Search This Blog

Showing posts with label Emotet. Show all posts

Operation LadyBird: International Law Enforcement Agencies Crackdown Emotet

 

European and US law agencies earlier this week directed a brilliant crackdown on Emotet. Emotet is a botnet of corrupted computers, which has attacked millions of victims to date. The international police operation "LadyBird" consisted of a team of officials from nine governments. The Dutch police, however, was more resolute and used its cyber agencies to get access to the Emotet infrastructure. Next, it installed a software update on the servers which disrupted the communication between botnet and hacked computers, putting a stop to its further spread.  

FBI can learn a thing or two from this operation, realizing that sometimes foreign allies can be a help too. Here, the Dutch police were a step ahead of the bureau in making an arrest and even using offensive cyber capabilities to get the mission done. The Bureau had first discovered Emotet in 2017, by that time, it had already dealt damage of $1.4 Million to North Carolina school computers. As per the Department of Homeland Security (DHS), it cost the agency around $1 Million to settle the dust after each Emotet incident happened, however, not clear how the agency calculated this data. 

An FBI agent, however, suggested the estimated total cost to be around hundreds of millions of dollars, that the U.S victims might have suffered from the digital cyberattack. But, American agents failed to reach Emotet's infrastructural roots on their own. A senior FBI cyber-official in a press conference said that this is why it becomes so important for law enforcement agencies to work together. Hinting to the Dutch crackdown on Emotet, the official said "working within the legal frameworks of each individual partner to make sure that we have the greatest impact that we can within the law."  As of now, it's not confirmed if the Emotet's criminal group will be back in the action again. 

Experts say that Botnet generally survives until its operatives are finally captured. Dutch news website Politie reports, "A computer infection with Emotet malware often comes about through a phishing attack by email. In doing so, the victim is tempted to click on a malicious link, for example in a PDF file, or to open a Word file containing macros. The cybercriminals behind Emotet used different types of 'bait' to trick unsuspecting users into opening malicious attachments. For example, last year they pretended that e-mail attachments contained information about COVID-19."

Emotet - 'Most Dangerous Malware in the World' Disrupted by the Law Enforcement Agencies

 

The European Union Agency for Law Enforcement announced that a global collaboration of law enforcement agencies had disrupted Emotet, what it called the ‘most dangerous malware in the world’.

‘Operation ladybird’ was conducted via a collaboration of private security experts with global law enforcement agencies to disrupt Emotet and take charge of Emotet’s command-and-control infrastructure. While conducting the raid Ukrainian police arrested at least two Ukrainian citizens working for the cybercriminal group.

Ukrainian law enforcement published a video showing officers seizing cash, computer equipment, and rows of gold bars. Neither Europol nor the Ukrainian police has shared the details regarding threat actors or their asserted role in the Emotet group. Ukrainian authorities released a statement explaining that “other members of an international hacker group who used the infrastructure of the Emotet bot network to conduct cyberattacks have also been identified. Measures are being taken to detain them”.

Europol stated that “the Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale”. A malware globally known as Emotet has jeopardized the free-flowing working of the Internet and has grown into one of the biggest botnets across the globe and ruining organizations with data theft and ransomware.

In 2014, Emotet was initially known as a banking trojan, the malware gradually evolved into a powerful weapon used by threat actors across the globe to secure unauthorized access to computer systems. Emotet’s designers known as APT group TA542 shared the malware with other threat actors who used malware to install banking trojans or ransomware, onto a victim’s computer system.

Interpol stated that “the infrastructure that was used by Emotet involved several hundreds of servers located across the world, all of these having different functionalities to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts”.

Emotet Returns: Here's a Quick Look into new 'Windows Update' attachment

 

Emotet Malware was first discovered by security researchers in the year 2014, but, the threats by Emotet have constantly evolved over the years. At present, the malware is highly active as its developers continue to evolve their strategies, devising more sophisticated tricks and advancements. Recently, it has been noticed to be delivering several malware payloads and is also one of the most active and largest sources of malspam as of now. 
 
The operators behind Emotet are sending spam emails to unsuspected victims to trick them into downloading the malware; botnet has started to employ a new malicious attachment that falsely claims to be a message from Windows Update asking victims to upgrade Microsoft Word. It begins by sending spam email to the victim containing either a download link or a Word document, now when the victim happens to ‘Enable Content’ to let macros run on their system, the Emotet Trojan gets installed. In their previous malspam campaigns, used by the criminals were said to be from Office 365 and Windows 10 Mobile. 
 

How does the malware works? 

 
Once installed, the malware tries to sneak into the victim’s system and acquire personal information and sensitive data. Emotet uses worm-like capabilities that help it spreading itself to other connected PCs. With add-ons to avoid detection by anti-malware software, Emotet has become one of the most expensive and dangerous malware, targeting both governments as well as private sectors. 

The malware keeps updating the way it delivers these malicious attachments as well as their appearances, ensuring prevention against security tools. The subject lines used in a particular malspam campaign are replaced by new ones, the text in the body gets changed and lastly the ‘file attachment type’ and the content of it are timely revised. 
 
Emotet malware has continuously evolved to the levels of technically sophisticated malware that has a major role in the expansion of the cybercrime ecosystem. After a short break, the malware made a comeback with full swing on October 14th and has started a new malspam routine. 
 
Originally discovered as a simple banking Trojan, Emotet’s roots date back to 2014 when it attempted to steal banking credentials from comrpmised machines. As per recent reports, Emotet also delivers third-party payloads such as IcedID, Qbot, The Trick, and Gootkit.

Emotet Malware Returned with Massive Malspam Campaign


The Emotet authors are popular for capitalizing on trending events and holidays by disseminating customized templates in form of Christmas and Halloween gathering invites, similarly, the malicious gang has started a new campaign taking advantage of the ongoing global pandemic. They are once again spamming corona virus-related emails to U.S businesses.

Earlier this year, in the month of February, the Emotet malware was being spread actively in pandemic ridden countries via COVID-19 themed spam. However, regarding the US businesses, the malware never had the timely chance to attack by exploiting the pandemic, as the virus encapsulated the USA in the month of March. After disappearing in February, Emotet was seen to be back stronger than ever on July 17th, 2020.

Originally designed as a banking malware, Emotet Malware was first discovered by security researchers in the year 2014, but, the threats by Emotet have constantly evolved over the years. It attempts to sneak onto the victim’s system and acquire personal information and sensitive data. Emotet uses worm-like capabilities that help it spreading itself to other connected PCs. With added functionalities to avoid detection by anti-malware software, Emotet has become one of the most expensive and dangerous malware, targeting both governments as well as private sectors. As per recent sources, Emotet also delivers third-party payloads such as IcedID, Qbot, The Trick, and Gootkit.

Emotet has been pushing malspam continually employing the same strategies the authors did in their previous array of attacks. The spam mail consists of an attachment or a link, that on being clicked, launches the Emotet payload. In this particular COVID-19 themed Emotet spam targeting U.S organizations, the malware has been sending an email that appears to be from the ‘California Fire Mechanics’ reaching out with a ‘May Covid-19 update.’ One important thing to note here is that this email is not a template designed by the Emotet authors, but instead, an email stolen from a prior victim and appropriated into the Emotet’s spam campaigns. The malicious attachment linked in this case is titled ‘EG-8777 Medical report COVID-19. Doc’. It makes use of a generic document template that had been used in older campaigns. Once downloaded on the user’s click, the Emotet gets saved to the %UserProfile% folder under a three-digit number (name), such as 745.exe. Upon execution of the same, the user’s computer will become a part of the operation, sending out further infected emails.

While alerting on 17th July, researchers at Microsoft told,“We have so far seen several hundreds of unique attachments and links in tens of thousands of emails in this campaign,”

“The download URLs typically point to compromised websites, characteristic of Emotet operations.” They further wrote.

Emotet expert Joseph Roosen told to BleepingComputer, "So far we have only seen it as part of stolen reply chain emails. We have not seen it as a generic template yet but I am sure it is just around the corner hehe. There was one reply chain I saw yesterday that was sent to 100s of addresses that were referring to the closing of an organization because of COVID-19. I would not be surprised if Ivan is filtering some of those reply chains to focus on ones that are involving COVID-19,"

Botnet Activity Goes Down; Revived Emotet Suffers Hindrances in Operations by A Vigilante Hacker


An anonymous vigilante hacker has been actively involved in obstructing 2019's most widespread cybercrime operation, Emotet that made a comeback recently. He has been sabotaging the malicious affairs and protecting users from getting affected by removing Emotet payloads and inserting animated GIFs at their places. Acting as an intruder, he replaced Emotet payloads with animated GIFs on certain hacked WordPress sites, meaning when victims would open the infected Office files, the malware would not be downloaded and executed on their computers, saving them from the infection.

Emotet is a banking Trojan that was first spotted in the year 2014 by security researchers, it was primarily designed to sneak onto the victim's computer and mine sensitive data. Later, the banking malware was updated; newer versions came up with spamming and malware delivery functionality. Emotet is equipped with capabilities to escape anti-malware detection, it uses worm-like abilities that help it proliferate through connected systems. Mainly, the infection is spread via malspam, however, it may also be sent through malicious scripts, links, or macro-enabled documents.

Started off casually a few days ago, on the 21st of July, the act of sabotaging the operations has become a major concern for the Emotet authors, affecting a significant fragment of the malware botnet’s revived campaign. Essentially, the sabotage has been possible owing to the fact that Emotet authors are not employing the best web shells in the market, it was noted earlier in 2019 also that the criminals involved in Emotet operations were using open-source scripts and identical password for all the web shells, risking the security of its infrastructure and making it vulnerable to hijacks just by a simple guess of password.

While giving insights on the matter, Kevin Beaumont said in 2019, “The Emotet payload distribution method is super insecure, they deploy an open-source webshell off Github into the WordPress sites they hack, all with the same password, so anybody can change the payloads infected PCs are receiving.

Emotet trojan is back with a bang

Emotet gang takes their operation to a whole new level, showing why they're today's most dangerous malware. It would seem it now has taken on new tactics in the form of hijacking users old email chains and then responding from a spoofed address to portray legitimacy, this additional tactic can heighten a hackers chances when stealing financial information once a victim has been lured into clicking on said malicious content. Targeted emails appears to affect both private and public sectors, including government, particularly those that provide financial and banking services.

Emotet is a known banking Trojan, discovered five years ago, first in Europe and the USA. It started out stealing information from individuals, like credit card details. It has been lurking around since 2014 and has evolved tremendously over the years, becoming major threat that infiltrates corporate networks and spreads other strains of malware.

It injects itself into a user’s device via malspam links or attachments, with the intent to steal financial data. It targets banking emails and can sometimes deploy further attacks once inside a device.

The Emotet malware gang is now using a tactic that has been previously seen used by nation-state hackers.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it’s very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to remediate.”

This campaign targeted mainly Chile and used living off the land techniques (LotL) to bypass Virus Total detections. This up and coming tactic uses already installed tools on a users’ device to remain undetected for as long as possible.