Used in extensive attacks on companies globally for some time, the Emotet botnet has finally been taken down as part of a coordinated effort involving Europol, the FBI, the UK National Crime Agency, and other law enforcement bodies.

The cybercriminals managing Emotet used their malware to set up a backdoor to many different company databases and then sold access to other hacking groups that aimed to carry out additional malicious attacks that involved stealing sensitive data and extortion through the deployment of ransomware.

The operation has been in development for around two years and was set up to allow the multi-country infrastructure to simultaneously disrupt any attempts by the threat group to set up the network in future. Law enforcement bodies have taken management of of hundreds of servers and have taken control of the complete Emotet infrastructure, in what will be viewed by many to be the most important malware takedowns to date. The takedown has stopped the Emotet gang from using the malware and has lead to the loss of control of the army of compromised devices that comprise the botnet.

Europol and its partners were able to map the entire infrastructure, took management of the network, and shut down the Emotet Trojan. A software update was installed on the main servers used to manage the malware, two of which were located in the Netherlands. Infected computer systems will download the update, which result in the Emotet Trojan being quarantined.

Emotet is possibly the most dangerous malware of recent years and the botnet used to share it is one of the best available. Approximately 30% of all malware attacks in 2020 involved the Emotet Trojan.

Phishing emails were used to share the Emotet Trojan. Large phishing campaigns were shared using a wide variety of lures to trick recipients into opening malicious attachments or visiting websites that installed the Emotet Trojan. The lures deployed in the campaigns frequently changed, taking advantage of world events to enhance the probability of the attachments being clicked on.

Emotet began life as a banking Trojan but later evolved into a malware dropper. Emotet shared other banking Trojans such as TrickBot as the secondary malware payload, and ransomware strains such as Ryuk – each of which were also malicious.

Devices infected with Emotet are included in the botnet and used to share copies of the Emotet Trojan to other devices on the network and the user’s contacts by taking over the user’s email account. Infecting just one device on a company network that was infected with Emotet could quickly lead to more infections. The Trojan was also very complicated to remove, as removal of the infection would only be temporary, with other devices on the network simply re-infecting the cleaned device once it was removed.

Prior to the 2020 Presidential election in the United States, Microsoft and its partners were able to take over management of some of the infrastructure used to control and share the TrickBot Trojan. In that instance the operation was only temporarily successful, as the TrickBot gang was able to rapidly recover and bring its infrastructure back online.