1 Feb 2021

Blogs

Emotet, now neutralised, may have friends you'll want to clean off your systems.

April 25th 2021[1] is now going to be on everyone’s mind in the Cyber Security industry.

This is the day the Emotet botnet, as we know it, would be “reset”[2]. However, the method of the reset is interesting and places CERTs, the police forces and criminals[3] in a strange interaction that may create friction within their shared end-goal of protecting end-users.

Emotet is arguably a botnet that deserves the attention it has gotten – to be taken down.

It seems that it has gained that attention from operation “Ladybird”[4] in neutering the botnet as it now stands. But what now? And what about the efforts to protect end-users by parties from the various non “law enforcement agencies”.

The amount of attention that the Emotet botnet has congregated the effort of some amazing groups of people to be able to feed details to the information security industry about what domain and connections should be deemed indicative of infected end-points. Cryptolaemus[5] is one such a group that comes to mind that provides such information. Under normal circumstances, information such as this – about indicators of compromise (IoC), are sent to the security team who then most likely blocks connections and identify affected end-points.

But this very action of trying to block connection(s) may now be working against the actions taken to neuter the Emotet botnet. The controlling servers that distribute updates of the botnet, have been seized and are now controlled by the Dutch Police[2], and the Emotet code has been altered and allowed to then have that new code distributed[4]. This new code is said to include a kill-switch, which is controlled by a date, and that date is April 25th 2021 at 12:00 and the new code is now being delivered[6].

So now we have an industry that protects by not letting end-points to connect or interact with command and control servers, and another industry hoping that there will be further interactions so that the latest version of Emotet will be downloaded that will contain the kill-switch code!

If this does not sound as complementary efforts then you may have a point for conversation. Also add to this mix – the signal sent to management and leadership teams around the world – that the botnet is neutered, may provide a false sense of security. It’s worth noting and reiterating at this point that Emotet is not a be-all and end-all malware but rather more of a platform that allows other malware to be installed[4][7][8].

Threat hunting should not be halted, rather it should be given more resources due a piece of contrarian fact. If you did not block connections with Emotet’s C2[9] then you may now have a neutered, kill-switched version of Emotet from the Dutch police – otherwise it is still lingering in its present active form. As for anything Emotet has downloaded before that neutered version is installed, the additional malware may still remain active on end-points.

Now that it is clear that threat hunting has no break from this botnet takeover, there are a few twists to this event that needs to be investigated. Although this blog piece may not be able to provide all the answers, here are some questions a takeover of a botnet raises and possible reasons behind it. 

Why the choice of April 25th 2021 at 12:00?[1][10] for the kill-switch and why should the sector wait so long?[11][12].
The idea behind such a long wait is now that the botnet has been neutered[13] there is a window to look for “…Emotet malware and see if other gangs used it to deploy other threats…” as stated by Randy Pargman to ZDNet[2]. In essence, the use of Emotet as a beacon to find other installed malware may work. What also works is that media attention on Emotet botnet takeover may incite management and leaders to provide threat hunting teams with extra resource(s) over the next two months in chasing Emotet infected end-points.

What will the kill-switch do?
The name of the sub-routine “uninstall_emotet()” [1][10] looks promising. Beyond that any service call implication of a software having a self-destruct code written by extra-judiciary entities and distributed by a botnet is beyond the scope of this article. It may be safe to say that one should get ready for service calls in case there are issues. Looking on the positive side, there are two months lee-way to find the infected end-points.

Will using a kill-switch, which alters the end-point behaviour without the owner consenting to the change, have any legal ramifications?
You may have to talk to your lawyers about any issues that deals with advice around the law of the jurisdiction within which you are operating in. Note that altering software code on an end-point without the owner’s consent may find this action foul to some regulations around some jurisdictions. Even if the nations involved in the coordinated action are in agreement to waive responsibilities; Emotet knows no boundaries.

And last but not least … 

What about the seized data from the C2’s?
Yes, the Dutch police may now possibly have all your data that the Emotet botnet exfiltrated. The Dutch police has set up a function where the entry of an email address on their site will invoke an email back to the email address tested about whether it is in the data set seized[14]. This may work for savvy individuals but enterprises may need to consider enterprise questions such as the deliberation of all email addresses of the organisation to an extra-jurisdiction law enforcement agency. Also, the collation of response(s) from that agency needs to be considered, before it gets flagged as spam or received by the user of the email account. No matter how the enterprise wants to re-route or act on the response, there will be lots of thinking and planning to be done!

The takeover of the Emotet botnet by law enforcement agency may signal the end of one botnet. Yet, today only means that this botnet is no longer a threat, but all the damage and installs it has made over time is still a clear and present threat. The clean-up process on one of the most prominent botnets of this decade has only just started.

It is hoped that after such media attention, organisations will take this opportunity to inject a bit more resources in cleaning affected end-points, and possible compromised accounts. Perhaps after the clean-up there are some resources still allocated to implement well deserved preventative and detective measures. After all – an “Ounce of prevention is worth a pound of cure!”[15].

REFERENCES: 

[1] https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/
[2] https://www.zdnet.com/article/authorities-plan-to-mass-uninstall-emotet-from-infected-hosts-on-march-25-2021/
[3] CERTs, cops, and criminals Peter Zinn Sr. High Tech Crime Advisor,KLPD (National Crime Squad), NL on Monday 13th June 2011 https://www.first.org/conference/2011/program/index.html
[4] International police operation LadyBird: global botnet Emotet 27th Jan 2021 dismantled https://translate.google.com/translate?sl=auto&tl=en&u=https://www.politie.nl/nieuws/2021/januari/27/11-internationale-politieoperatie-ladybird-botnet-emotet-wereldwijd-ontmanteld.html
[5] https://paste.cryptolaemus.com/
[6] https://twitter.com/milkr3am/status/1354459859912192002
[7] https://twitter.com/Cryptolaemus1/status/1354521918775427072
[8] https://twitter.com/MalwareTechBlog/status/1354411804747681793
[9] https://twitter.com/milkr3am/status/1354473617145409545
[10] https://twitter.com/milkr3am/status/1354459859912192002
[11] https://twitter.com/t15_v/status/1354519818226032642
[12] https://twitter.com/cyberadelaide/status/1354489619795083269
[13] https://team-cymru.com/blog/2021/01/27/taking-down-emotet/
[14] https://2yx7ciusygbulydqop52nqwfpe–www-politie-nl.translate.goog/themas/controleer-of-mijn-inloggegevens-zijn-gestolen.html
[15] https://www.ushistory.org/franklin/philadelphia/fire.htm