World’s most dangerous malware EMOTET disrupted through global action

Law enforcement and judicial authorities worldwide have this week disrupted one of the most significant botnets of the past decade: EMOTET. Investigators have now taken control of its infrastructure in an international coordinated action.
This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. This operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
EMOTET has been one of the professional and long lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.
Spread via Word documents
The EMOTET group managed to take email as an attack vector to a next level. Through a fully automated process, EMOTET malware was delivered to the victims’ computers via infected e-mail attachments. A variety of different lures were used to trick unsuspecting users into opening these malicious attachments. In the past, EMOTET email campaigns have also been presented as invoices, shipping notices and information about COVID-19.
All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install EMOTET malware on a victim’s computer.
Attacks for hire
EMOTET was much more than just a malware. What made EMOTET so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomwares, onto a victim’s computer.
This type of attack is called a ‘loader’ operation, and EMOTET is said to be one of the biggest players in the cybercrime world as other malware operators like TrickBot and Ryuk have benefited from it.
Its unique way of infecting networks by spreading the threat laterally after gaining access to just a few devices in the network made it one of the most resilient malware in the wild.
Disruption of EMOTET’s infrastructure
The infrastructure that was used by EMOTET involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts.
To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action where by law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.
How to protect oneself against loaders
Many botnets like EMOTET are polymorphic in nature. This means that the malware changes its code each time it is called up. Since many antivirus programmes scan the computer for known malware codes, a code change may cause difficulties for its detection, allowing the infection to go initially undetected.
A combination of both updated cybersecurity tools (antivirus and operating systems) and cybersecurity awareness is essential to avoid falling victim to sophisticated botnets like EMOTET. Users should carefully check their email and avoid opening messages and especially attachments from unknown senders. If a message seems too good to be true, it likely is and emails that implore a sense of urgency should be avoided at all costs.
As part of the criminal investigation conducted by the Dutch National Police into EMOTET, a database containing e-mail addresses, usernames and passwords stolen by EMOTET was discovered. You can check if your e-mail address has been compromised at www.politie.nl/emocheck. As part of the global remediation strategy, in order to initiate the notification of those affected and the cleaning up of the systems, information was distributed worldwide via the network of so-called Computer Emergency Response Teams (CERTs).
The following authorities took part in this operation:
- Netherlands: National Police (Politie), National Public Prosecution Office (Landelijk Parket)
- Germany: Federal Criminal Police (Bundeskriminalamt), General Public Prosecutor's Office Frankfurt/Main (Generalstaatsanwaltschaft)
- France: National Police (Police Nationale), Judicial Court of Paris (Tribunal Judiciaire de Paris)
- Lithuania: Lithuanian Criminal Police Bureau (Lietuvos kriminalinės policijos biuras), Prosecutor’s General’s Office of Lithuania
- Canada: Royal Canadian Mounted Police
- United States: Federal Bureau of Investigation, U.S. Department of Justice, US Attorney's Office for the Middle District of North Carolina
- United Kingdom: National Crime Agency, Crown Prosecution Service
- Ukraine: National Police of Ukraine (Національна поліція України), Prosecutor General’s Office (Офіс Генерального прокурора)

ENISA release new report and training material to fight cybercrime and improve cooperation

The European Union Agency for Cybersecurity releases a new report and training material to support the cooperation among CSIRTs, Law Enforcement Agencies (LEAs) and their interaction with the judiciary.
The publications are designed to help tackle the challenges of this complex multi-stakeholder cooperation. The report, the handbook and the toolset are a set of deliverables complementing each other as follows:
- The report analyses roles, duties, competences, synergies and potential interferences across Computer Security Incident Response Teams (CSIRTs) - in particular, national and governmental ones, LE and judiciary (prosecutors and judges);
- The handbook helps a trainer explain these concepts through different scenarios;
- The toolset consists of exercises meant for trainees based on the handbook’s scenarios.
The report proposes a methodology to analyse the legal and organisational framework defining the roles and duties, the required competencies of CSIRTs and LE. It also identifies synergies and the potential interferences that may occur while engaging in the activities needed to respond to incidents of criminal nature and in fighting cybercrime.
In addition, it presents a detailed analysis focusing on Czechia, France, Germany, Luxembourg, Norway, Portugal, Romania, and Sweden. The methodology proposed can be used for a more comprehensive future analysis covering additional countries as it is based on:
- desk research;
- subject matter expert interviews;
- the segregation of duties (SoD) matrix.
This SoD matrix is also available in the ENISA repositories in GitHub, as well as the documentation on the Reference Security Incident Taxonomy Working Group (RSIT).
The RSIT working group will meet today as part of the 62nd TF-CSIRT Meeting. These are two other examples of the efforts ENISA engages in to contribute to building a bridge between CSIRTs and LE communities.
Main conclusions of the 2020 report on CSIRTs and LE cooperation include:
- The communities already engage in a number of actions meant to:
  - Avoid interferences wherever possible;
  - Create effective partnerships;
  - Use their synergies to support each other.
- However, interferences may still happen in the process of incident handling and cybercrime investigations, mainly because of the difference in purpose and mandate of each of these communities, i.e. incident mitigation (CSIRTs) compared with evidence preservation and criminal prosecution (LE and the judiciary).
- Joint training activities are organised mainly in community pairs, being either CSIRT and LE or LE and the judiciary. Such activities rarely involve the three communities. The joint training activities help the wider development of the competences required to respond to cybercrime.
- Overall, the 2019 pandemic of the COVID-19 virus did not have any significant impact on cooperation and exchanges between the three communities and their ability to function. Interaction even increased in some instances. For example, daily dialogues became more frequent in order to ensure that each community was kept informed as the situation evolved.
The response to cybercrime requires the cooperation of all actors involved. In this response, CSIRTs, LE and the judiciary perform each a different role and seek different objectives. Helping CSIRTs, LE and the judiciary understand their roles, duties and competences reciprocally will allow a closer cooperation while building on synergies and hence avoid possible interferences.
ENISA has been collecting input from the communities and compiling reports to shed light on the different aspects of the cooperation. These efforts are meant to further enhance the cooperation between CSIRTs and LE and their interaction with the judiciary, In addition, the Agency has been developing training material and co-organising the annual ENISA-EC3 workshop on CSIRT-LE Cooperation. The last edition of this event took place on 16 September 2020.
This new report and training material build on the work already completed in the area over the past. It contributed to the implementation of the ENISA programming document 2020-2022. The work conducted by ENISA in this area is planned to continue in 2021.

Cybercriminals Favourite VPN Taken Down in Global Action

The virtual private network (VPN) Safe-Inet used by the world’s foremost cybercriminals has been taken down in a coordinated law enforcement action led by the German Reutlingen Police Headquarters together with Europol and law enforcement agencies from around the world.
The Safe-Inet service was shut down and its infrastructure seized in Germany, the Netherlands, Switzerland, France and the United States. The servers were taken down, and a splash page prepared by Europol was put up online after the domain seizures. This coordinated takedown was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
Active for over a decade, Safe-Inet was being used by some of the world’s biggest cybercriminals, such as the ransomware operators responsible for ransomware, E-skimming breaches and other forms of serious cybercrime.
This VPN service was sold at a high price to the criminal underworld as one of the best tools available to avoid law enforcement interception, offering up to 5 layers of anonymous VPN connections.
Law enforcement were able to identify some 250 companies worldwide which were being spied on by the criminals using this VPN. These companies were subsequently warned of an imminent ransomware attack against their systems, allowing them to take measures to protect themselves against such an attack.
The service has now been rendered inaccessible.
Investigations are ongoing in a number of countries to identify and take action against some of Safe-Inet’s users.
International police cooperation was central to the success of this investigation as the critical infrastructure was scattered across the world.
Europol’s European Cybercrime Centre (EC3) supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy and to organise the intensive exchange of information and evidence needed to prepare for the final phase of the takedown.

Three arrested as INTERPOL, Group-IB and the Nigeria Police Force disrupt prolific cybercrime group

Three suspects have been arrested in Lagos following a joint INTERPOL, Group-IB and Nigeria Police Force cybercrime investigation. The Nigerian nationals are believed to be members of a wider organized crime group responsible for distributing malware, carrying out phishing campaigns and extensive Business Email Compromise scams.
The suspects are alleged to have developed phishing links, domains, and mass mailing campaigns in which they impersonated representatives of organizations. They then used these campaigns to disseminate 26 malware programmes, spyware and remote access tools, including AgentTesla, Loki, Azorult, Spartan and the nanocore and Remcos Remote Access Trojans. These programmes were used to infiltrate and monitor the systems of victim organizations and individuals, before launching scams and syphoning funds. According to Group-IB, the prolific gang is believed to have compromised government and private sector companies in more than 150 countries since 2017.
Group-IB was also able to establish that the gang is divided into subgroups with a number of individuals still at large. While investigations are still ongoing, some 50,000 targeted victims have been identified so far.
The year-long investigation, dubbed ‘Operation Falcon, saw INTERPOL’s Cybercrime and Financial Crime units work closely with Group-IB to identify and locate threats, and ultimately, assist the Nigerian Police Force, via the INTERPOL National Central Bureau in Abuja, in taking swift action.
Group-IB’s participation in the operation came under Project Gateway, a framework which enables INTERPOL to cooperate with private partners and receive threat data directly.
Craig Jones, INTERPOL’s Cybercrime Director highlighted the outstanding cooperation between all those involved in the investigation and underlined the importance of public-private relationships in disrupting virtual crimes. “This group was running a well-established criminal business model. From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits. We look forward to seeing additional results from this operation,” he said.