One of the most common practices in DDoS attacks is the use of botnets. This method has been around for years and has a proven track record of many successful DDoS attacks against organizations in all sectors. Botnets are groups of hijacked Internet-connected devices, occasionally referred to as “zombies,” that are infected with malware and controlled by a remote “herder” in an undisclosed location. The infected devices can be personal devices whose users are unaware of the infection, or IoT devices. DDoS attacks are the most common use of botnets: threat actors command every machine in the botnet to carry out a coordinated attack simultaneously. A botnet can consist of millions of bots, which enables the perpetrator to launch attacks that were previously impossible from just one machine.
Botnets are under the control of a remote perpetrator through what is referred to as Command and Control (C&C), in which each machine receives updates that change its behavior on the fly, so the “bot-herder” can rent out their botnets to other attackers in underground markets. One of the main advantages of a botnet is harnessing the computing power of hundreds or thousands of machines, and because the attacks come from so many different devices, it hides the perpetrator’s origin, making them harder to block or trace. The most well-known botnet is Mirai, but one of the most malicious botnets in recent years was Emotet. Emotet seemed to become obsolete in early 2021 after it was shut down following a joint effort by law enforcement agencies in several countries. But in November 2021, it was discovered that Emotet was back, and throughout 2022 it wreaked havoc. Now, in 2023, it seems Emotet is stronger than ever.
What Is the Emotet Botnet?
Emotet is both a botnet and malware that can extract different kinds of data, often pertaining to finance, from infected devices. Since Emotet returned in late 2021, it has been increasing its activity, first by spreading through Trickbot, a different bot network, and now by itself. The current version of Emotet can create automated spam campaigns that spread across the network from the infected devices, extracting emails, email addresses, passwords, and other personal information, as well as taking control of the machine itself. Emotet is distributed through phishing campaigns, usually containing malicious Excel or Word documents. When users open these documents and enable macros, Emotet is downloaded and loaded into memory, and the machine is infected and added to the botnet. Several ransomware groups, such as Conti, Quantum Locker, and ALPHV, have been using Emotet for ransomware attacks, and in early 2023 several key DDoS threat actors were observed using Emotet again as well.
Emotet’s botnets frequently update the IP addresses and TCP ports used for C&C communications. Emotet also frequently changes the URLs hosting its malware, sometimes using dozens of different URLs each day. In addition to brute forcing passwords, Emotet can spread to additional machines using a spam module that it installs on an infected machine, which makes it a dangerous botnet that has become very popular. The file names under which Emotet is carried seem harmless: “Electronic form.xls”, “Gmail_2022-02-11_1621.xls”, “SCAN594_00088.xls”, “Form.xls”, “payments 2022-11-02_1011, USA.xls” and many more innocent-sounding titles. In current Emotet infection campaigns, the malware files are introduced as a new Excel attachment template with instructions to copy the file into the trusted “Templates” folder, because doing so bypasses Microsoft’s Protected View. Once the file is launched from the “Templates” folder, it immediately executes macros that download the Emotet malware, and the user’s machine becomes part of the botnet.
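The “Templates” folder trick described above leaves a simple trace in endpoint telemetry: an Office host opening a macro-capable document from that folder. The following detection check is an added example, not code from the original article; it runs over constructed process-creation records, and the field names `image` and `cmdline` are assumptions standing in for whatever an EDR or Sysmon event actually carries.

```python
import ntpath
import re

# Office hosts that execute document macros; the campaign above uses Excel lures.
OFFICE_HOSTS = {"excel.exe", "winword.exe"}
# Extensions that can carry VBA macros (the Emotet file names above are .xls).
MACRO_EXTS = (".xls", ".xlt", ".xlsm", ".xltm", ".doc", ".dot", ".docm", ".dotm")
# The per-user Office Templates folder, which Protected View treats as trusted.
TEMPLATES_DIR = re.compile(r"\\microsoft\\templates\\", re.I)
QUOTED_ARG = re.compile(r'"([^"]+)"')

# Constructed sample events (not real telemetry), reduced to the two fields needed.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\alice\AppData\Roaming\Microsoft\Templates\Electronic form.xls"'},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\alice\Downloads\Q3 budget.xlsx"'},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\bob\AppData\Roaming\Microsoft\Templates\payments 2022-11-02_1011, USA.xls"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" "C:\Users\bob\AppData\Roaming\Microsoft\Templates\notes.xls"'},
]

def templates_documents(event: dict) -> list:
    """Macro-capable documents on this event's command line that live under Templates."""
    host = ntpath.basename(event["image"]).lower()
    if host not in OFFICE_HOSTS:
        return []
    # Office command lines pass the document as a quoted path; examine each argument.
    return [arg for arg in QUOTED_ARG.findall(event["cmdline"])
            if TEMPLATES_DIR.search(arg) and arg.lower().endswith(MACRO_EXTS)]

def is_templates_launch(event: dict) -> bool:
    """True when an Office host opened a macro-capable document from the Templates folder."""
    return bool(templates_documents(event))

def find_templates_launches(events) -> list:
    """Paths of every document launched from Templates across a batch of events."""
    hits = []
    for event in events:
        hits.extend(templates_documents(event))
    return hits

if __name__ == "__main__":
    for path in find_templates_launches(SAMPLE_EVENTS):
        print("document launched from Templates folder:", path)
```

Legitimate templates are usually opened by Office itself rather than passed as a command-line argument, so a hit is worth reviewing even though it is not proof of infection.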
Is Traditional Mitigation Useful Against Emotet?
Due to its sophisticated nature, Emotet is a hard botnet to defend against. Emotet’s polymorphic nature and numerous modules allow it to avoid detection, and the team behind Emotet constantly changes its tactics and techniques. Emotet downloads extra payloads in numerous steps and stays in the infected system, and the malware’s behavior makes it nearly impossible to get rid of. True to the “zombie” nature of botnets, Emotet’s malware spreads fast, adapts to threat actors’ needs, and is considered violent and aggressive. Emotet keeps raising the bar as a polymorphic botnet by adding new techniques, masking malicious strings and content, and even dropping other malware to worsen the infection. On March 7, 2023, Emotet was observed sending new malware spam to infect victims in a large, distributed fashion, using new evasion techniques such as Zip Bombing.
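A zip bomb is an archive whose declared contents are vastly larger than the archive itself, so that a scanner which inflates attachments runs out of time or memory before it reaches the payload. The check below is an added example and not code from the original article: it reads member sizes from the archive’s central directory without inflating anything, flags members whose declared-to-compressed ratio is extreme, and looks one level into small nested .zip members. The thresholds and the constructed sample archives are assumptions chosen for the demonstration.

```python
import io
import zipfile

MAX_RATIO = 100               # declared size / compressed size above which a member is flagged
MAX_TOTAL = 1 << 30           # 1 GiB of declared content flags the whole archive
MAX_DEPTH = 2                 # how many levels of nested .zip members to inspect
NESTED_READ_LIMIT = 16 << 20  # never inflate a nested member declared larger than this

def inspect_zip(data: bytes, depth: int = 0) -> dict:
    """Judge an archive from its central directory; only small nested .zip members are inflated."""
    total, worst, reasons = 0, 0.0, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)  # guard empty members
            worst = max(worst, ratio)
            if ratio > MAX_RATIO:
                reasons.append(f"{info.filename}: {ratio:.0f}:1 ratio")
            if (info.filename.lower().endswith(".zip") and depth < MAX_DEPTH
                    and info.file_size <= NESTED_READ_LIMIT):
                # zipfile reads at most the declared size, so NESTED_READ_LIMIT bounds memory.
                inner = inspect_zip(zf.read(info), depth + 1)
                worst = max(worst, inner["worst_ratio"])
                reasons += [f"{info.filename}/{r}" for r in inner["reasons"]]
    if total > MAX_TOTAL:
        reasons.append(f"declared total of {total} bytes exceeds limit")
    return {"total_declared": total, "worst_ratio": worst,
            "reasons": reasons, "flagged": bool(reasons)}

def make_zip(members: dict) -> bytes:
    """Build a constructed in-memory archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: a normal attachment, one hugely inflatable member, and that
# same archive nested one level down so the outer ratio alone looks harmless.
BENIGN = make_zip({"invoice.txt": b"Please find the attached invoice.\n" * 20})
BOMB = make_zip({"Electronic form.xls": b"\0" * (4 << 20)})
NESTED = make_zip({"attachment.zip": BOMB})

if __name__ == "__main__":
    for name, archive in (("benign", BENIGN), ("bomb", BOMB), ("nested", NESTED)):
        print(name, inspect_zip(archive))
```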
If Emotet is used to penetrate a network as the main attack vector, or as a companion to another cyber-attack, most traditional mitigation efforts might identify it. But when it is used as a botnet to launch a DDoS attack, there is little, if anything, that traditional mitigation can do to stop it. The only way to properly protect an organization’s network against an Emotet DDoS attack is to be proactive and gain visibility into the network’s critical DDoS mitigation vulnerabilities in advance. Botnet DDoS attacks succeed because there is a hidden gap in the mitigation, and once an attack gets through, even a simple DDoS attack can shut down an organization’s business activity and services and cause massive damage and downtime.
When it comes to a sophisticated attack, such as one using Emotet, the damage can be even more severe. Thus, to achieve true DDoS resilience, an organization must have complete visibility into its dynamic DDoS attack surface. Continuous and non-disruptive DDoS testing of an organization’s network against all known and unknown attack vectors, including Emotet, is the only way to protect the organization’s environment.