“The world’s most dangerous malware”: This is how EMOTET was known until January 2021. How did it earn this title? Who were the hackers behind it? Find out in the first cybercrime episode of Bar Lume, a new Italian podcast on organized crime, mafia and terrorism!
Listen to the original podcast (in Italian) here
The beginning of the end
To tell this story, it is best to start from the end. It is January 27th, 2021, another cold day in the long Ukrainian winter. National police officers are preparing for a raid: they take with them bulletproof vests, balaclavas and crowbars. Before leaving, they check one last time the information they have been exchanging for months with colleagues from seven other countries: Germany, the USA, the Netherlands, the UK, France, Lithuania and Canada, under the coordination of EUROPOL and EUROJUST. Without further ado, they set off on Operation Ladybird.
The Ukrainian police raid a dingy flat full of buzzing computers, flashing servers and boxes overflowing with processors. Scattered here and there are hanks of cables and medicine packages. Hidden in a cupboard are mountains of cash, of different currencies, and a collection of small ingots. The Ukrainian police has just found a textbook hacker hideout.
The agents seize everything: computers, hard disks, mobile phones, passports, banknotes, ingots, but above all, a server. The video of the operation is posted on the website of the Ukrainian police and quickly goes viral among cybersecurity experts from around the world. Two individuals are arrested — two Ukrainian citizens who, in addition to the confiscation of assets, face up to 12 years in prison. Meanwhile, a similar scene unfolds in the Netherlands: another raid, another hacker hideout uncovered. This time, two servers were seized. The picture is complete.
The three servers seized on January 27th in Ukraine and the Netherlands were the command and control centre of EMOTET, the largest and most dangerous malware network in the world, controlled by a cybercriminal group known as “Mealybug”.
According to Europol, four factors made EMOTET so dangerous: its resilience, its adaptability, its longevity and, above all, its use by not one, but several organised groups of criminals. But let us proceed in order.
For years, the authorities were not able to eradicate EMOTET because its infrastructure — vast, complex and strongly distributed — was difficult to attack. In addition to the three command servers, there were hundreds of secondary servers dedicated to specific functions, as well as a so-called botnet, that is, a network of thousands of computers infected by the virus all over the world. Even if the authorities managed to disable one of the secondary servers or to eradicate the malware from a victim’s computer, EMOTET could then easily be reproduced and redistributed thanks to all the other devices linked to it. In particular, the botnet allowed the hackers behind EMOTET to control infected computers remotely and give access to other criminal groups — of course, for a fee. By paying a certain amount, criminal groups could in fact distribute their own malware — often banking trojans or ransomware — through EMOTET’s existing and wide botnet, saving them the trouble of penetrating the victims’ computer defences themselves.
This brilliant — or rather devilish- business model was dubbed ‘Malware-as-a-Service’.
How to neutralise such a vast and complex network? Faced with an unprecedented threat, the police also took unprecedented measures: instead of deleting EMOTET from infected machines, the cybercopes decided to neutralise it from the inside, diverting all traffic directed to the three control servers (called Epoch 1, 2 and 3) to servers managed by the police. This way, the network continues to exist, but is unusable for any criminal — unless, of course, he or she wants to be arrested.
Revolutionary as it is, the police are not going to be satisfied with this result: on April, 25th the Dutch police announced that they will eradicate EMOTET from all infected computers. How? By circulating a ‘self-destruction’ update to the entire botnet through the two Command and Control servers they seized. The ‘self-destruction’ command is a line of code that will order the malware, at exactly 12 pm local time of each infected computer, to uninstall itself.
Why not delete EMOTET immediately after the blitz, you might ask. This choice is not left to chance: the three months between the seizure of the servers and the final shutdown of the botnet give time to victim organisations to check whether EMOTET has given access to their network to other viruses, which may continue to exist after the malware’s uninstallation. Most importantly, this period gives cybercops the opportunity to study EMOTET’s infrastructure, no longer as hunters desperately seeking clues, but as insiders with access to the entire code: the holy grail of IT. Indeed, after April, 25th there will be no trace of EMOTET, and while this will bring relief to the victims, it will also mean the loss of important information for the police. And for Mealybug? Well, for the hackers it will mean the destruction of no less than seven years of ‘work’, the reconstruction of which would require titanic efforts — so titanic, hopes law enforcement, as to dissuade them from the attempt.
But who are Mealybug? The answer to this question is not straightforward.
Mealybug is a pest that feeds on plant sap and is difficult to detect. The name was given by Symantec, the US company behind the world’s best-selling antivirus, Norton. But if the name of the group is now widely known, the same does not apply to the identity of its members. Not even the names of the two Ukrainian citizens arrested on January, 27th — who are the only Mealybug members under custody so far — have been made public by the authorities. This, unfortunately, is no surprise in the world of cybercrime.
According to a study by Thomas Holt, professor of criminal law at Michigan State University, the cybercriminals who cause the most damage — estimated between USD 445 billion and USD 600 billion a year — are groups of mavericks who gather sporadically and occasionally. Almost always hidden behind a nickname, these criminals work together on specific campaigns and for a limited period, before disappearing. These groups thus don’t work the same way as traditional organised crime clans, which are characterised by a documented history and specific affiliation mechanisms.
In addition to the fluidity of cybercriminal groups, another element that emerges from the US research is the high specialisation and precise division of labour within them. Instead of relying on the complex, year-long, often intergenerational ties typical of traditional organised criminal networks, cybercriminal groups are kept together by the skills of their members. Hackers group because their combined skills enable them to commit a specific crime. For example, if one of them is particularly skilled in password encryption, and another in a certain programming language, they may work together to maximise the effectiveness of a credential theft campaign.
In the case of sophisticated networks such as Mealybug, there is usually a small group of close members acting as a reference point and a larger group of collaborators in charge, among others, of the sale of stolen information and of money laundering.
These elements lead Professor Holt and his team to an important conclusion: contrary to popular belief, the most mature cyber crime groups do not overlap with traditional mafias, such as the Russian one. Instead, they are distinct entities, with very different organisational structures, links and hierarchies, and with a much more fluid and less personal affiliation style.
Another question that arises is: how did EMOTET survive so long? Seven years is a record age for a virus, even for the most sophisticated ones. Several factors seem to have contributed to this achievement: the malware’s ability to hide its traces, making its presence invisible to many antivirus software; its ability to recognise ‘virtual machines’, that is, the simulated computer interfaces used by cybersecurity experts to study malwares; and, most importantly, EMOTET’s adaptability. In the course of its seven-year history, EMOTET has in fact changed not only its business model, but also its code: each time the information security (infosec) community or the cybercops discovered a way to combat malware, Mealybug launched an update that allowed it to continue operating undisturbed.
The origin of evil
To better understand what we are talking about, it is best to turn the calendar back a few years, more precisely to 2014, the year when, according to EUROPOL, EMOTET made its first appearance.
According to a reconstruction by Alina-Georgiana Petcu of Heimdal Security, it was Macro Trend, a US cybersecurity firm, that published in the summer of that year a report on the first, but already rather refined, version of the malware. One file stood out in the analysis: tspy.emotet.l., and so the virus was named EMOTET.
EMOTET V1 was a banking trojan, a type of malware specialised in stealing bank credentials, which targeted small banks in Austria and Germany. It worked as follows: victims — not only bank employees, but also their customers — received an email disguised as a ‘Overdue Invoice” and “Payment Remittance Advice”, prompting users to click on infected links. To reach their targets, Mealybug ran a type of phishing campaign known as malspam, a combination of ‘malware’ and ‘spam’. When one of the targets took the bait and clicked on one of the links in the email, EMOTET began to automatically download its components, including a configuration file containing user data and a DLL or Dynamic Link Library. Injected into system processes, the DLL was able to intercept and record outgoing traffic from the computer — a practice known as ‘network sniffing’. Once the browser was also infected, the DLL could compare the user’s input with the configuration file and, in case of a match, save the credentials to later steal them. The effectiveness of this system was disarming: the DLL file could steal data even while browsing pages protected by the HTTPS protocol and evade both user and antivirus controls by storing the stolen credentials in an encrypted register separate from the other malware components. In other words, even if the antivirus scanned the computer for infected files, it would not find the credentials downloaded and saved by EMOTET — simply because they were not in an infected file.
What shocked experts was not only the sophistication of the malware, but also the speed of its evolution: in autumn 2014, a new version of the virus was already circulating. EMOTET V2 added to its arsenal a component known as Automatic Transfer System (ATS), which allowed money to be stolen directly from victims’ accounts. Instead of capitalising on the effectiveness of its malware to reach new targets, Mealybug continued to keep a low profile: until the end of the year, it only attacked a few Austrian and German banks.
After a brief hiatus, the third version of EMOTET appeared in the first months of 2015, proving more difficult to identify than its predecessors thanks to a number of new features. These included a system to partially clean (and thus make invisible) the ATS script and the RSA, an old encryption algorithm that has been around since the late 1970s. Emboldened by the malware update and their impunity, the hackers decided to expand their attacks by including Swiss banks among their targets. Given their preference for financial institutions in German-speaking countries the choice seems natural, but considering Switzerland’s long tradition of banking security, this move also shows a certain degree of fearlessness. At the same time, Mealybug expanded its portfolio: in addition to money, it also started to steal email credentials and to carry out so-called DDoS (Distributed Denial of Service) attacks. A DDoS consists in flooding a computer system, often a website, with requests, overloading it to the point of blocking it completely, at least temporarily.
This brings us to 2016. In that year, EMOTET seemed to take a step backwards, limiting its attacks to German banks. Quite the opposite: Mealybug was in fact planning the most important reconfiguration of EMOTET, one turning the original trojan into a loader, that is, a malware allowing third parties to access an infected network and deploy other malware on top of it. The choice to narrow the target range may thus be explained by the desire to test the V4 before launching it on a large scale.
This is how the business model known as ‘Malware-as-a-Service’, which has made EMOTET not only infamous, but also particularly profitable, was born. Since 2016, criminal groups of various origins and affiliations have been able to pay to access EMOTET’s network and use it to spread other malware. This service became particularly attractive in 2017, when Mealybug made the virus self-replicating, thus giving it worm-like capabilities. What is the difference between a worm and the original version of EMOTET? If you remember correctly, EMOTET started out as a banking trojan. In order to be installed, a trojan requires the user to click on an infected site, link or attachment, almost always sent by email; a worm, intead, penetrates networks by exploiting vulnerabilities in software, operating systems and websites. Moreover, while trojans are limited to the devices where they are downloaded, worms have the ability to self-replicate, moving from one device to another through the daily interactions of unsuspecting users. Giving EMOTET the ability to self-replicate meant giving it the virality of a worm while preserving the credential stealing qualities of a trojan.
The popularity of the Malware-as-a-Service model was immediately apparent. In 2017, EMOTET’s infrastructure was used by several criminal groups external to Mealybug to spread various malware, including the UmbreCrypt ransomware and the banking trojans IcedID and Trickbot. The partnership between EMOTET and Trickbot was particularly perverse and was destined to cause considerable damage over the next three years. Among Trickbot victims are in fact high-profile targets like PayPal and Amazon. QBot, another Trojan with worm capabilities, became one of Mealybug’s clients, too.
The supply of EMOTET’s infrastructure to third parties also implied a considerable geographical expansion: in 2017, the virus was identified in China, Canada, the UK and Mexico, and in 2018, also in the US. EMOTET’s appearance in the US was spectacular: on February, 13th, EMOTET, by then a hybrid between a Trojan and a worm, laid siege to Allentown, a small town in Pennsylvania. The virus paralysed the municipal administration, infecting its computers and automatically reproducing itself in order to steal the credentials of as many employees as possible. Summing the bill for Microsoft’s emergency services to the subsequent work to restore the network, Petcu estimates that Allentown spent around 1 million USD to remedy the attack.
Around this time a group of cybersecurity experts from different companies start to discuss about EMOTET on Twitter. At some point a user who went by the name JayTHL suggested that they worked together to fight the virus — and he received plenty of enthusiastic responses. At first, the group of so-called ‘white hackers’ collaborated informally, but as more and more people joined in and the collaboration began to bear fruit, they decided to formalise. The first step was choosing a name: and what better option than ‘Cryptolaemus’, the ladybird famous for its ability to eradicate mealybugs? The idea was put forward by a botanist turned computer scientist, demonstrating the diversity of profiles involved in the fight against EMOTET. Cryptolaemus launched channels on Slack and Telegram, opened a Twitter account and also created a website. The Twitter account remains active, while the website was last updated on January, 25th 2021, two days before the raid by the Ukranian police. What the white hackers used to share on all these platforms are so-called ‘Indicators of Compromise’ (IOCs), such as the IP addresses of EMOTET’s servers, the object of spam mails, and the hashes of infected attachments. Hashes are alphanumeric sequences of fixed length, generated by algorithms such as MD5 or SHA, which allow a file to be uniquely identified. In other words, although hashes do not allow to see the content of a file, they do allow to determine whether two files are identical or not — a crucial piece of information for cybersecurity experts.
Just as cybercriminals, Cryptolaemus members applied a skills-based division of labour: some were responsible for breaking EMOTET’s encryption, while others for tracking the command and control servers. And like cybercriminals, they were often known only by their nicknames, albeit for a different reason: some of them, in fact, were violating the confidentiality agreements they had signed with their employers by collaborating with competitors.
The shared will to dismantle EMOTET eventually prevailed: protected by anonymity, the white hackers continued to work together. The discoveries made by the group were followed with increasing interest not only by cybersecurity companies, but also by cybercops, who borrowed their jargon. It was Cryptolaemus, in fact, who named EMOTET’s control servers ‘Epoch’, and probably inspired the name of the Ladybird operation.
Cryptolaemus, however, had a fundamental weakness: its choice to publicly share its findings meant that the enemy could also see them. Members of the group soon realised that Mealybug often changed tactics within minutes of the publication of Cryptolaemus’ posts. And so EMOTET managed to be always one step ahead of its chasers.
The last blow
The advantage of Mealybug became apparent the following year. In 2019 EMOTET brought Germany to its knees, hitting high-profile targets such as the Berlin Supreme Court, the Heise publishing house, and three major universities: the Humboldt in Berlin, the Justus Liebig in Giessen, and the Catholic University of Freiburg. The most sensational, however, were the attacks on two different cities on December, 18th: Bad Homburg and the much more important Frankfurt am Main. By striking the financial capital of continental Europe, Mealybug showed that they no longer wanted to content themselves with small fry.
In both Bad Homburg and Frankfurt, the authorities ordered a 24 hour shutdown of the city’s entire computer network, from the municipal website to the platform for purchasing public transport tickets, causing major disruption and considerable economic losses. The measure was drastic, but necessary: in light of EMOTET’s self-replicating capabilities, a complete shutdown of the infected network was the fastest and most effective way to limit the spread of the virus. In the absence of a prompt response, EMOTET would in fact be used without hesitation to deploy other malware. A case in point was the attack against the Justus Liebig University, which had been hit only 10 days earlier. 38,000 students had to queue to receive new credentials to access the university platform as the systems compromised by EMOTET had formed a botnet used to spread Ryuk, a ransomware famous for its blackmail campaigns against newspapers such as the Los Angeles Times and, more recently, hospitals in south-eastern France.
The most worrying element that emerged from the attacks in Germany was the ease of penetration of the virus: all it took was for a single employee to open a single compromised attachment, and EMOTET started to replicate on all computers of the target organisation. It became increasingly difficult to blame the victims of negligence, as Mealybug used increasingly sophisticated phishing techniques. Indeed, spamming emails had not only convincing subject lines, but were also associated with real business partners of the target organisations, and even with real financial transactions. Moreover, the text of the email persuaded users to check financial details in an attached word file, which, when opened, required the user to ‘enable changes’, thus triggering EMOTET’s macro. The macro is a series of instructions automatically implemented after a single command, in this case the click on the ‘enable changes’ pop-up. The instructions consisted in the download of EMOTET components from some compromised WordPress websites. It wasn’t only German organisations that fell victim to these spam campaigns: Italy, Poland and the UK were also targeted. And during each attack, experts’ advice is always the same: switch the network off and disconnect from the Internet.
In 2020, Mealybug attacked in waves, reaching 5% of organizations worldwide and 10% in Italy, according to an estimate by the Israeli company CheckPoint Research. The first wave began between January and February and used emails containing alleged news on the Covid-19. After opening the attachment, a pop-up appeared asking the user to update Microsoft Word: one click and the EMOTET macro was activated. With this strategy, EMOTET penetrated 18% of Italian companies over that period. The second wave of malspam arrived in July and spread the QBot and TrickBot trojans, affecting some 250,000 users between the UK and US. As usual, the operation was low-risk and highly profitable. The latest campaign dates to October 2020 and included email with ever-more creative subject lines, such as news about the health of former US President Donald Trump and information about the pandemic.
We are now back to the first chapter of our story. At the time of the raid, EMOTET was on top of the blacklist of most law enforcement agencies and cybersecurity companies around the world. And for a good reason: according to an estimate by the US Department of Homeland Security, the average cost of restoring a network after an EMOTET attack was 1 million USD, for a total, according to the Ukrainian police, of 2.5 billion USD worldwide.
Winning the war
Faced with such exorbitant numbers, it is easy to see why the infosec community considers the neutralisation of EMOTET an historic event. According to Sherrod de Grippo of US cybersecurity firm Proofpoint, two elements make EMOTET a textbook case.
First, the arrests: as mentioned earlier, tracing the members of hacker groups is often difficult, if not impossible. The internet guarantees their anonymity and allows them to operate from any country in the world. Since not all jurisdictions recognise cybercrime in the same way, it is not always possible to take legal action even if individuals are identified. Cybercriminals based in Russia, for instance, enjoy de facto impunity. Therefore, it was crucial that the Ukrainian and Dutch authorities were not only willing to arrest the members of Mealybug, but also to cooperate internationally with other law enforcement agencies to track them down. The fact that the Ukrainian police published the video of the raid was another novelty very welcome to the infosec community.
Second, the strategy to neutralise the malware: never before had the police diverted traffic from infected machines to their own servers, nor had they been able to plan the complete shutdown of a botnet. The seizure of the three main servers by the authorities completely deprived Mealybug of any control over EMOTET, as evidenced by the absence of activity since January 27th. It seems that the upcoming shutdown on April 25th will put an end to the EMOTET saga once and for all.
We have come to the end of this journey into cybercrime and, in particular, into the world’s most dangerous and longest-living malware, EMOTET. Its history is punctuated with entomological references: from the cybercriminal group Mealybug, who developed the virus back in 2014, to Cryptolaemus, the white hacker group that fought it for almost three years, ending with Ladybird, the international operation that dismantled it in January 2021.
What made EMOTET unique was its continuous ability to adapt and innovate, which led to the development of a new and increasingly popular business model in the world of cybercrime: Malware-as-a-Service. This system allowed criminal groups around the world to access the IT networks infected by EMOTET and use them to spread other viruses, allowing both parties to get rich.
We will now have to wait until 25 April to find out whether the complete uninstallation of EMOTET will be successful and put an end to the cyber attacks that have caused so much disruption and financial losses to organisations and individuals around the world.
The fight against cybercrime, however, does not end here: most of Mealybug’s members are free, equipped with the knowledge accumulated over seven years of EMOTET and, probably, a lot of capital. It is possible that they are already reorganising, or joining other groups engaged in other lucrative malware campaigns. Moreover, the demand for Malware-as-a-Service shows no sign of abating, and other loaders such as QBot and Dridex are ready to feel the void left by EMOTET. It is therefore important that, as noted by researchers at Michigan State University, collaboration between law enforcement, judicial authorities and researchers against organised cybercrime not only continues, but increases in the years to come.
This podcast was written and recorded with my old-time friend and co-host Tiziana Pezzotti