Law enforcement takes over Emotet, one of the biggest botnets



Law enforcement agencies from several countries collaborated in a joint operation that resulted in taking over the command-and-control infrastructure behind Emotet, one of the world’s largest botnets. Whether this disruption to the botnet will be permanent remains to be seen, but it’s a promising development according to security experts.

“This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust,” Europol announced Wednesday. “This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).”

What is Emotet?

Emotet has been in operation since 2014 and in recent months has been the malware family most commonly detected by security products. It started out as a banking Trojan focused on stealing online banking credentials, but over time evolved into a malware-as-a-service platform that other cybercriminal groups used to deploy their own malware or to buy access to already infected computers.

Emotet is run by a group tracked in the security industry as TA542, and one of its main customers was the group behind TrickBot, another botnet known for distributing the notorious Ryuk ransomware. The Emotet / TrickBot / Ryuk relationship is well documented in the security industry, and organizations have been repeatedly warned to treat Emotet and TrickBot infections on their networks as serious incidents because they are frequently a precursor to ransomware deployment.

TrickBot command-and-control servers were targeted in a separate Microsoft-led industry takedown operation in October, but that botnet is not completely dead, and new TrickBot samples continued to be distributed by Emotet after Microsoft's action. Cybercrime gangs operating other malware families, for example Qbot, also rely on Emotet for distribution.

Emotet itself is primarily distributed through spam emails that use social engineering to trick users into opening Word documents with malicious macros, rogue PDF files, or URLs that lead to infected Word files. TA542 spam campaigns use generic lures such as invoices and other financial documents, but also exploit global or regional events such as the COVID-19 pandemic. The group uses advanced techniques to increase its chances of success, such as thread hijacking, where emails pose as replies to legitimate conversations that the Trojan stole from previously infected computers, or addressing recipients by their real name and including their job title and company name in the subject line.
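The two lure characteristics described above, a message that claims to be a reply to a conversation the recipient never had and a macro-enabled Office attachment, are both mechanically checkable. The following triage script is an added example written for this page, not code from the article, Europol, or any vendor mentioned in it. It parses an .eml, flags a "reply" whose In-Reply-To/References headers match no Message-ID the organization has ever sent (a cheap thread-hijacking heuristic), and inspects OOXML attachments for a VBA project stream. The sample email, the known-message-ID set, and the attachment bytes are all constructed inline; the minimal zip stands in for a real .docm and is not a working document. Legacy OLE2 formats (.doc, .xls) are a different container and are deliberately out of scope here.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# OOXML documents are zip archives; a VBA project, if present, lives in one of
# these member paths regardless of the file extension the attacker chose.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OOXML_EXTENSIONS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")
REPLY_PREFIXES = ("re:", "aw:", "fw:", "fwd:")


def office_attachment_has_macros(data: bytes) -> bool:
    """Return True if the OOXML attachment carries a VBA project stream.

    Only zip-based Office formats are handled; OLE2 (.doc/.xls) is not a zip
    and returns False here rather than being analysed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(m in members for m in MACRO_MEMBERS)


def triage_message(raw: bytes, known_message_ids) -> dict:
    """Score one raw RFC 5322 message for Emotet-style lure indicators.

    known_message_ids: Message-IDs the organization has actually sent; a
    "reply" that references none of them is an orphan reply, which is what
    stolen-thread hijacking looks like from the receiving side.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    in_reply_to = str(msg.get("In-Reply-To", "")).strip()
    references = str(msg.get("References", "")).split()

    looks_like_reply = subject.lower().startswith(REPLY_PREFIXES) or bool(in_reply_to)
    referenced = set(references)
    if in_reply_to:
        referenced.add(in_reply_to)
    orphan_reply = looks_like_reply and not (referenced & set(known_message_ids))

    macro_attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(OOXML_EXTENSIONS):
            payload = part.get_payload(decode=True) or b""
            if office_attachment_has_macros(payload):
                macro_attachments.append(name)

    if orphan_reply and macro_attachments:
        verdict = "suspicious"      # both lure traits present: quarantine and investigate
    elif orphan_reply or macro_attachments:
        verdict = "review"          # one trait alone is common in legitimate mail
    else:
        verdict = "clean"
    return {
        "orphan_reply": orphan_reply,
        "macro_attachments": macro_attachments,
        "verdict": verdict,
    }


def build_sample_docm(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip for the example; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


def build_sample_email(subject: str, in_reply_to: str, attachment=None) -> bytes:
    """Constructed sample message; addresses and IDs are made up for the example."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "jane.doe@example.org"
    msg["Subject"] = subject
    msg["Message-ID"] = "<sample-1@example.com>"
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
        msg["References"] = in_reply_to
    msg.set_content("Hi Jane, please see the attached invoice we discussed.")
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Message-IDs our mail system actually sent (constructed for the example).
KNOWN_IDS = {"<orig-42@example.org>"}


def demo():
    hijacked = build_sample_email("RE: Invoice 4471", "<never-sent@example.org>",
                                  ("Invoice_4471.docm", build_sample_docm(True)))
    legit = build_sample_email("RE: Invoice 4471", "<orig-42@example.org>")
    return triage_message(hijacked, KNOWN_IDS), triage_message(legit, KNOWN_IDS)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The two signals are deliberately combined rather than used alone: a genuine reply whose parent message was deleted from the archive, or a legitimately macro-enabled spreadsheet, each trip one heuristic in ordinary traffic, but an orphan reply carrying a VBA project is exactly the combination the campaigns described above produce.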

Copyright © 2021 IDG Communications, Inc.
