An international police operation involving France targeted Emotet. Has the "star" botnet lived through its last hours?
Is it over with Emotet? Europol wants to believe it at the end of an operation that involved the police forces of eight countries including France.
Bye-bye botnets 👋 Huge global operation brings down the world's most dangerous malware.
— Europol (@Europol) January 27, 2021
Investigators have taken control of the Emotet botnet, the most resilient malware in the wild.
Get the full story: https://t.co/NMrBqmhMIf pic.twitter.com/K28A6ixxuM
The operation culminated on January 26 with searches and arrests in Ukraine, where the botnet's presumed epicenter was located and about which CERT-FR had recently issued an alert.
The "Emotet family" emerged in 2014. It includes several variants of the Feodo banking trojan, itself a close relative of Dridex.
Emotet-TrickBot-Ryuk: a well-known channel
Over the years, the "Trojan horse" label has stuck, but the capabilities have expanded, ranging from hijacking mailboxes to spreading laterally within infected networks.
Emotet has also become a delivery platform for other malware, notably TrickBot, itself a vector for the propagation of the Ryuk ransomware.
The first versions of Emotet relied on a script attached to e-mails posing as payment advice, invoice reminders, or parcel tracking notifications. The infection vectors have gradually diversified, in particular through the use of macros in Office documents.
To avoid arousing the suspicions of its targets, Emotet inserts itself into e-mail conversations they have had in the past. Capable of detecting VMs and sandboxes, it is also polymorphic: it can change its representation to evade signature-based detection. The Windows registry and the task scheduler allow it to establish persistence on infected systems.
As Solorigate continues to be the top security topic, it’s business as usual for some cybercrime operations. After being seen in short-lived campaigns before Christmas, Emotet is back this week in a new campaign that uses various lures, including, oddly, "Christmas Party".
— Microsoft Security Intelligence (@MsftSecIntel) December 29, 2020
$2.5 billion in damage?
Emotet's architecture consisted of three groups of servers (Epoch 1, 2, and 3). The operation coordinated by Europol reportedly took about 700 of them offline.
Activity has indeed declined, if the abuse.ch statistics are to be believed. It has not quite ceased, however, and that is partly the doing of the police themselves: at Germany's initiative, they began using the seized infrastructure to push a module to infected computers. That module will trigger the uninstallation of Emotet on March 25th.
According to NCA estimates, annual infrastructure maintenance costs may have reached $250,000. Ukrainian security forces, for their part, put the total damage at 2.5 billion dollars.