SpearTip | January 27th, 2021

Emotet, which may be considered the most infamous botnet, was taken down in an operation coordinated by Europol, the FBI, and the UK National Crime Agency. The botnet is estimated to include a million computer systems. A two-year plan to disrupt Emotet’s operations, called Operation LadyBird, was developed.

Operation LadyBird claimed two of Emotet’s primary command and control servers located in the Netherlands, which allowed law enforcement to place software updates on the servers and successfully remove infected endpoints from the Emotet botnet. It is also likely that access to these servers provided law enforcement with the source intelligence needed to identify the individuals behind the botnet.

According to Europol, the Public Prosecution Service and local police launched an investigation in July of 2019. “It is not yet known exactly how many people are involved. It is clear, however, that the group is well organized and responds quickly to changing circumstances. This indicates how professional these criminal groups are.”

Europol published a press release today explaining how global action was used to substantially disrupt Emotet’s infrastructure.

“Emotet has been one of the most professional and long lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such (as) data theft and extortion through ransomware.”

Emotet is operated as a pay-per-install botnet and has been used widely by many malware operators, including those behind Ryuk and Trickbot. Emotet is mainly distributed by email, with links or attachments sent to thousands of users a day. These emails typically contain a malicious document with embedded macros. Once the end user enables the embedded macros, Emotet injects into memory, avoiding antivirus detection, and begins communicating outside the network with command-and-control servers. The persistent connection allows Emotet to download and install additional modules, extending its capabilities over time and making it more resilient inside a network. At the same time, after making the original connection to a command-and-control server, Emotet frequently attempts to infect other systems inside the environment. Emotet’s overall success has depended largely on its operators’ ability to adapt to whatever hand they were dealt, regardless of where the payload landed.
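Because the chain above starts with a macro-bearing document arriving by email, a gateway check that flags Office attachments carrying VBA is a practical first control. The following is an added example written for this article, not SpearTip or Europol code; it uses only the standard library, and the sample attachments it inspects are constructed in the script (a minimal OOXML zip and a stub OLE header), not real Emotet samples. The OLE check is a heuristic on the UTF-16LE storage names Office uses, so treat a hit as "quarantine for review", not proof of maliciousness.

```python
import io
import zipfile

# Magic bytes of legacy OLE2 (binary .doc/.xls) containers.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_macros(data: bytes) -> bool:
    """Return True if an attachment looks like an Office file carrying VBA.

    OOXML files (.docm/.xlsm) keep macros in a vbaProject.bin part inside the
    zip; legacy OLE files keep them in 'VBA' / 'Macros' storages whose names
    are stored UTF-16LE in the directory, which this heuristic searches for.
    """
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        markers = ("VBA".encode("utf-16-le"), "Macros".encode("utf-16-le"))
        return any(m in data for m in markers)
    return False


def attachments_to_quarantine(attachments):
    """Given (filename, bytes) pairs, return the names that carry macros."""
    return [name for name, blob in attachments if has_macros(blob)]


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample: OLE header followed by a UTF-16LE 'Macros' storage name.
SAMPLE_OLE_WITH_VBA = OLE_MAGIC + b"\x00" * 8 + "Macros".encode("utf-16-le")

if __name__ == "__main__":
    inbox = [("invoice.docm", _build_ooxml(True)),
             ("report.docx", _build_ooxml(False)),
             ("statement.doc", SAMPLE_OLE_WITH_VBA),
             ("notes.txt", b"plain text")]
    print("quarantine:", attachments_to_quarantine(inbox))
```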

Emotet has been the initial access point in a significant number of incident response engagements investigated by SpearTip. The botnet allows ransomware threat actors to easily gain unauthorized access to an environment, where they can then steal data, remove security controls, and deploy a ransomware payload. Since law enforcement agencies have taken control of hundreds of Emotet’s servers, threat actors can’t access any previously compromised machines and the malware will not spread any further. This is a major victory in the ongoing battle against threat actors.

SpearTip’s experts, weighing in on the situation, have pointed out how low-tech Emotet’s operations are, yet they easily defeat organizations’ cybersecurity measures and continue to rake in millions of dollars. Ukrainian police posted footage on YouTube of a search of a residence containing a plethora of partially constructed computers and machines, as well as large sums of money and gold. Although law enforcement removing some of these key servers is helping limit the spread of Emotet, this doesn’t mean we have seen the last of it; the operation itself, however, appears to have been slowed down.

Despite this successful law enforcement operation, SpearTip has already observed and prevented, through the ShadowSpear Platform, Emotet-like memory injection attempts in 2021 originating from malicious Word documents disguised as COVID-19 medical reports. It is clear that although this particular group will be down for some time, other threat actors are working quickly to fill the void.