The answer to that question still remains open, but we expect it might return in some form or fashion. Yes, the takedown of EMOTET was successful, but anyone in the world of cybersecurity will tell you that malware has a habit of resurfacing in clever and unexpected ways. Therefore, the same could hold true for the EMOTET botnet as well.
What is EMOTET?
EMOTET, one of the most active and dangerous botnets, has been taken down by international authorities, in an operation coordinated by Europol and Eurojust.
Like many other malware variants, EMOTET reached victim machines using email as its attack vector. The attacker’s botnet (consisting of previously infected EMOTET victims) sent spam/phishing emails to new victims, most often with a Word attachment or with a hyperlink. In the case of the attachment, the document was often disguised as an invoice or as a document related to COVID-19. If the recipient opened the Word doc, they were prompted to enable macros, editing, or content, which in turn enables the mechanisms that allow the attackers to quietly install the EMOTET trojan/bot client onto the victim’s computer. The attackers can then leverage the EMOTET trojan to install additional malware, like TrickBot and Qbot, allowing rapid spread to other computers and servers.
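As an added illustration of the delivery chain described above (example code, not from the original post or from WatchGuard): a defender-side mail check that looks for a VBA project inside the Office container rather than trusting the attachment's extension or MIME type. It runs against a constructed invoice-themed message whose macro-bearing document is named .doc next to a clean .docx; the lure names and contents are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

VBA_MEMBER_PREFIX = "word/vbaProject"  # OOXML zip member holding VBA code
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container

def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean' or 'unknown', judging the container, not the extension."""
    if data.startswith(OLE_MAGIC):
        return "unknown"  # legacy .doc needs an OLE parser; route it to a sandbox
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return "clean"  # not an Office container at all
    return "macro" if any(n.startswith(VBA_MEMBER_PREFIX) for n in names) else "clean"

def flag_macro_attachments(raw_eml: bytes) -> list:
    """Names of attachments in an RFC 822 message that carry VBA macros."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        body = part.get_payload(decode=True)
        if body and classify_attachment(body) == "macro":
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged

def build_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container; the VBA member is a placeholder, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def build_sample_eml() -> bytes:
    """Constructed invoice lure: a macro document disguised as .doc plus a clean .docx."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_docx(True), maintype="application",
                       subtype="msword", filename="invoice.doc")
    msg.add_attachment(build_docx(False), maintype="application", subtype="octet-stream", filename="notes.docx")
    return msg.as_bytes()
```

Legacy OLE documents are reported as unknown on purpose: inspecting their macro storage needs a proper OLE parser, so a gateway should hand those to sandbox analysis rather than pass them through.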
Like many other botnets, EMOTET gives bot herders (those in control of a botnet) the ability to install anything they like on victim machines or to use the resources of the devices in their botnet in many malicious ways (distributed denial of service (DDoS) attacks, spam and phishing resources, proxies for malicious traffic, etc.). In particular, once EMOTET is installed it acts as a malware loader that its bot herders can auction off to other cyber criminals. This is exactly what the EMOTET bot herders did, selling access to the victimized devices to third-party bidders who, in turn, installed other malicious programs like ransomware. The way EMOTET was leveraged as an installation platform to widely distribute many types of criminal malware was what made it, according to Europol, one of the most resistant and dangerous threats of its time.
What happened on January 27th, 2021?
On January 27th, the joint effort of law enforcement agencies from Germany, the Netherlands, the U.S., the U.K., Lithuania, France, Ukraine, and Canada disrupted the malware’s command and control (C2) infrastructure.
Once law enforcement took control of the C2 infrastructure used to send commands to the botnet (on March 25, 2021), they used the botnet’s own commands to distribute a module that uninstalls EMOTET. In essence, this removes the bot client from victim machines, which takes them out of the botnet and makes it very hard for the attackers to regain control without reinfecting the machines from scratch.
The infrastructure of EMOTET included hundreds of servers located around the world, with various functionalities to manage the infected computers. The authorities likely had to leverage their local power as law enforcement to force ISPs, hosting companies, and more to give them access to the malicious servers in their infrastructure.
Actions on suspected actors
Besides taking down the infrastructure, the Ukrainian Cyberpolice Department arrested two individuals believed to be involved in the botnet’s infrastructure maintenance, who could face 12 years in prison if they are found guilty. In addition, other affiliates of a cybercrime group using the infrastructure have been identified, and measures are being taken to arrest them.
What should I do next?
Despite the takedown of the EMOTET botnet, you should reinforce your endpoint security to prevent these sorts of infections!
Taking down EMOTET’s infrastructure is a major win. The authorities taking control of the botnet could represent a significant disruption that should make it difficult for the current EMOTET variant to return to its normal operations. WatchGuard data shows that the disruption of EMOTET’s infrastructure resulted in an immediate drop in new campaigns.
However, despite all the signs that EMOTET is having a hard time coming back, other botnets disrupted in the past have been able to recover despite concerted efforts to eliminate them. In fact, today, 97% of malware uses some type of polymorphic technique, according to analysts at WatchGuard. Some are well known, such as the Cryptolocker or even the WannaCry ransomware. But the most relevant fact is that they can have different degrees of complexity and encryption in their code, and the most sophisticated ones, like EMOTET, can be difficult for traditional endpoint security solutions to detect. Furthermore, many of these malware variants share source code that has previously leaked in malware undergrounds. Some of EMOTET’s own code came from previous botnet variants, including the very old Zbot source code that leaked long ago. In short, botnets often return in some form or fashion, and sometimes new variants of very familiar botnets return under a new threat actor’s control.
While we celebrate and laud this win from global authorities, we recommend you still keep your vigilance up against botnets. To protect against a resurgence of the EMOTET botnet and other similar attacks, WatchGuard suggests providing training to employees on identifying phishing emails. You can also use various WatchGuard products, such as DNSWatch or network-based antimalware, to at least defang the links and attachments found in these emails.