With the recent takedown of the notorious botnet known as Emotet, we thought it would be a good time to pause to reflect on the long history of this malware strain and cybercrime operation. To do that, we asked for a perspective from Phil Hay, Research Manager at Trustwave SpiderLabs, who has spent decades tracking and thwarting the Emotet threat.
What is Emotet?
Emotet was probably the most successful and widespread botnet that the cybersecurity industry has ever seen. As the United States Department of Justice has reported, Emotet infected over 1.6 million computers and caused hundreds of millions of dollars in damage.
First detected in 2014, the attacks mainly targeted the banking sector. In 2016 and 2017, Trustwave and other researchers began to pick up widespread phishing campaigns that were attempting to deliver malware attachments and other malicious payloads. In 2019, Emotet was still active enough that Trustwave once again warned against it, and in 2020 it was still listed as one of the top threats in the Trustwave Global Security Report.
“Emotet began as a data-stealing Trojan, then morphed over time to become more modular, stealing information, or installing additional malware such as ransomware or other data stealers,” Phil Hay noted. “It stood out from an email security perspective because it used legit SMTP servers to distribute the malicious email, and it also used to eavesdrop on email traffic, capture email text, and quote text from previous messages in the new email to appear more legit and to fly under the radar.”
Emotet was primarily spread through spam email, using common attachment types like Microsoft Word, PDF or Excel files (sometimes the files were just a link in the email). In some of the more advanced attacks, malicious code or macros were actually hidden inside the attached files themselves.
Over time, the criminal ring behind the attack built out their own network of infected servers and were selling access to those servers as a Malware-as-a-Service. Sometimes, they would sell access to specific computers or servers – making Botnet the launching pad for numerous other criminal operations over the years, like Trickbot. Other times, they would actually deliver payloads on behalf of other hackers for a fee, making them a sort of cybercrime-for-hire operation.
“Emotet was successful in getting their malware past email gateway scanning and established on systems,” Phil said. “It represented an evolution in spam malware distribution, away from big botnet template driven malspam, to something smaller, more ‘tailored’ to the recipient, and better able to fly under the radar.”
How Was Emotet Taken Down?
In January of 2021, the Emotet infrastructure was disrupted and seized by a coalition of international law enforcement agencies from the United States, Canada, the United Kingdom and others. The FBI was able to gain access to the distribution servers from the inside, effectively taking control of them. In the Ukraine, two members of the criminal group were arrested, and equipment that was seized included computer equipment, cash… and bars of gold!
So, is the menace of Emotet gone for good? Well, as with all cybercrime, it’s unfortunately never quite that simple.
“It’s always welcome news to hear of botnets being disrupted, any way we can weaken or dissuade the bad guys is good,” said Phil. “However, botnet disruption does not always mean the end of the story. Often, they will come back with another similar creation and start over. We have seen this many times in the past. So, I don’t think we have seen the end of Emotet-like malware.”
For organizations, protecting against exploits like the next iteration of Emotet involves a comprehensive approach, including Secure Email Gateways, a proactive threat hunting program and managed threat detection and response. Most importantly, organizations should patch their IT products in a timely manner, as botnet and malware exploits are constantly evolving. A robust cybersecurity employee education program can also help employees become better at spotting and thwarting phishing attacks, like business compromise emails.
The Underground Economy
What happens after cyber thieves successfully compromise businesses? If you think siphoning sensitive data instantly leads to money in their account, you're wrong. What proceeds is series of anonymous paths they can take to ultimately reap their reward. In this comprehensive guide, the Trustwave SpiderLabs team provides you with a view into the deep abyss of the dark web--where the criminally minded operate to hide their tracks from law enforcement.