Cyber Incident Victim: Emotet botnet
Date:
Jul 2020
Location:
United States of America
Summary
In late July 2020 the Emotet botnet's operations were disrupted when an unknown actor compromised its payload distribution infrastructure and replaced the malware hosted there with memes and GIFs. The actor got in through a password that Emotet's operators had reused across the web shells planted on their compromised distribution websites, which allowed payloads to be overwritten programmatically, sometimes within minutes of being uploaded. Infected attachments still fetched from those sites, but downloaded harmless images instead of the Emotet loader, so the spam campaign's infections were blocked for the duration. The operators could regain control by deploying new web shells with fresh passwords or by purchasing server access, so the disruption was temporary; by the end of the period some of the compromised sites were redirecting to online survey scams instead of serving malware.
Description
In late July 2020, the Emotet botnet’s operations were disrupted by an unidentified actor who compromised its malware distribution infrastructure. Between July 21 and July 24, the actor gained access to the network of compromised websites Emotet used to host its payloads and replaced them with memes and GIFs, among them images of James Franco and the "Hackerman" meme. The intervention, dubbed "Emotehack," meant that the malicious attachments in Emotet’s spam campaigns no longer delivered working malware: when a target opened a document and its macro fetched the second stage from one of these distribution sites, the download returned an image rather than the Emotet loader, and the system was not infected. The maldocs and their macros were untouched; only the hosted second stage changed, so the infection chain was broken at payload delivery rather than at the lure. Microsoft cybersecurity researcher Kevin Beaumont observed that roughly 25% of the payloads he analyzed during this period had been replaced with humorous images. The replacements were fast, with some payloads overwritten within two minutes of being planted by Emotet’s operators. The disruption gave temporary relief from Emotet’s spam campaigns and forced the operators to spend their effort on regaining control of their own infrastructure.
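An added example, not from the original page or from any of the researchers named above: a small Python content sniffer that classifies a payload fetched from a distribution URL by its bytes (a structurally valid MZ/PE executable versus a GIF, PNG, JPEG or HTML page) and reports what fraction of a batch has been substituted, which is the kind of check behind a figure like Beaumont's 25%. The sample payloads are constructed stand-ins, not real Emotet binaries or captured images, and the HTML heuristic is a rough one assumed here for the survey-redirect case.

```python
"""Classify payload bytes fetched from a malware distribution URL.

Added example (not from the original page). During Emotehack the maldoc
macros still reached the distribution sites, but what came back was an
image rather than an executable. This sniffs the content instead of
trusting the URL or Content-Type header, and summarises a batch.
"""
import struct
from collections import Counter

# Leading bytes of the image formats seen in the substituted payloads.
IMAGE_MAGICS = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_payload(data: bytes) -> str:
    """Return 'pe', 'image/<fmt>', 'html' or 'unknown' for a fetched body."""
    if is_pe(data):
        return "pe"
    for magic, name in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return "image/" + name
    # Assumed heuristic: a redirect or scam page starts with an HTML tag.
    head = data.lstrip()[:15].lower()
    if head.startswith((b"<!doctype", b"<html", b"<meta", b"<script")):
        return "html"
    return "unknown"


def substitution_report(payloads):
    """Count payload types and the share that is not a functional PE."""
    counts = Counter(classify_payload(p) for p in payloads)
    total = len(payloads)
    functional = counts.get("pe", 0)
    substituted = total - functional
    return {
        "total": total,
        "functional_pe": functional,
        "substituted": substituted,
        "substituted_fraction": substituted / total if total else 0.0,
        "by_type": dict(counts),
    }


def make_fake_pe() -> bytes:
    """Constructed minimal MZ header plus PE signature (not a real binary)."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)       # e_lfanew -> 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed batch: three "loaders" and one substituted GIF.
SAMPLE_PAYLOADS = [
    make_fake_pe(),
    make_fake_pe(),
    make_fake_pe(),
    b"GIF89a" + b"\x00" * 16,
]

if __name__ == "__main__":
    print(substitution_report(SAMPLE_PAYLOADS))
```

The PE check deliberately follows e_lfanew rather than stopping at "MZ", because a substituted file that happens to start with those two letters should not be counted as a working loader; a GIF or PNG, by contrast, is identified from its fixed signature alone.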

The breach stemmed from an operational security failure on the part of Emotet’s operators: they reused the same password for the open-source web shell deployed on their compromised distribution sites. Researchers from Cryptolaemus and Beaumont noted that the operators had been reusing that credential since at least December 2019, so one recovered password gave the vigilante access to every web shell in the distribution tier and let them overwrite payloads programmatically. The sites themselves were ones Emotet had taken over after they were first compromised by traffic redirection scams, which typically lure visitors with fake promotions. By late July 2020, some distribution sites had begun redirecting to survey scams, including fake offers of Samsung Galaxy S10 devices, suggesting that Emotet’s operators might have been working with other criminal groups to regain access to their infrastructure. Researchers assessed that Emotet could deploy alternative web shells with new passwords to reestablish control over the distribution network, but while the substitutions lasted they significantly degraded the botnet’s operations.
