Emotet Botnet Infrastructure Disrupted in International Takedown

Law enforcement entities and judicial authorities located around the world succeeded in disrupting the Emotet botnet’s infrastructure through a coordinated takedown effort.

How the Takedown Unfolded

On January 27, Europol announced that investigators had targeted Emotet’s infrastructure. This distributed network of hundreds of servers located around the world enabled Emotet’s handlers to manage their victims’ affected machines, spread to new ones and prevent the international security community from staging a takedown attempt. 

But the law enforcement entities and judicial authorities that participated in the takedown effort succeeded regardless. As Europol explained in its announcement:

"To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime."

As a result of the takedown, the international law enforcement coalition took control of Emotet’s attack infrastructure.

A Look Back at Emotet’s Threat Activity

The security community first discovered Emotet back in 2014. In the years that followed, those responsible for maintaining the malware kept busy. Sam Curry, chief security officer for Cybereason, counted the ways for us:

“Since its discovery several years ago, Emotet has been used in cyber espionage campaigns and other attack operations to steal data, intellectual property and untold proprietary information from consumers and businesses. Such activities have cost victims hundreds of millions of dollars. As the malware morphed, cyber criminals began using Emotet to carry out brazen, targeted ransomware attacks against some public and private sector organizations on every continent,” Curry said.

“Clearly, Emotet hasn't been a run-of-the-mill or garden-variety malware. It became one of the biggest players on the global, cybercrime stage. Because of its popularity, Emotet helped to benefit other cybercriminals.”

Emotet established a special bond with Trickbot and Ryuk in particular. Back in April 2019, for instance, Cybereason detected an attack campaign that started with a weaponized Microsoft Office document attached to a phishing email. The file contained malicious macros that ran a PowerShell command and attempted to download an Emotet payload.

Here, Emotet diverged from its normal information-stealing capabilities by serving as a dropper for Trickbot. This modular malware traditionally attempted to steal banking credentials from its victims.

In this case, however, the threat leveraged systemInfo.dll to harvest information off of the infected computer. This data provided the attackers with a better understanding of the compromised machine’s properties including whether the system was part of one of their targeted industries. The attackers then used an additional payload to perform lateral movement and use the Windows administrative shared to infect the network with Ryuk ransomware.

What This Means Going Forward

Curry said that the Emotet’s takedown underscores the importance of the security community continuing to fight against sophisticated cyber actors:

“Kudos for the efforts of many law enforcement agencies around the world and other public and private sector organizations for working together to take down Emotet's infrastructure. This work must continue, as taking the fight directly to cyber criminals is the only way for defenders to protect themselves,” Curry lauded.

“The battle being waged by defenders daily to root out Emotet and other forms of malware is essential if we are to continue making cybercrime unprofitable.”

Organizations can help by strengthening their defenses against sophisticated threats like Emotet. They can do this investing in a security awareness training program for the purpose of familiarizing their employees with some of the newest digital threats. They can also use email filters to defend their organizations against malicious email attacks.

Still, that method of defense only goes so far with polymorphic malware like Emotet that’s constantly changing its code. Defenders can’t rely on Indicators of Compromise (IOCs) like file hashes and malware signatures to keep their organizations safe. They need to get more creative.

“From a defender’s standpoint, we'll never turn the tables on attackers and rapidly uncover malicious operations by chasing uncorrelated alerts. We need to arm security analysts with tools to make the connection between disparate Indicators of Compromise—and more importantly, the more subtle Indicators of Behavior (IOBs) associated with an attack—so that they can quickly detect and respond to malicious operations with surgical precision,” Curry explained.

“That’s the only way to reverse the adversary advantage. Organizations need the right tools for detecting earlier and remediating faster; thinking, adapting, and acting more swiftly than attackers before they can adjust their tactics; and having the confidence as defenders that they can reliably intercept and eliminate emerging threats before an attack escalates to the level of a breach.

"Cybereason uses an operation-centric approach to security in order to track chains of malicious behaviors across the enterprise in order to detect attacks early, before they escalate to the level of a breach event. Click here to learn more.

David Bisson
About the Author

David Bisson

David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.

All Posts by David Bisson