Emotet takedown – Europol attacks “world’s most dangerous malware”

Not long ago, we wrote on Naked Security about a new-kid-on-the-block malware service called Buer Loader.

The easiest way to explain what the Buer Loader gang were up to was simply to say, “Buer Loader is basically a new competitor to Emotet.

If you’ve followed the history of malware in recent years, you will definitely have heard of Emotet, and you’ll have a very good idea of what happens next to Emotet victims if the malware breaches their defences.

That’s because “what happens next” could be anything – pretty much anything at all off the cybercrime menu – because Emotet is what’s known as a bot or zombie.

A bot is malware that regularly and quietly calls home to one or more command-and-control servers operated by the crooks, and fetches instructions on what to do next. (You’ll often see the term “command-and-control” abbreviated to C&C or just C2.)

Some botherders – the jargon name given to the crooks in charge of a network of zombies, known colloquially as a botnet – use the zombie computers that they control for their own immediate criminal purposes.

Botnet-triggered criminality includes: sending mass spam deliveries ; launching distributed denial of service (DDoS) attacks against companies or service providers; perpetrating click fraud involving millions of legitimate-looking ad clicks; and much more.

Emotet’s not your everyday botnet

The Emotet crew, however, generally play the game a bit differently.

They typically use the zombies under their control as a sort of content delivery network for other cybercriminals, offering what amounts to a pay-to-play service for malware distribution.

The Emotet gang does the tricky work of building booby-trapped documents or web links, picking enticing email themes based on hot topics of the day, and tricking victims into infecting themselves…

…and then sells on access to infected computers to other cybercriminals so that those crooks don’t have to do any of the initial legwork themselves.

At Christmas 2019, for example, Emotet hitched a ride on the newsworthy coat-tails of climate activist Greta Thunberg, with subject lines such as:

Please help save the planet
Friends help
Support Greta Thunberg - Time Person of the Year 2019
Greta Thunberg
the biggest demonstration
Demonstration 2019 

If you opened the document, you’d see a cleverly-worded “warning”, apparently a message from Word itself:

The “warning”, of course, is not generated by Word but is merely a page in the booby-trapped document, and the content you’re asked to enable is a Word macro – essentially a miniature app embedded in the document.

The macros used by Emotet documents are the opening gambit in the malware attack, and they initiate the next stage of the infection, typically launching a heavily disguised PowerShell command (or even a chain of disguised commands) to download and implant the Emotet malware program itself.

Once you’re infected with Emotet malware, worse is almost certain to follow if you don’t act quickly.

Back in 2019, SophosLabs researchers published a series of papers on the various stages of an Emotet attack, noting:

Emotet-infected machines routinely get infected with other financially-focused credential hijacking malware, including Qbot, Dridex, Ursnif/Gozi, Gootkit, IcedID, Azorult, Trickbot, or ransomware payloads including Ryuk, BitPaymer, and GandCrab.

Simply put, an typical Emotet infection starts badly, then gets worse, and then gets even worse than that.

The takedown

With that history in mind, we were pleased to read last week’s announcement from Europol about a co-ordinated, multinational takedown effort against the network intrastructure used by the Emotet gang:


Law enforcement and judicial authorities worldwide have this week disrupted one of most significant botnets of the past decade: EMOTET. Investigators have now taken control of its infrastructure in an international coordinated action.

This operation is the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

That’s the good news.

The bad news is that cybercrime, to borrow a metaphor often applied to nature, abhors a vacuum, so that when one gang of cybercrooks gets shut down, others inevitably move in to try to fill the hole. (Don’t forget the rival Buer Loader gang we mentioned at the start of the article.)

Worse still, unless and until the Emotet crooks themselves are arrested and convicted, there’s every chance they’ll rebuild their illegal infrastruture and return to reclaim their own vacuum.

In fact, almost exactly a year ago, in February 2020, the Emotet crew went quiet for several months, apparently of their own accord…

…and yet, on 17 July 2020, their own special brand of booby-trapped documents once again began to appear in bulk in our spamtraps, and Emotet was back, just like that.

As SophosLabs Senior Threat Researcher Richard Cohen said at the time:

We’ve talked a lot about Emotet in the past, including showing its malware ecosystem, and providing a series of deep-dive 101s, not forgetting showing the authors venting their frustration at Sophos. [Editor’s note. The malware authors embedded a foul-mouthed anti-Sophos insult into their malware code.]

But then in February 2020, Emotet ceased production – its botnets stopped activity, and the waves of spam campaigns went silent. This isn’t the first time it’s vanished off the radar, only to rise again months later – and that’s exactly what we saw [in the middle of July 2020].

What to do?

Let’s all give our congratulations to Europol and its partners for this takedown.

But let’s also remember that it’s not yet “game over” for the Emotet malware and its ilk…

…because cybersecurity is a journey, not a destination.

For advice on how to stay safe against Emotet and other malware using similar techniques, read our article Fighting Emotet – lessons from the front line: