As law enforcement agencies prepare to deliver the final, fatal blow to the Emotet botnet on Sunday 25 April 2021, threat analysts at Redscan have issued a reminder to security teams that they have an almost unique chance to gain valuable insight into their network security, and that the window of opportunity is closing.
Just a few days from now, one final Emotet update, Emotetloader.dll file, will be delivered to all infected devices, and will remove the Emotet malware by removing the run key in the Windows registry to ensure its modules cannot start automatically, and all servers running Emotet processes are terminated.
However, said Redscan threat intelligence analysis Mariya Grozdanova, it is important to note that this action will not remove any other malware that has infected a device through Emotet.
“This leaves security teams with only a few more days to uncover Emotet artefacts and whether their organisation has been compromised by Emotet, as well as to establish whether other related malware exists on their networks,” she said.
“Unless proper forensic analysis is conducted now, security teams will miss a unique opportunity to identify malware strains that may have the same modus operandi as Emotet, leaving them in a weaker position to defend against future attacks.”
Emotet, which began life as a fairly run-of-the-mill banking trojan back in 2014, evolved into a highly dangerous malware and ransomware-delivery botnet, and by 2020 had firmly established itself as one of the most prevalent cyber threats in the world.
Before its takedown in a coordinated international sting in January, Emotet was used by multiple cyber crime groups as part of a malware-as-a-service (MaaS) model, enabling initial access to target environments to establish persistence and infect them with other third-party malwares, including Ryuk and Trickbot.
“Emotet has been a thorn in the side of security teams for many years and has infected hundreds of thousands of devices since 2014,” said Grozdanova. “At its peak, Emotet’s infrastructure was comprised of hundreds of servers around the world, allowing operators to spread to new machines, offer MaaS and improve the resilience of its network. On Sunday 25 April, it will disappear without a trace – quite literally – for security teams.”
Although the seizure of Emotet’s infrastructure has proved highly disruptive to cyber criminals, and made it extremely hard for the current variant to continue to operate, Grozdanova cautioned against celebrating the final coup de grâce – its return cannot be ruled out.
“Unfortunately, botnets often return in some form and new variants of very familiar botnets sometimes return under a new threat actor’s control,” she said. “Some of the operators behind Emotet remain at large. It is highly likely that they are in possession of copies of the compromised data seized by the authorities, as well as other data sets that have not yet been recovered.”
Grozdanova said it remained distinctly possible that Emotet operators who evaded arrest could club together to recreate it. “Historically, Emotet’s operators used long breaks in activity to improve their malware,” she said. “This means there is a realistic possibility that Emotet’s operators will use this opportunity to make the loader malware even more resilient, for example, by using polymorphic techniques to counter future coordinated action. They could also branch off to create smaller, independent botnets using the Emotet source code.”
Whether or not they use a successor to Emotet, the lucrative nature of MaaS-type offerings means it is almost certain that more malwares will evolve this year to fill the void, using other distribution methods, such as TrickBot or QakBot, to propagate.
Regardless of the mode of infection, organisations clearly cannot afford to relax their guard, and Grozdanova advised keeping a focus on multi-layered approaches to defence, investing in next-gen antivirus systems and endpoint detection and response, as well as taking actions such as disabling macros and using sandboxes that integrate with next-gen firewalls.
Defenders can find out more about Emotet, and get more in-depth guidance on protecting themselves against malware loaders, in a Redscan whitepaper.