Most Destructive Emotet Botnet is Back after long Hibernation Period
Published on : Sunday 19-07-2020
Botnet is known as “Zombie Army” in Cybercrime world. As word “zombie” might be a good hint for you as the botnet is a network of computers which is remotely controlled by cybercriminals. Main purpose of botnet is to spread ransomware to targeted computer, laptop, mobile phone, tablet or any such device.
It has hidden nature in such a way that even victim might never come to know if his or her device is already part of a botnet.
The word “botnet” is actually a derived from the combination of two words “robot” and “network”. In case of botnet, cybercriminals perform the role of a bot master to use Trojan viruses breaching the security of several computers (home or organization or anyone) and connect those computers into a network. It is further used for malicious purposes. Bad thing is every victim’s computer on that network acts as a “bot” and further it is controlled by a cybercriminal to transmit malware, spam or even malicious content in order to launch the attack.
After around five months of silence, again dangerous Emotet Botnet is back.
This trojan-turned-botnet was first discovered in 2014. It had started its existence as a banking trojan in early days, you might have read it has targeted banks in Germany and Austria. Over the period it has shown many varying forms.
Emotet malware is also known with names as "Geodo" or "Mealybug". Due to its different spamming behavior, it is also called as "Emotet Spamming Trojan".
Why Emotet Botnet is too Dangerous?
As compared to other botnets, it is modified with additions of the modules for spam and ransomware. It is good to know that it has developed the ability to access victim’s
emails, passwords, financial information, and even victim’s Bitcoin wallets.
It has demonstrated its increasing power where the machines infected with Emotet are getting included in the botnet itself, and later used for execution of DDoS attacks or even sending out spam campaigns.
It has huge impact in cybersecurity once someone is victim of it, as a single Emotet bot acts as a very big botnet which can send millions of spam emails every day, and now days Emotet has approximately 300,000–400,000 bots like this.
It steals the real email content from victim’s inbox. It does study victim’s mail box and uses victim’s contacts as next target.
It actually starts sending emails to the victim’s contact list, and many recipients trust that email.
Once they open the email and click on the infected attachments, they become new victims of this botnet. It targets both home users and organizations, and it starts spreading.
There are two types of botnet structures, first one is client-server and another is peer-to-peer (P2P).
In their own ways, both attempts to provide the bot master with a high level of control over the “zombie” army. In the client-server model, the older of the two, the central server directly issues commands and instructions to the zombie devices.
This makes it simple to control the botnet, but also makes it easy for law enforcement agencies to track down the server. And once the server is shut down, the jig is over.
In the last few years, law enforcement agencies have detected and shut down many of these operations.
How Emotet Botnet spreads?
It is essential for you and your family or team to know how this botnet spreads.
As history states, this botnet is mostly delivered to the victim's machine through infected e-mail attachments in Word format. These word documents generally have some kind of macro code which gets executed once victim clicks it. As explained above, this email attachment comes from known source – hence mostly victim will click it.
If it is a windows machine, let's check how it technically works. After victim clicks malicious file, the trojan is generally stored as %UserProfile%\AppData\Local\dwmapi\certmgr.exe. It creates an autorun Registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run which helps it to start the Emotet trojan when windows machine starts. Once the malware is running, it will deploy further malicious modules that steal a victim's mail, spread to other computers, or use the infected computer to send spam.
Firstly, it will to steal information about all processes running on the victim’s computer. Later it takes remote control over processes such as accounting software on a machine. There is involvement of the Command-and-Control-Server which decides which modules on victim’s machine needs to be activated. It has capability of copying numerous passwords stored on the computer.
Command and Control servers are also known as "C&C" or "C2", are used by cyber criminals or attackers to maintain communications with compromised systems within a target network. Such systems can include Computers, Smartphones and number of IoT devices.
Since last few years it is observed that the cybercriminals generally use banking Trojans like Corebot, Trickbot, Gozi or Zeus Panda. According to recent studies, it also reloads Ryuk Ransomware or similar which does an in-depth analysis of a victim organization. Such information is used for further cyberattacks.
How to avoid Emotet Botnet?
Here are few key precautions which can avoid this botnet.
- Use of anti-virus software is must for personal or office machines.
- Block email attachments which are commonly associated with many malwares.
- Only provide least privilege for relevant stakeholders.
- Implement strong password policy.
- Configure proper firewall rules.
- Email gateway filters are must.
- Block suspicious IP addresses at the firewall itself.
- Organizations should adopt security policies where any execution of macros are completely disabled.
- Cybersecurity awareness is must for all stakeholders of any organization.
It is important not to be victim of this kind of malware. Otherwise, it may lead many issues for you, your connections and your organization; being part of unknown “Zombie Army”.
Shekhar Ashok Pawar is CEO of GrassDew IT Solutions Pvt Ltd which is primarily focused on Cybersecurity Assessment & Audits, IT Consulting, Customised Software Development and Software Products. With more than 15 years of international experience, he is CISA, CEH, CHFI, MCP, Blockchain Developer, Dip Cyber Laws, CMMi Level 5 ATM & ISO 27001 LA. He is also certified H/W & S/W expert for Mobile Phones, Computers and CCTV cameras. He did Executive Management (SJMSOM, IIT-Bombay), after Engineering in Electronics & Telecommunications, Mumbai. He is also certified for "Digital Signal Processor & Applications" by Analog Devices - DSP Learning Center, IIT Madras.
He is lead contributor to GrassDewPanther @ LinkedIn which is focused on sharing global cyber threats and related news. Shekhar's recent book “Air Team Theory: Understanding 10 Types of Team Mates and Best Practices to Succeed” was published in January 2020 and is a hot-seller on Amazon.