Emotet establishes a backdoor onto Windows computer systems via automated phishing emails that distribute Word documents compromised with malware. Subjects of emails and documents in Emotet campaigns are regularly altered to provide the best chance of luring victims into opening emails and installing malware regular themes include invoices, shipping notices and information about COVID-19.
Those behind the Emotet lease their army of infected machines out to other cyber criminals as a gateway for additional malware attacks, including remote access tools (RATs) and ransomware.
"The infrastructure that was used by Emotet involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups and to ultimately make the network more resilient against takedown attempts," Europol says.
The disruption effort will pose serious short-term problems for the Emotet gang, but the group is likely to eventually reemerge, says Jason Meurer, who's a senior research engineer at Cofense. Indeed, other hacking groups operating malicious services have proven to be all too resilient despite law enforcement efforts to shutter their operations. In October 2020, for example, Microsoft and federal agencies disrupted the Trickbot operation. Within several weeks, however, the gang behind Trickbot was able to start rebuilding its network. Even if that happens, however, experts say the operation has been dealt a serious blow. "The effort is a shining example of what needs to be done in order to have any real impact on these organized cybercrime groups," Intel 471 says. "The difference between disruption and takedown boils down to criminals being put in handcuffs. It's the pinnacle of a takedown operation and the only way to have a long-term impact on the health and safety of the internet."