ZDNet journalists talked to members of the Cryptolaemus group, which brings together more than 20 information security experts from all over the world, united in 2018 by a common goal: fighting the Emotet malware.
Every day the group publishes new reports, indicators of compromise, IP addresses of Emotet command-and-control servers, hashes of malicious files and other useful information on its website and on Twitter. The experts hope that this data will help administrators in different countries protect their systems from Emotet infections and detect attacks early, before the malware manages to cause significant damage.

"In truth, seeing such cooperation within the group is really great, because some of us literally work for each other's direct competitors, but we can still work together and publish indicators of compromise, which is rare in the industry", says Cryptolaemus member James Quinn, an analyst at Binary Defense.
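As an added illustration of how an administrator might put such a feed to work (this is example code written for this article, not Cryptolaemus's tooling; the feed format, every indicator, address and log line in it are constructed, and the hash is of a dummy byte string rather than a real Emotet sample), the following script parses a feed of C2 addresses and file hashes and runs it over a sample proxy log:

```python
"""Match a published indicator feed (C2 addresses, file hashes) against local telemetry.

Added example, not code from ZDNet or Cryptolaemus. The feed format, the
indicator values and the proxy log lines are constructed for illustration:
the addresses are documentation ranges and the hash is of a dummy byte
string, not of real Emotet samples.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field

# Dummy "dropper" so the hash indicator resolves without any real malware.
DUMMY_DROPPER = b"constructed dummy dropper, not malware"
DUMMY_SHA256 = hashlib.sha256(DUMMY_DROPPER).hexdigest()

# Constructed stand-in for a daily IoC feed: "<type> <value>", '#' comments.
FEED = f"""
# constructed sample feed, not real indicators
c2 203.0.113.10:8080
c2 198.51.100.7:443
c2 192.0.2.55:7080
sha256 {DUMMY_SHA256}
"""

# Constructed proxy log: "<timestamp> <src> -> <dst>:<port> <method> <path> <status>"
PROXY_LOG = """
2020-03-05T10:12:44Z 10.0.5.23 -> 203.0.113.10:8080 POST /fKg2/ 200
2020-03-05T10:12:51Z 10.0.5.23 -> 192.0.2.1:443 GET / 200
2020-03-05T10:13:02Z 10.0.7.9 -> 198.51.100.7:443 POST /abc/ 200
2020-03-05T10:13:20Z 10.0.7.9 -> 192.0.2.55:443 POST /zzz/ 200
2020-03-05T10:13:25Z 10.0.7.9 -> 10.0.0.1:53 GET / 200
"""


@dataclass
class IocSet:
    c2: set = field(default_factory=set)       # (ip, port) tuples
    sha256: set = field(default_factory=set)   # lower-case hex digests


def parse_feed(text: str) -> IocSet:
    """Parse the feed, validating each indicator so a typo in the feed fails loudly."""
    iocs = IocSet()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, _, value = line.partition(" ")
        kind, value = kind.lower(), value.strip()
        if kind == "c2":
            ip, _, port = value.rpartition(":")
            ip = str(ipaddress.ip_address(ip))     # ValueError on a malformed address
            iocs.c2.add((ip, int(port)))
        elif kind == "sha256":
            if not re.fullmatch(r"[0-9a-fA-F]{64}", value):
                raise ValueError(f"bad sha256 indicator: {value!r}")
            iocs.sha256.add(value.lower())
        # other indicator types are ignored so a new feed column does not break the scan
    return iocs


LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d+)$"
)


def scan_proxy_log(log: str, iocs: IocSet) -> list:
    """Return a hit for each log line whose destination is a published C2 host."""
    c2_hosts = {ip for ip, _ in iocs.c2}
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dst, port = m["dst"], int(m["port"])
        if (dst, port) in iocs.c2:
            match = "ip:port"
        elif dst in c2_hosts:
            # Same host on another port: the feed lists ip:port pairs, but a port
            # change is cheap for the operators, so flag the host anyway.
            match = "ip"
        else:
            continue
        hits.append({"ts": m["ts"], "src": m["src"], "dst": dst,
                     "port": port, "path": m["path"], "match": match})
    return hits


def file_is_known_bad(data: bytes, iocs: IocSet) -> bool:
    """Exact-hash check: catches only the samples already seen by the feed's authors."""
    return hashlib.sha256(data).hexdigest() in iocs.sha256


if __name__ == "__main__":
    iocs = parse_feed(FEED)
    for hit in scan_proxy_log(PROXY_LOG, iocs):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"matches C2 indicator ({hit['match']})")
    print("dummy dropper flagged:", file_is_known_bad(DUMMY_DROPPER, iocs))
```

Two practical points the script reflects: an exact file hash only catches a sample the feed's authors have already seen, so network indicators for the C2 servers tend to stay useful longer than document hashes, and a host from the feed seen on an unlisted port is still worth an alert rather than a silent miss.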
Emotet first appeared in 2014 and is now one of the most active malware threats. It spreads predominantly through email spam, in particular malicious Word documents. Such emails may be disguised as invoices, account security warnings, party invitations, and even information about the spread of the coronavirus. In short, the attackers closely follow global news and constantly refine their lures.
Although Emotet started out as a classic banking trojan, the threat has since changed greatly, turning into a powerful loader (a downloader for other malware), and its operators have begun to cooperate actively with other criminal groups.
Today Emotet comes with many modules that allow the malware to spread within a network. Recently, security researchers found that Emotet can even act as a Wi-Fi worm for lateral movement.
Having penetrated the victim's system, Emotet uses the infected machine to send spam and installs a variety of additional malware on it. Often these are banking trojans such as Trickbot (which steals credentials, cookies, browser history, SSH keys and so on), cryptocurrency miners, infostealers, and ransomware such as Ryuk.
Members of the Cryptolaemus group regularly meet on Slack and Telegram, where they discuss new ways of dealing with Emotet. Many team members cannot reveal their identities or openly state that they are in the group, as they are bound by NDAs and their employment contracts do not allow them to share threat information publicly. Some work as IT administrators in large corporations, others are employees of cybersecurity companies.
ZDNet writes that the group arose in 2018 when a U.S. system administrator, known on Twitter as JayTHL, proposed the idea of creating such a team in a group chat. Almost everyone present agreed that fighting Emotet was a worthwhile and interesting undertaking. The group gradually grew, more participants joined, and they pooled their efforts to publish indicators of compromise and work on the problem together.
"Personally, I just want to help people and stop this threat", says Joseph Rosen, one of the few Cryptolaemus members who have revealed their names. "When Emotet infected the network at my workplace in November 2017, we were able to stop it only because we had a fairly solid VLAN scheme, so lateral movement was limited and cleanup was easy. But that experience changed my life, and at the same time it made me angry."
As for the name "Cryptolaemus", it came about in 2018 after Symantec published a report on Emotet. The report said that the malware's operator is an actor known under the pseudonym Mealybug (a sap-sucking insect that is an agricultural pest). Cryptolaemus is a genus of ladybird beetles used, among other things, as a biological control to reduce mealybug populations. One of the team members, ps66uk, who is not only an information security specialist but also a biologist, suggested the name to the researchers.
Both law enforcement agencies and fellow cybersecurity enthusiasts closely follow the work of Cryptolaemus. Moreover, the experts are sure that Emotet's developers are watching them no less closely.
"I'm absolutely sure that they know about us and read our daily reports", says Rosen. "Too often we have watched them change tactics just minutes after our publications, so that is not a coincidence. I am absolutely sure that they are among our many readers who read our reports as soon as they appear."
Ultimately, the members of the group would like to see Emotet shut down and its creator, known as Ivan, behind bars. Although that is certainly still a long way off, the specialists are ready at least to reduce the number of infections and thereby cut into Ivan's profits.
To that end, some team members reverse-engineer Emotet payloads, others monitor the botnet's command-and-control servers, and still others work on the encryption and protocols Emotet uses.