Emotet: the rise and fall of a criminal empire
The Emotet banking trojan has been active since at least 2014; the botnet is operated by the Russian-speaking cybercrime group tracked as TA542 (also known as Mummy Spider).
The threat evolved rapidly over time, as successive versions of the trojan added new capabilities, such as sending spam, carrying out DDoS attacks, and stealing sensitive data. The earliest versions spread through exploit kits such as the RIG 4.0 EK, but the operators quickly shifted to spam campaigns as their primary delivery vector.
Emotet was also one of the most active threats during the COVID-19 pandemic: at the end of 2020, experts observed multiple spam campaigns using messages that carried weaponized Word documents, or links to them, disguised as invoices, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.
In mid-September 2020, national cybersecurity agencies warned of Emotet spam campaigns targeting businesses in France, Japan, and New Zealand. At the end of September, agencies in Italy and the Netherlands, as well as researchers from Microsoft, issued new alerts about the spike in Emotet activity.
In October 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of a surge in Emotet attacks that had targeted multiple state and local governments in the U.S. since August.
The agency's EINSTEIN Intrusion Detection System had detected roughly 16,000 alerts related to Emotet activity since July 2020. The alert was based on data collected by CISA itself and provided by the Multi-State Information Sharing & Analysis Center (MS-ISAC).
How was Emotet shut down?
In January 2021, a global law enforcement operation named Operation Ladybird, led by Europol, disrupted the infrastructure of the infamous Emotet botnet.
“Law enforcement and judicial authorities worldwide have this week disrupted one of most significant botnets of the past decade: EMOTET. Investigators have now taken control of its infrastructure in an international coordinated action,” reads the announcement published by Europol.
“This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).”
Emotet’s C2 infrastructure was composed of several hundred servers worldwide, each with a different role.
Law enforcement agencies and judicial authorities took control of Emotet’s infrastructure from the inside, and then every infected bot was redirected to the C2 infrastructure under the control of law enforcement. The Dutch National Police discovered a database containing email addresses, usernames, and passwords stolen by the bots.
The National Police of Ukraine published a video showing a house search in which police officers seized computers, hard drives, and large amounts of money along with gold bars.
On April 25, 2021, law enforcement agencies automatically wiped the Emotet malware from infected systems across the world as part of a mass sanitization operation, the final step of the joint effort coordinated by Europol and Eurojust.
The authorities took over at least 700 servers that comprised the botnet’s infrastructure.
Shortly after the January takedown, the authorities used the seized C2 servers to push a 32-bit payload named “EmotetLoader.dll” to infected systems; this module contained a cleanup routine set to trigger itself automatically on April 25, 2021, as confirmed by researchers at Malwarebytes.
“Shortly after the Emotet takedown in January, a researcher observed a new payload pushed onto infected machines with a code to remove the malware at a specific date,” reads a blog post published by MalwareBytes.
“That updated bot contained a cleanup routine responsible for uninstalling Emotet after the April 25 2021 deadline. The original report mentioned March 25 but since the months are counted from 0 and not from 1, the third month is in reality April.”
The massive sanitization was also confirmed by the U.S. Department of Justice in their affidavit.
The 32-bit DLL (EmotetLoader.dll) has 3 exports, all of which lead to the same function used to clean up the infected host. The function first checks whether the deadline has passed.
If the deadline has already passed, the uninstall routine is called immediately. Otherwise, a thread keeps repeating the same time check and eventually calls the deletion code once the date has passed.
The routine used by law enforcement deletes the service associated with the Emotet malware, deletes the autorun Registry key, attempts (but fails) to move the file to %temp%, and then terminates the process.
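The deadline check described above, and the off-by-one in the month that the Malwarebytes post mentions (a 0-based month field, so a raw value of 3 means April), are easy to get wrong when reading a disassembly. The following C program is an added example written for this page; it is not the law enforcement module's code nor Malwarebytes' analysis. It assumes the deadline is stored as year/month/day fields in the same 0-based month convention as C's struct tm, and the constants and function names are illustrative.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Deadline fields as a 0-based-month routine would store them. The page only
 * states the trigger date (25 April 2021); the encoding here is an assumption
 * chosen to illustrate the tm_mon pitfall: a raw month value of 3 is April. */
#define DEADLINE_YEAR 2021
#define DEADLINE_MON  3   /* 0-based: 3 == April, not March */
#define DEADLINE_DAY  25

/* Compare a broken-down time against the hard-coded deadline, field by field,
 * in the year/month/day order a disassembled comparison would use. */
bool deadline_passed(const struct tm *now) {
    int year = now->tm_year + 1900;
    if (year != DEADLINE_YEAR) return year > DEADLINE_YEAR;
    if (now->tm_mon != DEADLINE_MON) return now->tm_mon > DEADLINE_MON;
    return now->tm_mday >= DEADLINE_DAY;
}

/* Build a struct tm from a human-readable (1-based) month. tm_isdst = -1 lets
 * mktime() decide on DST so normalization does not shift the date. */
struct tm make_tm(int year, int month_1based, int day) {
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = year - 1900;
    t.tm_mon = month_1based - 1;
    t.tm_mday = day;
    t.tm_isdst = -1;
    return t;
}

/* Convenience wrapper for callers that think in 1-based months. */
bool passed_on(int year, int month_1based, int day) {
    struct tm t = make_tm(year, month_1based, day);
    return deadline_passed(&t);
}

/* Render the deadline the way an analyst should report it: the raw 0-based
 * month plus one. Returns a static buffer. */
const char *deadline_as_text(void) {
    static char buf[16];
    snprintf(buf, sizeof buf, "%04d-%02d-%02d",
             DEADLINE_YEAR, DEADLINE_MON + 1, DEADLINE_DAY);
    return buf;
}

/* Simulate the resident thread: starting from the given date, poll once per
 * day and return how many polls happen before the uninstall routine would
 * fire (0 means it fires on the very first check); -1 if it never fires
 * within max_polls. */
int polls_until_fire(int year, int month_1based, int day, int max_polls) {
    struct tm t = make_tm(year, month_1based, day);
    for (int i = 0; i < max_polls; i++) {
        if (deadline_passed(&t)) return i;
        t.tm_mday += 1;
        mktime(&t);   /* normalize day/month rollover */
    }
    return -1;
}

int main(void) {
    printf("deadline (0-based month %d) is really %s\n",
           DEADLINE_MON, deadline_as_text());
    printf("2021-03-25 passed? %d\n", passed_on(2021, 3, 25));
    printf("2021-04-25 passed? %d\n", passed_on(2021, 4, 25));
    printf("polls from 2021-03-25 until firing: %d\n",
           polls_until_fire(2021, 3, 25, 60));
    return 0;
}
```

The point of the simulation is that a bot checking the raw fields would do nothing on 25 March 2021 and only fire 31 daily polls later, on 25 April, which is exactly the correction the Malwarebytes researchers made to the original report.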
All the Command & Control servers that were composing the botnet infrastructure were shut down by the massive operation.
What was the impact of the Emotet shutdown?
As part of the takedown and cleanup operation, the FBI collected millions of email addresses that the Emotet botnet had harvested from infected machines and used in its malware campaigns. The FBI, along with the Dutch National High Tech Crime Unit (NHTCU), shared 4,324,770 of these addresses with the Have I Been Pwned (HIBP) service so that users can check whether their addresses were harvested by Emotet.
“Following the takedown, the FBI reached out and asked if Have I Been Pwned (HIBP) might be a viable means of alerting impacted individuals and companies that their accounts had been affected by Emotet. This isn’t the first time HIBP has been used by law enforcement in the wake of criminal activity with the Estonian Central Police using it for similar purposes a few years earlier,” reads the post published by HIBP.
“In all, 4,324,770 email addresses were provided which span a wide range of countries and domains.”
39% of the email addresses provided by law enforcement were already in HIBP because they had appeared in other data breaches.
Subscribers to the HIBP service were notified if their email addresses were involved in Emotet campaigns.
Are there other existing botnets as dangerous as Emotet?
Even though Emotet was shut down, the crooks operating other botnets such as IcedID, Dridex, Qakbot, and TrickBot sent out large volumes of spam emails distributing weaponized documents in the first quarter of 2021.
The IcedID banking trojan appears to be the main candidate to take over Emotet's role. IcedID is similar to Emotet in its delivery and loader functionality, and the volume of IcedID samples observed worldwide exploded after the Emotet shutdown.