On January 27, 2021, Europol announced that it had led a coordinated takedown of the Emotet infrastructure in collaboration with law enforcement authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine.
According to Europol, over the course of the operation it was able to map out and take control of servers around the world that Emotet was using as “command-and-control” (C2) nodes. Europol also said that it would use the seized servers to deactivate Emotet by pushing an update to all infected systems still connecting to the seized C2s. Analysis of the new Emotet updates, which were developed by Europol, shows code that will cause the Trojan to remove itself from infected systems on March 25, 2021, at 12:00 (local time).
“As part of the criminal investigation conducted by the Dutch National Police into EMOTET, a database containing e-mail addresses, usernames and passwords stolen by EMOTET was discovered. You can check if your e-mail address has been compromised. As part of the global remediation strategy, in order to initiate the notification of those affected and the cleaning up of the systems, information was distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs).”
The Ukrainian National Police agency also reported making some arrests in connection with this operation.
Emotet is a sophisticated banking Trojan that security researchers first identified in 2014. Originally, it was designed to steal banking credentials for use in taking over bank accounts and stealing funds from victims. Over the years, its functionality was updated to enable hackers to deploy supplementary malware and steal content from victims’ email systems.
In mid-2018, the Emotet group started to work closely with operators of the TrickBot banking Trojan and Ryuk/Conti ransomware groups. After initial infection, Emotet can stay undetected for weeks, sometimes months, before it eventually deploys the TrickBot Trojan, which can then lead to a subsequent ransomware attack. In the last few months, Emotet has also been seen deploying IcedID and Qbot Trojans, which can also lead to ransomware attacks by the MegaCortex, Prolock, and/or Maze/Egregor variants.
Emotet Risk Assessment
On October 12, 2020, Microsoft announced a similar takedown of the TrickBot infrastructure. In that case, the botnet’s owners were able to rebuild their infrastructure and restart operations in about four weeks. This quick recovery was possible in part because the TrickBot banking Trojan has a “fallback” communications module, which uses a blockchain-based distributed domain name service (DNS) technology called Emercoin DNS (EmerDNS) that law enforcement cannot take over. After the TrickBot operators deployed a new set of C2 servers, they were able to use the fallback channel to update configurations on infected systems.
Unlike TrickBot, Emotet does not have a similar fallback capability, so its operators cannot regain access to infected systems to update configurations. Therefore, it will likely take the Emotet group longer to recover and resume operations. Based on the Arete Cyber Threat Intelligence (CTI) team’s assessment, the takedown of the Emotet C2 infrastructure will disrupt this botnet’s operations for at least five to six weeks.