Requiem for Emotet

With the recent takedown of the notorious botnet known as Emotet, we thought it would be a good time to pause to reflect on the long history of this malware strain and cybercrime operation. To do that, we asked for a perspective from Phil Hay, Research Manager at Trustwave SpiderLabs, who has spent decades tracking and thwarting the Emotet threat.

What is Emotet?

Emotet was probably the most successful and widespread botnet that the cybersecurity industry has ever seen. As the United States Department of Justice has reported, Emotet infected over 1.6 million computers and caused hundreds of millions of dollars in damage.

First detected in 2014, the attacks mainly targeted the banking sector. In 2016 and 2017, Trustwave and other researchers began to pick up widespread phishing campaigns that were attempting to deliver malware attachments and other malicious payloads. In 2019, Emotet was still active enough that Trustwave once again warned against it, and in 2020 it was still listed as one of the top threats in the Trustwave Global Security Report.

“Emotet began as a data-stealing Trojan, then morphed over time to become more modular, stealing information, or installing additional malware such as ransomware or other data stealers,” Phil Hay noted. “It stood out from an email security perspective because it used legit SMTP servers to distribute the malicious email, and it also used to eavesdrop on email traffic, capture email text, and quote text from previous messages in the new email to appear more legit and to fly under the radar.”

Emotet was primarily spread through spam email, using common attachment types like Microsoft Word, PDF or Excel files (sometimes the email carried only a link to the file instead of an attachment). In some of the more advanced attacks, malicious code or macros were hidden inside the attached files themselves.

Over time, the criminal ring behind the attacks built out its own network of infected machines and sold access to them as Malware-as-a-Service. Sometimes they would sell access to specific computers or servers, making the botnet the launching pad for numerous other criminal operations over the years, like Trickbot. Other times they would deliver payloads on behalf of other hackers for a fee, making them a sort of cybercrime-for-hire operation.

“Emotet was successful in getting their malware past email gateway scanning and established on systems,” Phil said. “It represented an evolution in spam malware distribution, away from big botnet template driven malspam, to something smaller, more ‘tailored’ to the recipient, and better able to fly under the radar.”

How Was Emotet Taken Down?

In January of 2021, the Emotet infrastructure was disrupted and seized by a coalition of international law enforcement agencies from the United States, Canada, the United Kingdom and others. The FBI was able to gain access to the distribution servers from the inside, effectively taking control of them. In Ukraine, two members of the criminal group were arrested, and the items seized included computer equipment, cash… and bars of gold!

So, is the menace of Emotet gone for good? Well, as with all cybercrime, it’s unfortunately never quite that simple.

“It’s always welcome news to hear of botnets being disrupted; any way we can weaken or dissuade the bad guys is good,” said Phil. “However, botnet disruption does not always mean the end of the story. Often, they will come back with another similar creation and start over. We have seen this many times in the past. So, I don’t think we have seen the end of Emotet-like malware.”

For organizations, protecting against threats like the next iteration of Emotet involves a comprehensive approach, including Secure Email Gateways, a proactive threat hunting program and managed threat detection and response. Most importantly, organizations should patch their IT products in a timely manner, as botnet and malware exploits are constantly evolving. A robust cybersecurity employee education program can also help employees become better at spotting and thwarting phishing attacks, like business email compromise (BEC).
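The delivery mechanism described above (Office attachments carrying macros) and the Secure Email Gateway control recommended here meet in attachment triage. The following is an added example, not Trustwave code and not a description of any product: it parses a raw email, extracts attachments, and quarantines Office Open XML files that embed a VBA project or whose `.docx`/`.xlsx` extension does not match a zip container. The sample message and the minimal OOXML-shaped zips are constructed inline for the demo; the `triage_message` and `ooxml_has_macros` names are this example's own.

```python
"""Gateway-style triage of Office attachments for embedded macros (added example)."""
import email
import email.policy
from email.message import EmailMessage
import io
import zipfile

# Office Open XML containers are zip files; a VBA project lives in
# word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin.
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}
ZIP_MAGIC = b"PK\x03\x04"


def ooxml_has_macros(data: bytes) -> bool:
    """True if the OOXML container holds a VBA project part; False for non-zip data."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False
    return any(n.endswith("vbaproject.bin") for n in names)


def triage_message(raw: bytes) -> list:
    """Return one {filename, verdict, reason} record per attachment in the raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:  # body text and multipart wrappers carry no filename
            continue
        data = part.get_payload(decode=True) or b""
        ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        verdict, reason = "allow", ""
        if ext in OOXML_EXTS:
            if not data.startswith(ZIP_MAGIC):
                # Extension claims an Office document but the bytes are not a zip:
                # either corrupt or a disguised payload; do not trust the name.
                verdict, reason = "quarantine", "extension claims OOXML but payload is not a zip container"
            elif ooxml_has_macros(data):
                # Macro-enabled documents from external senders are the classic
                # malspam lure; hold for analyst review rather than deliver.
                verdict, reason = "quarantine", "OOXML attachment embeds a VBA project"
        findings.append({"filename": fname, "verdict": verdict, "reason": reason})
    return findings


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, optionally with a fake VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder blob")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed sample message with a clean .docx, a macro .docm and a mislabeled .docx."""
    msg = EmailMessage()
    msg["From"] = "accounts@sender.example"
    msg["To"] = "user@recipient.example"
    msg["Subject"] = "RE: invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_ooxml(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="statement.docm")
    msg.add_attachment(b"not a zip at all", maintype="application",
                       subtype="octet-stream", filename="report.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_sample_message()):
        print(f"{f['filename']:15} {f['verdict']:10} {f['reason']}")
```

Running the script prints `allow` for `invoice.docx` and `quarantine` for the other two attachments. A real gateway would add the legacy OLE (`.doc`/`.xls`) formats, password-protected archives, and sender reputation; the point here is that the decision keys off the container's contents, not the filename the sender chose.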
