Malware Wars: The Never-Ending Battle
By BUFFERZONE Team, 1/06/2021
2021 opened with a significant win for international law enforcement against organized cybercrime.
A significant battle has been won – but the security establishment is still working hard at fighting the war.
In an impressively coordinated action by international law enforcement, investigators took control of the malicious Emotet botnet, one of the most significant organized cybercrime networks of the last decade.
Emotet began its life, back in 2014, as a ‘regular’ banking trojan – basically a software package that stole users’ banking credentials by intercepting outbound network communications to online banking sites, so the attackers could ultimately use the credentials to steal money from those accounts. Emotet entered users’ systems via spam phishing email messages purporting to be about bank transfers, invoices, or other financial transactions. It also spread itself further to victims’ contacts via the users’ legitimate Outlook email accounts.
However, just as legitimate software developers continuously work to improve their conventional products, the cybercriminals behind Emotet continued to improve Emotet and expand its capabilities. Added capabilities included automation of money transfers from victims’ accounts; improvements to distribution and delivery mechanisms and to social engineering campaigns; and stealth mechanisms for evading detection by security systems. A more extensive BUFFERZONE article about this is available.
However, what was perhaps Emotet’s most significant development began around 2017, when it was reconfigured to work as an all-purpose loader. This means that once Emotet gains access to a computer, it can then be used to load a secondary payload. These payloads can be any kind of malware – for example, ransomware.
Emotet operators used this functionality to sell third-party cybercriminals access to whole networks – botnets – comprising hundreds of infected servers. By September 2019, Emotet ran on three separate botnets. Emotet became a major resource for malware distributors. According to Europol, it became the ‘world’s most dangerous malware… the go-to solution for cybercriminals’.
Law enforcement organizations all over the world have teams dedicated to investigating, preventing and punishing cyber crime. And due to the international nature of cyber crime, the organizations team up and collaborate on investigations and operations. Emotet, of course, was no exception.
Finally, in January 2021, the law enforcement agencies of eight countries (including the United States FBI, the UK National Crime Agency, and four additional European countries) cooperated in an operation coordinated by European Union law enforcement (Europol and Eurojust) to perform a takedown on Emotet botnet nodes. The authorities gained control of the networks’ infrastructure and redirected its operations.
So has this threat been eliminated? Not exactly. The achievement is noteworthy, but to regard it as significant in the wider context of the war on malware is to misunderstand the market and economics of cybercrime. The as-a-service model enables cyber criminals to simply shift their operations from one platform to another.
Cyber crime is a Hydra monster: cut off one head, another grows in its place. Very shortly after the Emotet takedown, Check Point Research reported a significant rise in the occurrence of Trickbot, which the research group interpreted as reflecting a move by cyber criminals to the Trickbot platform to replace Emotet.
Trickbot has a similar history to Emotet. It, too, started as a banking trojan, and developed into a botnet and versatile modular malware platform as a service. It, too, was the target of a takedown attempt – in October 2020, by Microsoft and other telecommunications providers. That attempt was less successful, and to date Trickbot is still being widely used for a variety of malware campaigns.
Paradigm Shift: Proactive Defense by Containment and Isolation
So, do we give up? Not at all. What is needed is a paradigm shift in our thinking about the security of our endpoints and networks. We should continue battling malware, but at the same time proactively prepare for inevitable infections.
To protect against the unknown, the only effective solution is to proactively make sure that exploits can’t reach your valuable and trusted systems. BUFFERZONE provides exactly such a solution: endpoint isolation by containment. Regardless of specific attack vectors, exploited vulnerabilities, and payloads, BUFFERZONE always does the same thing: browsing sessions, email attachments, and other applications that access external, untrusted content such as unknown internet sites are kept in a virtual container, along with processes started by those sessions and anything they save or download. Contained processes cannot reach native endpoint or organizational resources such as an intranet; those are accessed only by uncontained browsing sessions and applications, which can’t have accessed untrusted sites. When needed, BUFFERZONE can disarm content and securely extract data from the container. Periodically, the container is wiped clean.
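The containment model described above can be made concrete with a small simulation. The following is an added illustration written for this page, not BUFFERZONE’s own code or architecture: it models two trust zones, propagates a "contained" label from a session that opened untrusted content to every process it starts and every file it writes, enforces the one-way boundary in both directions, routes extraction through a caller-supplied disarming step, and wipes the container. All class and function names, and the sample "invoice" content with its `<macro>` marker, are constructed for the demo.

```python
"""Toy model of endpoint isolation by containment (added example, not BUFFERZONE code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Zone(Enum):
    TRUSTED = "trusted"      # intranet, native file system, corporate applications
    UNTRUSTED = "untrusted"  # unknown internet sites, email attachments


@dataclass
class Process:
    name: str
    contained: bool
    parent: Optional["Process"] = None
    children: List["Process"] = field(default_factory=list)


class Endpoint:
    """Simplified endpoint with one virtual container beside the native system."""

    def __init__(self) -> None:
        self.container_files: Dict[str, bytes] = {}  # written by contained processes
        self.native_files: Dict[str, bytes] = {}     # written by uncontained processes

    def start_session(self, name: str, content_zone: Zone) -> Process:
        # A session is contained exactly when it opens untrusted content.
        return Process(name, contained=(content_zone is Zone.UNTRUSTED))

    def spawn(self, parent: Process, name: str) -> Process:
        # Child processes inherit the parent's containment label.
        child = Process(name, contained=parent.contained, parent=parent)
        parent.children.append(child)
        return child

    def can_access(self, proc: Process, resource_zone: Zone) -> bool:
        # Contained processes see only untrusted resources; uncontained
        # processes see only trusted resources. Neither side crosses over.
        if proc.contained:
            return resource_zone is Zone.UNTRUSTED
        return resource_zone is Zone.TRUSTED

    def save(self, proc: Process, path: str, data: bytes) -> str:
        # Anything a contained process saves or downloads stays in the container.
        target = self.container_files if proc.contained else self.native_files
        target[path] = data
        return "container" if proc.contained else "native"

    def extract(self, path: str, disarm: Callable[[bytes], bytes]) -> bytes:
        # The only path out of the container: content passes through a
        # disarming step before a copy is placed on the native system.
        data = disarm(self.container_files[path])
        self.native_files[path] = data
        return data

    def wipe(self) -> int:
        # Periodic wipe discards everything the container accumulated.
        count = len(self.container_files)
        self.container_files.clear()
        return count


def strip_active_content(data: bytes) -> bytes:
    # Placeholder disarm step for the demo: remove a constructed "<macro>" marker.
    return data.replace(b"<macro>", b"")


def demo() -> dict:
    ep = Endpoint()
    browser = ep.start_session("browser", Zone.UNTRUSTED)      # opened an unknown site
    intranet_app = ep.start_session("intranet-app", Zone.TRUSTED)

    # Constructed download: a document carrying active content.
    location = ep.save(browser, "invoice.doc", b"invoice <macro>body")
    helper = ep.spawn(browser, "document-viewer")              # started by the contained session

    results = {
        "child_contained": helper.contained,
        "child_reaches_intranet": ep.can_access(helper, Zone.TRUSTED),
        "intranet_app_reaches_internet": ep.can_access(intranet_app, Zone.UNTRUSTED),
        "download_location": location,
        "extracted": ep.extract("invoice.doc", strip_active_content),
        "wiped": ep.wipe(),
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two `can_access` branches are the whole point: a process that has touched untrusted content never gets a route to the intranet, and a process that can reach the intranet never gets a route to untrusted content, so a payload dropped by the browser session is confined regardless of which vulnerability it exploited.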
Don’t wait for the next new attack. Protect your organization now.
Europol press release, World’s Most Dangerous Malware Emotet Disrupted Through Global Action, on Europol, January 27 2021
Check Point Research, February 2021’s Most Wanted Malware: Trickbot Takes Over Following Emotet Shutdown, on checkpoint.com, retrieved June 1 2021
Microsoft 365 Defender Threat Intelligence Team, Trickbot disrupted, on microsoft.com, October 12 2020
BUFFERZONE research department