This is HUGE: Cops Nuke Emotet Crimeware C2

Police from eight countries have shut down all three of the Emotet malware’s “epoch” C2 server clusters. In a coordinated action, they’ve cut off the hydra heads of this scheme that’s stolen billions from people worldwide.

That’s around 700 servers—incredible. And now, Operation Ladybird is delivering cleanup code to the countless infected PCs that connect to the servers.

Don’t “bug” me. I know: They talk funny Over There. In today’s SB Blogwatch, we buzz off.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Stop Gamestop.

Hey. Where’d Heodo Go?

What’s the craic? Zuzanna Szymanska, Pavel Polityuk and Jack Stubbs report—“Police dismantle world’s ‘most dangerous’ criminal hacking network”:

 Police in six European countries, as well as Canada and the United States, completed a joint operation to take control of Internet servers used to run and control a malware network known as “Emotet,” authorities said. … Emotet is used by cyber criminals to first gain access to a victim’s computer before then downloading additional malicious software, such as Trojans designed to steal banking passwords or ransomware that can lock a computer until an extortion fee is paid.

Ukraine’s General Prosecutor said police had carried out raids in the eastern city of Kharkiv to seize computers used by the hackers. Authorities released photos showing piles of bank cards, cash and a room festooned with tangled computer equipment, but did not say if any arrests were made.

Less mainstream, more media. Brian Krebs obliges—“International Action Targets Emotet Crimeware”:

 The action could help quarantine more than a million Microsoft Windows systems currently compromised with malware tied to Emotet infections. … First surfacing in 2014, Emotet began as a banking Trojan, but over the years it has evolved into one of the more aggressive platforms for spreading malware that lays the groundwork for ransomware attacks.

Operation Ladybird … involved authorities in the Netherlands, Germany, United States, the United Kingdom, France, Lithuania, Canada and Ukraine. … Emotet is a pay-per-install botnet that is used by several distinct cybercrime groups to deploy secondary malware — most notably the ransomware strain Ryuk and Trickbot, a powerful banking Trojan.

Sources close to the investigation [said the] action included the arrest of several suspects in Europe. … The core group of criminals behind Emotet are widely considered to be operating out of Russia. … It is too soon to say how effective this operation has been in fully wresting control over Emotet, but a takedown of this size is a significant action.

Emotet relies on several hierarchical tiers of control servers that communicate with infected systems. Those controllers coordinate the dissemination of second-stage malware and the theft of passwords and other data, and their distributed nature is designed to make [them] more difficult to dismantle. … Prosecutors seized 17 servers in Germany that acted as Emotet controllers. … Two of the three primary servers were located in the Netherlands.

Okay, now what? Catalin Cimpanu moves the story on—“Authorities plan to mass-uninstall Emotet from infected hosts”:

 Law enforcement officials in the Netherlands are in the process of delivering an Emotet update that will remove the malware from all infected computers. … Dutch police officials said … they used their access to these two [C2] servers to deploy a boobytrapped Emotet update to all infected hosts. [It] contains a time-bomb-like code that will uninstall the Emotet malware on [April] 25, [noon] local time.

Late April? That’s, like, three months away. Why so long? Chris Stokel-Walker explains why—“Europol distributes anti-malware code”:

 The feds seem to have been inside Emotet for longer than first thought. … All three Emotet epochs now deliver a payload that acts essentially as a self-destruct button.

The reason why the kill date has been set for three months’ time, rather than immediately, is an interesting conundrum. … While hitting the self-destruct button immediately would be the easiest option, it may leave many people unaware that their systems had been compromised. By giving people three months – and telling them specifically to hunt for the vestiges of the botnet on their networks – Europol appears to be trying to make sure that … people check whether they can see traces of it on their systems.

Why is this a big deal? Gareth Corfield asks and answers—“Europol-led op knocks offline 700 servers used to infect ‘millions of computers’”:

 Emotet is a frustratingly persistent email-delivered malware dropper. … Targets are bombarded with emails containing Word documents as attachments. Once the mark is fooled into opening the attachment (typical lure themes include information about topical news such as COVID-19 statistics, supplier invoices and bank letters) and running macros embedded within it, the malware is deployed.

Emotet was behind an awful lot of online badness – and if … 700 of its command-and-control servers have been taken down, that should make a big dent in malware and ransomware infections. … The Abuse.ch online malware tracker showed very few known Emotet … nodes remaining online in the wake of the raids. … Criminal charges and prosecutions will doubtless follow.
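The quote above describes the delivery chain: a Word attachment that only does harm once the recipient enables its embedded macros. The check a mail-gateway or incident responder most wants at that stage is "does this attachment carry a VBA project at all, regardless of what its extension claims?". Below is an added example of that check, not code from the original post or from any of the quoted sources. It builds two constructed in-memory OOXML packages (one with a VBA part, one without) rather than using any real lure; the function and file names are hypothetical.

```python
import io
import zipfile

# Constructed [Content_Types].xml parts for the two sample documents.
CONTENT_TYPES_PLAIN = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
CONTENT_TYPES_MACRO = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    '<Override PartName="/word/vbaProject.bin" '
    'ContentType="application/vnd.ms-office.vbaProject"/>'
    '</Types>'
)


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package (not a real lure) used only for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES_MACRO if with_macros else CONTENT_TYPES_PLAIN)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Real VBA projects are OLE compound files; the OLE magic plus filler stands in here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


def has_vba_macros(data: bytes) -> bool:
    """True if a zip-based Office document (docx/docm/xlsm/pptm) carries a VBA project.

    The file extension is ignored on purpose: a macro-bearing package renamed to .docx
    still contains its vbaProject part, so the container is inspected directly.
    Legacy binary .doc files are OLE, not zip, and need a separate parser."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
            if any(n.endswith("vbaproject.bin") for n in names):
                return True
            # Second signal: the declared content types mention a macro-enabled part.
            if "[content_types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace").lower()
                return "macroenabled" in ct or "vbaproject" in ct
    except (zipfile.BadZipFile, KeyError):
        return False
    return False


def triage_attachments(attachments: dict) -> list:
    """Return the names of attachments that embed VBA, sorted, for quarantine or analyst review."""
    return sorted(name for name, blob in attachments.items() if has_vba_macros(blob))


if __name__ == "__main__":
    mailbox = {  # constructed sample attachments, hypothetical names
        "invoice_2021.docm": build_sample(True),
        "renamed_lure.docx": build_sample(True),
        "newsletter.docx": build_sample(False),
        "notes.txt": b"plain text, not an Office package",
    }
    print(triage_attachments(mailbox))
```

A flagged attachment is a candidate for sandboxing or user notification, not proof of malice: plenty of legitimate spreadsheets ship with macros, so the useful policy is to strip or quarantine macro-bearing files from external senders and let an analyst release the exceptions.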

But punished how? Here’s fazig:

 We might want to bring back public executions where cyber criminals of that kind of caliber get publicly hung, drawn and quartered. Maybe let it be preceded by some public humiliation where they get put on a pillory so people can send mean tweets and throw their iPhones at the criminals.

And Throatwarbler Mangrove agrees:

 It’s time for summary executions, or at least extraordinary rendition. “You think you’re so clever, Mr. Hacker? Meet your new best friend, Mr. Bone Saw.”

What we want to know is—has it worked? The “random Swiss guy” behind Abuse.ch confirms success:

 I’ve just checked the most recent data … and I can confirm that all active Emotet botnet C&Cs that were under control of threat actors have been taken offline.

So far, this seems to be one of the most successful takedowns I’ve seen so far. Kudos, you rock!

Meanwhile, Kevin Beaumont—@GossiTheDog—checks his card:

 I have to admit I did not have law enforcement doing a supply chain attack on Emotet updates in my 2021 bingo.

And Finally:

As Redditors troll “professional” investors, Chris “placeboing” Lohr makes hay.

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Jonnelle Yankovich (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
