Party’s over for Emotet, One of the World’s Most Feared Botnets

Emotet, one of the most notorious botnets of the past decade, has been taken down in a joint operation by Europol and Eurojust in January 2021 ^[1]. A cyber security researcher also confirmed that a new module has been sent to the infected devices via Emotet update mechanism ordering the uninstallation of the malware on 25^th April 2021 ^[2]. The takedown operation and the issuance of Emotet self-uninstallation module signalled the end of this long-time cyber threat.

What is Emotet?

Emotet was first discovered as a banking Trojan in 2014. It spread via spam emails with malicious JavaScript files (i.e. malspam) that sneaked onto computers to steal sensitive information. Evolved versions used a macro-enabled document to hide the malicious script. During the past few years, Emotet constantly kept updated to improve stealthiness, persistence and add new capabilities to widen its spread. Through a fully automated spreading process, it propagated to the victims via phishing email attachments such as invoices, shipping notices, etc. Once a victim opened the attachment, the malicious script was executed. The script downloaded and installed the malware payload to the victim’s computer unknowingly.

Impact of Emotet in Recent Years

Overseas cyber security researchers found that later spreads of Emotet used malware dropper to load ransomware and other banking trojans with worm-like capabilities ^[3], which would cause actual damage to the affected systems. Among other incident, Emotet would disguise itself as an email sent by a disability welfare service provider to potential victims with  an “infection report” alike document embedding the malicious script ^[4]. In 2020, it also launched attacks using the theme of COVID-19.

Emotet attacks had been happening across the globe in the past few years, incurring significant losses for individuals, companies, and even governments. One of the most serious incidents happened in 2019 when the German city of Frankfurt was forced to shut down its IT network for a week to stop the spread of the malware ^[5].

Security Advices

Throughout the years, HKCERT has been monitoring Emotet infections in Hong Kong,  alerting related Internet Service Providers (ISPs) from time to time. Although Emotet has been taken down by law enforcement overseas, HKCERT urges both individuals and organisations to stay vigilant and pay extra attention to any malware attacks, and adopt the following preventive measures:

1. Do not open email attachments from unknown senders. Verify carefully the sender and content to make sure the email is legitimate before opening any attachment;
2. Update the systems regularly;
3. Install security software and keep the software and virus signature updated;
4. Use strong passwords; and
5. Enable two-factor authentication (2FA) whenever possible.

Reference Links:

[1] https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action

[2] https://www.bleepingcomputer.com/news/security/europol-emotet-malware-will-uninstall-itself-on-april-25th/

[3] https://www.malwarebytes.com/emotet/

[4] https://www.hkcert.org/blog/watch-out-for-phishing-attacks-using-false-information-on-infectious-disease

[5] https://www.zdnet.com/article/frankfurt-shuts-down-it-network-following-emotet-infection/