While the takedown of the EMOTET botnet was successful, Corey Nachreiner, CTO at WatchGuard Technologies, says that malware has a habit of resurfacing and provides some advice on how to be prepared.
One of the most active and dangerous botnets was taken down by international authorities in an operation coordinated by Europol and Eurojust. Like many other malware variants, EMOTET accessed remote servers using email as an attack vector. The attacker’s botnet, comprising previously infected EMOTET victims, sent spam and phishing emails to victims, most with a Word attachment or a hyperlink. The document was often camouflaged as an invoice or related to COVID-19 and if opened, it enabled mechanisms that allowed the attackers to quietly install the EMOTET trojan/bot client onto the victim’s computer. The attackers then leveraged the trojan to install additional malware, like TrickBot and Qbot, allowing rapid spread to other computers and servers.
Like many other botnets, EMOTET allowed bot herders – those in control of a botnet – to install anything they like on victim machines or to use the resources of the devices in their growing botnet for malicious activities such as distributed denial of service (DDoS) attacks, spam and phishing, or to act as proxies for malicious traffic. In particular, once installed EMOTET acted as a malware loader that allowed its bot herders to auction it off to other cyber criminals, selling access to victimised devices to third-party bidders who, in turn, installed other malicious programs like ransomware. The way EMOTET was leveraged as an installation platform to widely distribute many types of criminal malware was what made it, according to Europol, one of the most resistant and dangerous threats of its time.
On 27 January 2021, the joint efforts of law enforcement agencies from Germany, the Netherlands, the US, the UK, Lithuania, France, Ukraine and Canada, disrupted the malware’s command and control (C2) infrastructure.
Once law enforcement took control of the C2 infrastructure, it sent commands to the botnet and on 25 March used the botnet’s own commands to distribute a module that uninstalled EMOTET. In essence, this removed the bot client from victim machines, removing them from the botnet and making it very hard for the attackers to regain control without reinfecting the machines from scratch.
The infrastructure of EMOTET included hundreds of servers located around the world, with various functionalities to manage the infected computers. The authorities likely had to leverage their local power as law enforcement to force ISPs, hosting companies and others to give them access to the malicious servers in their infrastructure.
Besides taking down the infrastructure, the Ukrainian Cyberpolice Department arrested two individuals believed to be involved in the botnet’s infrastructure maintenance and they could face 12 years in prison if found guilty. In addition, other affiliates of a cybercrime group using the infrastructure have been identified and measures are being taken to arrest them.
Should I still be worried?
Taking down EMOTET’s infrastructure was a major win. The authorities taking control of the botnet represents a significant disruption that should make it difficult for the current EMOTET variant to return to its normal operations. Data from the WatchGuard Threat Lab shows that the disruption of EMOTET’s infrastructure immediately resulted in a drop of new campaigns.
However, despite all the signs that EMOTET is having a hard time coming back, other botnets disrupted in the past have been able to recover, despite concerted efforts to eliminate them. In fact, today, 97% of malware uses some type of polymorphic techniques, according to analysts at WatchGuard. Some are well-known such as Cryptolocker or even Wannacry ransomware. But the most relevant fact is that they can have different degrees of complexity and encryption in their code and the most sophisticated ones, like EMOTET, can be difficult to detect by traditional endpoint security solutions. Furthermore, many of these malware variants share some source code that has previously leaked in malware undergrounds. Some of EMOTET’s own code came from previous botnet variants, including the very old Zbot source code that leaked long ago. In short, botnets often return in some form or fashion, and sometimes new variants of very familiar botnets return under a new threat actor’s control.
While we celebrate this win from global authorities, we recommend keeping vigilance up against botnets. To protect against a resurgence of the EMOTET botnet and other similar attacks, you should provide training to employees on identifying phishing emails and invest in technologies to protect against malicious domains and network-based malware. Most importantly, you need strong endpoint defences to deal with any threats that find their way to employees’ computers.
This ranges from keeping your operating systems (OSs) and software up to date to fix vulnerabilities using patch management, to minimise data exposure to threat actors by encrypting endpoint data and deploying many layers of malware identification and prevention to keep evasive malware off your system. The last line of defence is Zero-Trust technology, which avoids any malware execution, so only legitimate applications can run. This means that even if son of EMOTET or other variant appears in the future, it will simply be blocked.