Notorious Emotet botnet taken down following international police operation

Servers taken down and multiple arrests made

Emotet, the world's most dangerous malware botnet, has been disabled following a global coordinated operation that took more than two years in planning.

According to Europol, the EU's law enforcement agency, investigators have now taken control of Emotet's infrastructure and the infected machines are now being redirected towards the infrastructure controlled by the law enforcement agencies.

"This is a unique and new approach to effectively disrupt the activities of the facilitators of cyber crime," Europol said.

The agencies that took part in the global coordinated action included the US Federal Bureau of Investigation, the Royal Canadian Mounted Police, the UK's National Crime Agency, France's National Police, Germany's Federal Crime Police, the Lithuanian Criminal Police Bureau, Dutch National Police and the National Police of Ukraine.

As part of the investigation, a database containing email IDs, usernames and passwords stolen by Emotet was also uncovered by the Dutch National Police.

The Dutch National Police said that two of the three primary servers used by Emotet were operating in the Netherlands.

"A software update is placed on the Dutch central servers for all infected computer systems," Dutch National Police said.

"All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined. Simultaneous action in all the countries concerned was necessary to be able to effectively dismantle the network and thwart any reconstruction."

German Federal Criminal Police Office revealed that 17 servers that acted as Emotet controllers have been seized in Germany.

According to KrebsOnSecurity, many suspects thought to be associated with Emotet cyber crime gang have been arrested across Europe.

Emotet is a sophisticated strain of malware designed to steal sensitive information, including user credentials, from infected systems. It was first identified in 2014 as banking trojan that primarily spread through malicious emails. Since that time it has evolved into a new form of malware, complete with its own botnet, and is able to remotely install malicious software on target machines.

Emotet infection usually spreads through emails containing malicious Word or Excel files masquerading as invoices, payment reports, shipping data, job opportunities and any other type of document likely to be significant for the recipient.

The documents include macros that the user needs to enable before they can do anything, with that action installing Emotet. To trick users into enabling the macros, Emotet operators use a wide variety of lures, including document templates that pretend to be created on different platforms.

According to the US Department of Homeland Security, Emotet infections have cost the US state and local governments about $1 million per incident to clean up.

In October last year, it was reported that Emotet has been using fake Windows Update templates as part of a campaign to deliver malware payloads onto victim systems.

Emotet has proved remarkably resilient to previous attempts to destroy it.

In August, researchers at Binary Defense disclosed that they identified a flaw in Emotet malware and used it to create a killswitch, which held back the spread of the malware for nearly six months. Emotet's operators eventually found out about the error in their persistence mechanism, and updated the malware to patch it.

Microsoft claimed last year that it had led a major offensive operation to take down the backend infrastructure of TrickBot malware botnet that used over 1 million infected systems to spread ransomware and steal financial and personal data of people.

However, it was observed a few days later that Emotet was installing TrickBot on some infected hosts, suggesting that it was able to survive the attempt to take down TrickBot's infrastructure.

It is not yet clear whether the cyber criminals behind Emotet will be able to rebuild their infrastructure after this latest international effort to disrupt their activities.