A group of security researchers and administrators has been fighting attacks by the Emotet malware for some time. Now an article with an interview with this group has been published. I find the references to the group of security researchers acting under the name Cryptolaemus, which also publishes updated information about C&C servers, interesting.
The Emotet malware
Emotet was originally a banking Trojan that was first identified by Trend Micro in June 2014. In the meantime, a complete cyber group stands behind this malware and continues to develop it. In the summer of 2019, the group even afforded itself the ‘luxury’ of shutting down its infrastructure to take a holiday (see CERT-Bund warns: Emotet is back, C&C servers online again).
Since the end of 2018, Emotet has also been able to read and use content from emails. This increases the danger, as this information is used to find new victims. Recipients subsequently receive emails with authentic-looking but fictitious content from senders they have previously been in contact with.
Since the names and e-mail addresses of sender and recipient are consistent with previous e-mails in subject, salutation and signature, such e-mails also entice security-aware users to open the harmful file attachment or the link contained in the message.
The group of cyber criminals behind Emotet uses this to deliver new malicious functions that encrypt data as ransomware. Many companies and organizations are victims of Emotet infections. A search here in the blog will reveal a number of hits on Emotet infections.
In individual cases, this led to failures of the entire IT infrastructure and to restrictions of critical business processes. As this results in damages amounting to millions, CERT-Bund and the BSI explicitly warn against this malware (see CERT-Bund/BSI Warning about Emotet-Trojan/Ransomware).
The Battle of the Cryptolaemus group against Emotet
Cryptolaemus are ladybirds that develop an irrepressible appetite for aphids. The name of this animal species has been chosen as the name of a group of security researchers and administrators who follow Emotet development, publish information and countermeasures, and thus massively disrupt Emotet campaigns. Catalin Cimpanu conducted an interview with the group and published it as an article on ZDNet.
— Catalin Cimpanu (@campuscodi) February 29, 2020
For example, it describes what an Emotet infection means today. If an Emotet infection exists, it usually means that the malware is trying to spread from the originally infected system throughout the network. In the meantime, Emotet even uses a new method of spreading via WiFi connections that is not found in any other malware operation.
On the one hand, the information posted by Catalin Cimpanu about the group in the interview is quite nice. However, I spontaneously found the reference to their Twitter channel (@Cryptolaemus1), where information and Emotet news are posted, exciting. Even more exciting is the group’s website on Pastebin, where updates are posted almost daily. There you can find, for example, updated lists of Emotet C2 servers and RSA keys. This is helpful for administrators who want to prevent Emotet from working. Information on how to react in case of an infection can be found in the blog post FAQ: Responding to an Emotet infection.
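To show how an administrator can actually put such a published C2 list to work, here is an added example (my own code, not from the original post and not from Cryptolaemus). It assumes a list format of one "IP:port" per line with "#" comments, and a simple key=value connection log; both the list and the log lines below are constructed from RFC 5737 documentation addresses and are not real C2 endpoints. The script builds a lookup table from the list, flags outbound connections to listed hosts (an IP-only match is still reported, since C2 ports change between updates), and emits block rules for the listed endpoints.

```python
"""Match outbound connection logs against a published Emotet C2 list.

Added example, not code from the blog post or from Cryptolaemus.
Assumptions: the C2 list uses one "IP:port" per line (with '#' comments),
and the connection log has "src=", "dst=" and "dport=" fields.
All addresses below are constructed from RFC 5737 documentation ranges.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample list in the assumed "IP:port" format.
C2_LIST = """\
# constructed sample, not a real C2 list
192.0.2.10:8080
198.51.100.77:443
203.0.113.5:7080
not-an-ip:80
"""

# Constructed sample connection log (assumed key=value layout).
LOG_LINES = [
    "2020-03-01T09:12:01Z src=10.0.0.23 dst=192.0.2.10 dport=8080 proto=tcp action=allow",
    "2020-03-01T09:12:05Z src=10.0.0.23 dst=192.0.2.99 dport=443 proto=tcp action=allow",
    "2020-03-01T09:13:44Z src=10.0.0.41 dst=198.51.100.77 dport=80 proto=tcp action=allow",
    "2020-03-01T09:14:02Z src=10.0.0.41 dst=203.0.113.5 dport=7080 proto=tcp action=allow",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s.*?\bsrc=(?P<src>\S+)\s.*?\bdst=(?P<dst>\S+)\s.*?\bdport=(?P<dport>\d+)"
)


def parse_c2_list(text: str) -> Dict[str, Set[int]]:
    """Return {ip: {ports}} from the list; malformed lines are skipped."""
    c2: Dict[str, Set[int]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            continue  # skip entries that are not valid IP addresses
        c2.setdefault(ip, set()).add(int(port))
    return c2


def match_log(lines: List[str], c2: Dict[str, Set[int]]) -> List[dict]:
    """Flag connections whose destination is a listed C2 host.

    kind == "ip+port" when both match, "ip" when only the address matches
    (still worth alerting, because the port list changes between updates).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if dst not in c2:
            continue
        kind = "ip+port" if dport in c2[dst] else "ip"
        hits.append({"ts": m["ts"], "src": m["src"], "dst": dst,
                     "dport": dport, "kind": kind})
    return hits


def block_rules(c2: Dict[str, Set[int]]) -> List[str]:
    """Render one outbound iptables DROP rule per listed endpoint."""
    rules = []
    for ip in sorted(c2, key=ipaddress.ip_address):
        for port in sorted(c2[ip]):
            rules.append(f"iptables -A OUTPUT -p tcp -d {ip} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    table = parse_c2_list(C2_LIST)
    for hit in match_log(LOG_LINES, table):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} ({hit['kind']})")
    print("\n".join(block_rules(table)))
```

In practice the list text would be fetched from the group's Pastebin page on a schedule and the rules fed to whatever perimeter device is in use; the IP-only match is deliberately kept, because a host that talked to a known C2 address on an unexpected port is still worth a look.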
CERT-Bund/BSI Warning about Emotet-Trojan/Ransomware
FAQ: Responding to an Emotet infection
Emotet C&C servers deliver new malware
CERT-Bund warns: Emotet is back, C&C servers online again
Emotet ransomware infection hits German Kraus-Maffei