
Emotet Has Been Taken Down – Should I Still Be Worried?

by Mic Johnson

As of January 27, 2021, the Emotet botnet, the attackers' all-purpose weapon, has been taken down, disrupting the alarming spread of this malware. The takedown was an internationally coordinated operation headed by Europol and Eurojust. Few malware families have spread as widely as Emotet, which has caused millions of dollars of damage to businesses around the world. It is not the only malware to operate this way, but it was probably the most effective at it.

Emotet is officially gone. Should I still be worried?

Though this malware is out of business, researchers warn that the cybercriminals who relied on the Emotet botnet have no shortage of alternatives for threatening businesses around the world.

All About Emotet

What is Emotet?

Emotet started life as a banking Trojan that tried to get onto a victim's computer and steal personal and financial information. It is distributed through a vast botnet, believed to be tiered, built on thousands of compromised web servers, often running a vulnerable CMS such as WordPress, which gives the operators infrastructure they can keep under control for long periods.

Emotet first appeared in 2014, and the group operating it has since been tracked under various names, including Mealybug, TA542, and MUMMY SPIDER. Emotet version 2 added several modules, including a malspam module, a money-transfer module, and a banking module that particularly targeted Austrian and German banks. The most recent versions turned Emotet into a malware and spam delivery service that distributes other banking Trojans.

Early versions arrived as malicious JavaScript files. Later versions used macro-enabled Office documents that fetched the payload from command-and-control servers run by the attackers.

Timeline of Emotet's history (image credit: Proofpoint).

How Does Emotet Work?

Using its network of compromised bots as the launching point, Emotet runs a cycle: craft a legitimate-looking spam email, infect the recipients' hosts, steal their contacts, and repeat. Once downloaded, it installs itself, propagates further, and wreaks destruction on the enterprise network.

The notorious malware, which evolved over the years, became a loader for other malware such as the TrickBot Trojan and Ryuk ransomware. As a result, victims can experience anything from data or credential theft and file encryption to the execution of backdoor commands that can cripple their network.

This malware uses a wide range of tricks to evade detection and analysis by anti-malware products and other security tools. Its worm-like capabilities also help it spread to other devices on the network.
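The delivery mechanism described in the two sections above (a spam email carrying a macro-enabled Office document that fetches the payload) is exactly what a mail gateway can screen for. The following Python is an added example written for this article, not code from the original page or from any vendor: it parses a raw email, and for each attachment checks whether it is an OOXML package that embeds a VBA project (Office stores macros in a part named vbaProject.bin regardless of the file extension), flags macro-enabled extensions, and flags legacy binary .doc/.xls files, whose macros live in an OLE container and need a dedicated parser such as olevba from the oletools project. The sample attachment and message are constructed in the block; the addresses are fictitious example.com/example.org names and the "document" contains no real VBA code.

```python
"""Flag Office attachments of the kind Emotet used as droppers.

Added illustration for this article, not the article's or any vendor's code.
Standard library only; all sample data is constructed below.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# OOXML extensions that Office treats as macro-enabled.
MACRO_OOXML_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".ppsm"}
# Legacy binary (OLE/CFB) formats: macros are not visible to zipfile,
# so these are only flagged for a dedicated parser (e.g. oletools' olevba).
LEGACY_OFFICE_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps"}


def ooxml_has_vba(data: bytes) -> bool:
    """True if `data` is an OOXML package (a zip) that embeds a VBA project.

    The check looks at the package contents, not the file extension, so a
    macro document renamed to .docx is still caught.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            return any(name.lower().endswith("vbaproject.bin")
                       for name in pkg.namelist())
    except zipfile.BadZipFile:
        return False


def scan_message(raw: bytes) -> list[str]:
    """Return one finding string per suspicious attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ooxml_has_vba(payload):
            findings.append(f"{name}: OOXML attachment embeds a VBA project")
        elif ext in MACRO_OOXML_EXT:
            findings.append(f"{name}: macro-enabled extension (no VBA part found)")
        elif ext in LEGACY_OFFICE_EXT:
            findings.append(f"{name}: legacy binary Office file, run olevba on it")
    return findings


def build_macro_docm() -> bytes:
    """Constructed stand-in for a macro-enabled Word file: a zip holding the
    parts the check cares about. The vbaProject.bin part is a placeholder,
    not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


def build_sample_email(filename: str, attachment: bytes) -> bytes:
    """Constructed reply-style lure with one attachment (fictitious addresses)."""
    msg = EmailMessage()
    msg["From"] = "Accounts <accounts@example.com>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Re: Invoice 4471"
    msg.set_content("Please see the attached invoice and confirm payment.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_email("invoice.docm", build_macro_docm())
    for finding in scan_message(sample):
        print(finding)
```

Run stand-alone, the script builds a constructed "invoice.docm" lure and prints one finding for it. The content check deliberately precedes the extension check: the point is that an attachment policy keyed on extension alone misses a macro package renamed to .docx, while a legacy .doc can carry macros that this zip-based check cannot see at all, which is why those are handed off to an OLE-aware tool.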

What Could It Do to Your Business?

Emotet targets businesses of every size, sector, and type. To date it has hit companies, government organizations, and individuals across Europe and the US, stealing financial data, banking logins, and Bitcoin wallets.

Access to Emotet could be bought on cybercrime-as-a-service marketplaces on a pay-per-install model. Once a system is compromised, the operators drop secondary malware such as ransomware. In 2019 Emotet reached its peak and was widely regarded as the most dangerous and prominent malware threat. After going quiet at the beginning of 2020, it reappeared in the middle of the year.

Law enforcement agencies and security vendors around the world issued urgent warnings about the malware in July 2020. Emotet lured victims through phishing emails; IBM X-Force documented one variant that used a Covid-19 theme as its phishing lure.

Image credit: Menlo Security.

Emotet infections have caused $2.5 billion in damages, according to Ukrainian law enforcement.

One noteworthy Emotet attack, on the city of Allentown, Pennsylvania, needed direct support from Microsoft's incident response team to clean up and cost around $1 million to remediate.

These are just samples; the undisclosed number of compromised organizations is estimated to be far higher.

The Emotet Takedown

The takedown saw law enforcement agencies seize control of more than 700 Emotet servers worldwide. Infected computers now connect to infrastructure run by law enforcement rather than by the attackers, so the compromised devices can no longer be used to spread the malware and Emotet itself cannot infect new targets. The action was the culmination of a two-year investigation coordinated by Europol, working with agencies from across Europe including France, Ukraine, Germany, the Netherlands, Lithuania, and the UK.

The authorities also arrested two members of the gang responsible for spreading Emotet worldwide.

Is Emotet Gone Forever? – What’s Next?

Taking down the infrastructure of this most dangerous malware was a significant achievement. The authorities describe it as a major disruption that should make it hard for Emotet to regain its normal functions, and WatchGuard Threat Lab reported an immediate drop in new campaigns after the infrastructure was disrupted. But while the agencies' novel approach makes a comeback harder, past disruptions of other malware have rarely had permanent effects, and with an estimated 97% of today's malware using polymorphic techniques, the code itself is easily re-spun into new variants.

The TrickBot disruption is an example: its operators proved highly resilient and recovered within a short time. If Emotet follows the same pattern, it may not be completely immobilized. In short, the botnet may return in a different form, since new variants of botnets sometimes reappear under a new gang's control.

How to Combat Emotet Malware?

While we celebrate the win against the Emotet botnet, experts recommend staying alert against botnets. Many organizations lack proper patch management and leave systems vulnerable to exploitation. Here are some tactics you can use to defend yourself against botnets:

  • Train your employees to identify phishing emails, and educate them not to click a suspicious link or open an unexpected attachment. Blocking suspect emails denies Emotet its initial foothold on your systems.

  • Back up your data regularly, so that an infection does not cost you sensitive information and you are not forced to pay a ransom. Sending a strong message that cybercrime does not pay is key to making the digital space safer.

  • Use strong passwords and implement two-factor authentication.

  • Protect your business from Emotet with a strong cybersecurity management program that includes multi-layered protection.

  • Proper patch management is crucial to keep ahead of exploitation of the latest threats. A comprehensive approach that includes virtual patching helps secure the network between patches and upgrades.

Closing Thoughts

Is the Emotet botnet really gone? Only time will tell how effective Europol's disruption of Emotet is. Hopefully it will have lasting effects, and we can enjoy a world without Emotet haunting the scene.

Besides, every business should be aware that cyberspace still hosts many other malware families, such as QakBot and TrickBot. It is therefore highly recommended to have proper preventive measures in place to stop Emotet's successors in their tracks.

At Indusface, the research team keeps up to date with the latest threats, updates our security tools with global threat intelligence, and improves our security services wherever required.
