware and steal data from computer users.

 

European Union police and judicial agencies Europol and Eurojust said Wednesday that investigators took control of infrastructure behind a botnet called EMOTET. A botnet is a network of hijacked computers used to carry out cyberattacks.

 

Authorities in the Netherlands, Germany, the United States, the U.K., France, Lithuania, Canada and Ukraine took part in the international operation coordinated by the two Hague-based agencies.

 

Dutch prosecutors said the malware was first discovered in 2014 and "evolved into the go-to solution for cybercriminals over the years. The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale."

 

The Dutch prosecutors said two of the main servers for the infrastructure were based in the Netherlands and a third in another undisclosed country. The national prosecutor's office said the damage caused by EMOTET runs into the hundreds of millions of euros (dollars).

 

The malicious software was delivered to computers in infected email attachments containing Word documents.

 

"A variety of different lures were used to trick unsuspecting users into opening these malicious attachments," Dutch prosecutors said in a statement. "In the past, EMOTET email campaigns have also been presented as invoices, shipping notices and information about COVID-19."

 

Europol said law enforcement agencies teamed up to take down the criminal infrastructure from the inside.

 

"The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure," the agency said. "This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime."

 

The operation was not the first time that cybercrime fighters have infiltrated illicit computer operations. In 2017, police shut down the world's leading "darknet" marketplace—then Dutch police quietly seized a second bazaar to amass intelligence on illicit drug merchants and buyers.

 

Source



Command 'n' control botnet of notorious Emotet Windows ransomware shut down in multinational police raid

Europol-led op knocks 700 servers offline

 

EU police agency Europol has boasted of taking down the main botnet powering the Emotet trojan-cum-malware dropper, as part of a multinational police operation that included raids on the alleged operators’ homes in the Ukraine.

“To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside,” said Europol in a jubilant statement this afternoon.

 

Police forces from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine all took part in the takedown.

“Analysis of accounts used by the group behind Emotet showed $10.5m being moved over a two-year period on just one Virtual Currency platform,” said Britain’s National Crime Agency, which added: “NCA investigators were able to identify that almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure.”

 

Ukrainian police published a remarkable YouTube video this afternoon, entirely in Ukrainian, showing a raid on an alleged operator’s home. The video shows dusty PCs and servers, large numbers of hard drives and (at about 1m50s) what looks like miniature gold bars.

 

 

What is Emotet and why is this a big deal?

Emotet is a frustratingly persistent email-delivered malware dropper aimed at Windows machines. Intended targets are bombarded with emails containing Word documents as attachments. Once the mark is fooled into opening the attachment (typical lure themes include information about topical news such as COVID-19 statistics, supplier invoices and bank letters) and running macros embedded within it, the malware is deployed.

 

Originally Emotet itself was used for stealing online banking credentials, though later evolutions of it focused more on its ability to infect targets’ computers with any given malware.

 

The malware’s moneymaking potential hinged on that so-called dropper functionality: the criminals behind Emotet could rent it out to other malware or ransomware gangs. A common payload was Trickbot, another banking trojan – which occasionally dropped the Ryuk ransomware.

 

Basically, Emotet was behind an awful lot of online badness – and if, as Britain’s NCA claimed, 700 of its command-and-control servers have been taken down, that should make a big dent in malware and ransomware infections.

 

Nigel Leary, deputy director of the NCA’s National Cyber Crime Unit, said in a statement: “Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to 70 per cent of the world’s malwares, including the likes of Trickbot and RYUK, which have had significant economic impact on UK businesses.”

Good news for Emotet’s victims - you can see if you were infected

The Abuse.ch online malware tracker showed very few known Emotet (aka Heodo, as that site calls the malware) nodes remaining online in the wake of the raids.

 

Europol also said the raids had resulted in innocent victims already infected with Emotet having those infections neutralised through police gaining control of the crims’ C2 infrastructure, explaining: "The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime."

 

Dutch police published an Emotet email address checker (the page contains an English translation a few paragraphs in) so potential victims can check if they were known to have been infected by the nasty. This service appears to be powered by a seized list of email addresses known to the criminals behind the malware.

 

Professor Alan Woodward of the University of Surrey told The Register: "Europol were at the centre coordinating and just like the swoop on Encrochat, this was another big blow to criminals using the internet to cause harm."

 

Alan Grau, VP of IoT and embedded solutions at Sectigo, said of the takedown: "The demise of Emotet will be welcomed in many quarters, but there is no doubt that malicious actors will be developing new variants to fill the vacuum. As such, email security practices, especially in light of remote work, are more important than ever.

"To protect against these ongoing attacks, enterprises must continue to train users on how to avoid phishing attacks. It is also critical to implement strong email security. Zero-touch deployment S/MIME email certificates automatically update the security profile of the email communication by authenticating the sender, encrypting the email content and attachment, and ensuring integrity."

 

Jordan LaRose, managing consultant at F-Secure, told The Reg: "Emotet has been a perennial enemy of businesses and cybersecurity practices alike for years now, and has contributed to some of the worst incidents we've ever seen.

"One of the most difficult aspects of incident response, and combating malware at large, is taking action against attackers who are able to act anonymously and largely without penalty due to the diplomatic implications of retaliation against them. This is never more true than with a botnet like Emotet that has infrastructure distributed among countries all over the world.

 

LaRose added: "While it is likely that other attackers will rise to fill the void left by Emotet, this investigation should serve as a warning to all other malware groups that distributed attack strategies won't protect them forever."

 

Criminal charges and prosecutions will doubtless follow from the raids.

 

 

Source: Command 'n' control botnet of notorious Emotet Windows ransomware shut down in multinational police raid

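A defender-side illustration of the delivery chain described in the Register article above (lure e-mail, Word attachment, embedded macro): this is an added example, not code from any of the quoted articles, from Europol or from the Dutch police checker. It parses a constructed .eml message and flags Office attachments whose OOXML package contains a VBA project; the addresses, subject and attachment bytes are all constructed here for the demonstration and are not real Emotet samples.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# OOXML parts that hold VBA code; a .docx/.xlsx without macros has none of these.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE_MAGIC = b"\xd0\xcf\x11\xe0"  # legacy binary Office (.doc/.xls) container

def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'legacy-ole', or 'clean' for one attachment body."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc can carry macros too; confirming needs an OLE parser, so flag for review.
        return "legacy-ole"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "clean"
        if any(p in names for p in VBA_PARTS):
            return "macro"
    return "clean"

def scan_eml(raw: bytes) -> list:
    """Return [(filename, verdict)] for every attachment that is not 'clean'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        verdict = classify_attachment(part.get_payload(decode=True) or b"")
        if verdict != "clean":
            findings.append((part.get_filename() or "<unnamed>", verdict))
    return findings

# --- constructed test data: a minimal zip laid out like a Word package ---
def build_ooxml(with_vba: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00" * 32)  # stands in for a VBA project
    return buf.getvalue()

def build_eml(attachment: bytes, filename: str) -> bytes:
    # Invoice-themed lure, one of the themes the articles name; addresses are constructed.
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@example.invalid", "finance@example.invalid"
    msg["Subject"] = "Invoice 2021-0127"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

In a mail gateway the verdict would drive quarantine or a SOC alert rather than a return value; a "legacy-ole" verdict still needs an OLE-aware parser (for example oletools) to confirm whether macros are present.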


Similar topics merged.


