Authorities ramp up efforts to capture the Mastermind behind Emotet
Law enforcement authorities involved in Operation Endgame are actively seeking information about an individual known as Odd, who is allegedly the mastermind behind the Emotet malware. According to a video released by the agencies, Odd has used multiple aliases over the past few years, including Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, and Veron. The video raises questions such as, “Who is he working with? What is his current product?” This implies that Odd is likely not operating alone and may be collaborating with others on developing new malware beyond Emotet. The cybersecurity community has tracked the activities of the Emotet threat actors using various monikers, including Gold Crestwood, Mealybug, Mummy Spider, and TA542. These names have been associated with the group behind Emotet, which has been responsible for widespread and sophisticated cyberattacks. The video suggests that law enforcement believes Odd’s activities are ongoing and that he may be involved in further cybercriminal endeavors, making it crucial to uncover his current collaborators and projects. Operation Endgame is thus focused on gathering more information to disrupt these activities and prevent further cyber threats.
ATTACK OVERVIEW:
Emotet was originally conceived as a banking Trojan and evolved into a broader-purpose tool capable of delivering other payloads. It re-emerged in late 2021, albeit as part of low-volume campaigns, following a law enforcement operation that shut down its infrastructure.
As recently as March 2023, attack chains distributing an updated version of the malware were found to leverage Microsoft OneNote email attachments in an attempt to bypass security restrictions. No new Emotet-related activity has been observed in the wild since the start of April 2023. The call for information follows a sweeping coordinated effort that saw four arrests and the takedown of over 100 servers associated with malware loader operations, aimed at stamping out the initial access broker (IAB) ecosystem that feeds ransomware attacks. “All these malicious services were in the arsenal of such Russian cybercrime organizations as BlackBasta, REvil, Conti and helped them attack dozens of Western companies, including medical institutions,” the National Police of Ukraine (NPU) said in a statement. Cyber-attacks involving these malware families have relied on compromised accounts to target victims and propagate malicious emails, with the botnet operators using stolen credentials obtained through remote access Trojans (RATs) and information stealers to gain initial access to networks and organizations. Bratva has also been found sharing the names of the eight people that the Bundeskriminalamt revealed, while noting that Operation Endgame is one of the “far-going consequences of leaked Conti [ransomware] logs.”
MALWARES INVOLVED:
- Emotet Trojan: Emotet Trojan is a modular family of polymorphic first-stage initial access malware first discovered in 2014. It is considered one of the world’s most dangerous malware strains due to its numerous unique and evasive variants. Emotet began as a banking Trojan, but since 2017 its capabilities have been limited to primarily acting as an initial access Trojan for distributing top-tier second-stage malware and ransomware such as:
- Trickbot: TrickBot (or “TrickLoader”) is a recognized banking Trojan that targets both businesses and consumers for their data, such as banking information, account credentials, personally identifiable information (PII), and even bitcoins. As a highly modular malware, it can adapt to any environment or network it finds itself in. The many tricks this Trojan has pulled since its discovery in 2016 are attributed to the creativity and agility of its developers. On top of stealing data, TrickBot has been given capabilities to move laterally and gain a foothold within an affected network using exploits, propagate copies of itself via Server Message Block (SMB) shares, drop other malware like Ryuk ransomware, and scout for documents and media files on infected host machines.
- IcedID: IcedID (AKA BokBot) is a relatively new strain of malware first discovered in 2017 that is classified as a banking Trojan and Remote Access Trojan (RAT). It is considered to have capabilities comparable to other sophisticated banking Trojans such as Zeus, Gozi, and Dridex. IcedID is a second-stage malware reliant on other first-stage malware, such as Emotet, to gain initial access and deploy it. In addition to stealing victims’ financial information, IcedID often serves as a dropper for other second-stage malware, including ransomware, and has advanced capabilities to move laterally through a network. IcedID is primarily used by the Shatak threat actors (aka TA551) for their malware as a service (MaaS) criminal enterprise. IcedID infections are often installed by the notorious Emotet first-stage malware or by one of the largest malspam botnets in the world, the Cutwail malspam botnet. Although not listed in CISA’s top ten malware strains for 2021, IcedID is considered an advanced threat frequently updated with novel and advanced evasive techniques.
- QakBot: Qakbot (AKA Qbot or Pinkslipbot) is a modular second-stage malware with backdoor capabilities, initially purposed as a credential stealer, and has been noted by CISA as one of the top malware strains of 2021. Classified as a banking Trojan, worm, and Remote Access Trojan (RAT), Qakbot steals sensitive data and attempts to self-propagate to other systems on the network. Qakbot also provides remote code execution (RCE) capabilities, allowing attackers to perform manual attacks to achieve secondary objectives such as scanning the compromised network or injecting ransomware.
NAMES OF CYBERCRIMINALS INVOLVED:
Germany’s Federal Criminal Police Office (aka the Bundeskriminalamt) has also revealed the identities of eight cyber criminals who are believed to have played crucial roles in the SmokeLoader and Trickbot malware operations. They have all since been added to the E.U. Most Wanted List.
- Andreev
- Bragin
- Cherepanov
- Chereshnev
- Gruber
- Polish
- Tesman
- Kucherov
REMEDIATION STEPS:
- Identify the infected machines: Identifying the infected machines is the most crucial step and makes analyzing and removing the malware much easier.
- Disconnect the infected machines from the network: Disconnecting the infected machines from the network keeps other devices safe and makes the malware easier to identify. If they are not disconnected, they pose a threat to the other, unaffected devices on the network as well.
- Patch for EternalBlue, as Emotet drops TrickBot, which uses EternalBlue to propagate: This also protects the computer against ransomware campaigns such as WannaCry and Uiwix.
- Disable administrative shares: Administrative shares are a common lateral-movement path and must be disabled on the servers and Media Agents hosting the shares.
- Implement advanced spam filtering and email content analysis: This intercepts malicious emails before they reach users’ mailboxes.
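The following PowerShell script is an added example, not code from the original article or from any agency or vendor it mentions. It audits a single Windows host for the two host-level items in the list above, EternalBlue exposure and administrative shares, and can apply both fixes. It assumes Windows 8 / Server 2012 or later (for the SmbShare cmdlets), an elevated session, and the standard LanmanServer registry path; the script name and the `-Apply` switch are this example's own conventions. Spam filtering is a mail-gateway control and is not covered here.

```powershell
<#
  Added example (not from the original article). Audits one Windows host for
  SMBv1 (the EternalBlue / MS17-010 attack surface) and administrative shares.
  Read-only by default; pass -Apply to disable SMBv1 and the automatic
  administrative shares. Requires an elevated PowerShell session.
#>
[CmdletBinding()]
param([switch]$Apply)

$findings = New-Object System.Collections.Generic.List[string]

# --- 1. EternalBlue surface: SMBv1 server ---------------------------------
# EternalBlue exploits the SMBv1 server. Installing the MS17-010 update is the
# fix; disabling SMBv1 as well removes the attack surface on hosts whose patch
# level is uncertain and costs nothing on a network that already uses SMB2/3.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add('SMBv1 server protocol is ENABLED (EternalBlue attack surface present)')
    if ($Apply) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $findings.Add('  -> SMBv1 disabled')
    }
}

# Report the newest installed update so the analyst can compare it with the
# MS17-010 release (March 2017). Get-HotFix only lists updates applied through
# Windows Update/WUSA, so an old date means "verify manually", not "unpatched".
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latest) {
    $findings.Add("Newest installed update: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())")
} else {
    $findings.Add('No installed updates reported by Get-HotFix; verify patch level manually')
}

# --- 2. Administrative shares ----------------------------------------------
# C$, ADMIN$ and the per-drive <letter>$ shares are recreated automatically by
# the Server service. IPC$ is excluded because it is needed for normal SMB
# operation and is not a file share.
$adminShares = Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' }
foreach ($s in $adminShares) {
    $findings.Add("Administrative share present: $($s.Name) -> $($s.Path)")
}

if ($Apply -and $adminShares) {
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # Workstation SKUs read AutoShareWks, server SKUs read AutoShareServer;
    # setting both to 0 stops the shares being recreated on service restart.
    Set-ItemProperty -Path $lanman -Name 'AutoShareWks'    -Value 0 -Type DWord
    Set-ItemProperty -Path $lanman -Name 'AutoShareServer' -Value 0 -Type DWord
    # Remove the shares that exist right now, then restart the Server service
    # so the registry change takes effect.
    foreach ($s in $adminShares) { Remove-SmbShare -Name $s.Name -Force }
    Restart-Service -Name LanmanServer -Force
    $findings.Add('  -> automatic administrative shares disabled')
}

# --- Report -----------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no findings"
} else {
    Write-Output "$env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it without arguments first (`.\Audit-EmotetHost.ps1`) to get a findings list for the host, and only then with `-Apply`. Disabling administrative shares breaks any tooling that relies on them, such as remote management utilities and some backup agents, so check which products on the host depend on C$ or ADMIN$ before applying that part across a fleet. Disabling SMBv1 is the part that directly addresses TrickBot's EternalBlue propagation and is safe on any network that no longer has SMBv1-only clients.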