In an operation dubbed Operation Ladybird (a hat tip to the Emotet tracking group Cryptolaemus), the prolific and dangerous Emotet botnet has been dismantled. This operation saw cooperation between police in the US, Netherlands, Germany, the UK, France, Ukraine, Canada, and Lithuania. Based on reports from Ukrainian and Netherlands law enforcement, investigators seized upper tier servers for the botnet. According to the Eurpol press release, “law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.” This is an important technical technique that prevents victim computers from suffering further harm from Emotet.
Following the published reports, Dutch LEA have also released a tool called “Emotet Checker”, which anyone to search the database of compromised email accounts by submitting their own email address to a website. If the email exists in the stolen dataset, the victim will receive an email, sent to the address they queried, that confirms that Emotet’s servers had that email address and a password in its database.
Analyst Notes
Following this takedown, Binary Defense highly recommends that organizations scour their logs and look for any connections to the following Emotet sinkhole IP addresses:
• 80.158.3.161:443
• 80.158.51.209:8080
• 80.158.35.51:80
• 80.158.63.78:443
• 80.158.53.167:80
• 80.158.62.194:443
• 80.158.59.174:8080
• 80.158.43.136:80
Connection to these IP addresses in the past 24-48 hours has a high chance of being a quarantined Emotet binary, which will indicate that the affected machine will need to be investigated for any additional payloads, such as Trickbot or Qakbot. Additionally, any suspected Emotet victim should be encouraged to use the email address checker at: https://www.politie.nl/themas/controleer-of-mijn-inloggegevens-zijn-gestolen.html to determine if they should change their email password.
Finally, Binary Defense recommends employing a 24/7 SOC as a service, such as Binary Defense’s own Security Operations Task Force, as this can help detect Emotet before it can progress to secondary payloads like Trickbot or Qakbot. Binary Defense threat researchers actively researched Emotet and its updates to ensure that we kept our clients secure against this prolific threat.
