Take Down: Emotet Botnet

By Anthony Eich on February 18, 2021

By: Anthony Eich

Executive Summary

Emotet is the name of a major botnet that was recently disrupted after over six years of malicious activity spreading some of the most prolific malware known and causing massive amounts of financial damages in many countries around the world. A botnet is a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge [1]. These computers are also known as “zombies” because of the way they perform these actions [2]. At last, in February of 2021, Europol—the European Union Agency for Law Enforcement Cooperation—announced that it had taken over the infrastructure of the Emotet botnet through a coordinated effort between Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine. The systems that were owned by Emotet are now being redirected from the C2 (command and control) servers of the criminal organizations to those being controlled by global law enforcement agencies [3].

Background

Emotet built its army of zombie computer systems through massive global dissemination since 2014 and is thought to be the largest botnet ever put together. Some estimates put the financial damages invoked by the botnet at nearly $2.5 billion and infecting more than 1.6 million machines world-wide [4]. The malicious software infected systems when users would open an email with a file attached, or through a link that downloaded additional malware onto the computer. The virus then hid itself very well so that many anti-malware software applications were not able to detect it. Emotet was first created as a banking Trojan, a malware that was used to gain access to bank accounts and steal money. Because of the way that it accomplished this by giving control surreptitiously of infected systems to the owners of the botnet, and because it was easy to spread, the owners of the C2 (command and control) servers then rented out the botnet to criminal organizations to accomplish sophisticated attacks on a very large scale. The difficulty in tracking and taking down the botnet was in that the servers were well hidden and decentralized so that no one location could be pinpointed, and because legally the botnet “lived” across many borders at once, getting governments to cooperate was difficult. That is one of the reasons that it became such a prolific and persistent threat.

Impact

Over the years that Emotet has been an active botnet, it has been employed not only in many various attacks on huge systems, but it has also aided in the creation of other threats as well as giving new life to threats that had thought to have been relatively neutralized. One of the most notorious cooperative actions of Emotet was to aid in the proliferation of another botnet, Trickbot. Trickbot was used in many of the data breaches that have been well publicized over the last few years. It was thought to have been permanently disrupted by law enforcement last year, only to begin to show up again shortly after the takedown of its C2 servers. Emotet may have had a hand in the resurrection of Trickbot. Between the two botnets, many other malwares have been spread such as:

  • WannaCry: A prolific ransomware
  • Qakbot: A suite of banking trojans
  • UmbreCrypt: Another very dangerous ransomware

As Emotet grew, it began to outsource its capabilities in a malware-as-a-service (MaaS) scheme [5]. Soon attacks were becoming more often and on a larger scale, sometimes taking down entire city governments and large organizations.

Significance

Since authorities took over the Emotet infrastructure and redirected the botnet’s traffic to law enforcement, there has been no sign of its usage as of the writing of this article. Some authorities say that this spells the end for Emotet, whereas other point to the reemergence of botnets such as Trickbot as a warning that the malware could resurface. Cybersecurity professionals continue to agree that the best way to protect against dangers such as Emotet is to continually train and educate users to be aware of their activities when using their networks. There will always be new threats as well as the reimagining of old threats, and it takes vigilance and discipline of end-users to prevent catastrophe. Through continual training and awareness programs, these threats can always be mitigated, but never eliminated.

Sources

Accessed February 9, 2021. https://nakedsecurity.sophos.com/2021/02/01/emotet-takedown-europol-attacks-worlds-most-dangerous-malware/.

Greenberg, Andy. 2021. Cops Disrupt Emotet, the Internet’s ‘Most Dangerous Malware’. January 27. Accessed February 9, 2021. https://www.wired.com/story/emotet-botnet-takedown/.

Petcu, Alina Georgiana. 2021. Emotet Malware Over the Years: The History of an Active Cyber-Threat [Updated]. January 27. Accessed February 9, 2021. https://heimdalsecurity.com/blog/emotet-malware-history/.

Release, Press. 2021. WORLD’S MOST DANGEROUS MALWARE EMOTET DISRUPTED THROUGH GLOBAL ACTION. January 27. Accessed February 9, 2021. https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action.

n.d. What is a Botnet? Accessed 2 9, 2021. https://www.paloaltonetworks.com/cyberpedia/what-is-botnet.