After a long investigation, the infrastructure of the malware "Emotet" was successfully taken down in a coordinated action by several law enforcement agencies a few weeks ago. Emotet spread via e-mails containing Office documents in which malicious macros were embedded. The CERT.at (Computer Emergency Response Team), operated by nic.at, has been helping with the "clean-up" since then.

Dangerous malware

Emotet is dangerous, very active malware that has spread mainly via malicious links or attachments in emails. One of the reasons why Emotet was so successful was that it hijacked legitimate email histories and spoofed the sender's address accordingly. Once a system was infected, it would  access stored emails as well as address books and then create replies to existing conversations. This technique made these spam emails appear much more believable and fooled even cautious users.

Infrastructure smashed in January 2021

In a coordinated effort by multiple law enforcement agencies, the network surrounding the Emotet malware was taken over and shut down in late January. In the process, the perpetrators' databases were also seized. One of them contained login data for web platforms that Emotet had stolen from victims' browsers. CERT.at received those parts of the data that could help identify the victims from its international partners; passwords were not transmitted in the process. This information was quickly passed on to the network operators so that they could inform the affected customers, and they could delete the malware from their systems. The large amount of feedback and questions that CERT.at has received since then show that the warnings were necessary and successful. 

Important step in the fight against criminal networks

Despite this successful work, vigilance is still necessary: "It is relatively certain that the leadership of the criminal network behind Emotet is still free, so the danger has not been completely eliminated. And there continue to be thousands of malware programs in addition to Emotet that operate similarly, and whose networks have not yet been neutralised. Nevertheless, this joint law enforcement action is a big step forwardin the fight against criminal networks. I am glad that we as CERT.at were able to make a contribution to this," says CERT.at team leader Wolfgang Rosenkranz.