Security News

A nascent malware campaign has been spotted co-opting Android devices into a botnet with the primary purpose of carrying out distributed denial-of-service attacks. Called "Matryosh" by Qihoo 360's Netlab researchers, the latest threat has been found reusing the Mirai botnet framework and propagates through exposed Android Debug Bridge interfaces to infect Android devices and ensnare them into its network.

A report released Wednesday by security firm Digital Shadows looks at how such an effort was orchestrated to put a seeming end to the infamous Emotet malware. On Jan. 27, the European Union Agency for Law Enforcement Cooperation revealed that a global coalition of law enforcement and judicial authorities across several countries had disrupted Emotet through an endeavor known as "Operation Ladybird."

Following a takedown operation earlier this month, authorities are taking steps towards cleaning up systems infected with the Emotet malware. Serving as a malware loader, Emotet has been associated with the distribution of well-known malware families, including TrickBot and Ryuk ransomware, among others.

Emotet establishes a backdoor onto Windows computer systems via automated phishing emails that distribute Word documents compromised with malware. Subjects of emails and documents in Emotet campaigns are regularly altered to provide the best chance of luring victims into opening emails and installing malware-regular themes include invoices, shipping notices and information about COVID-19.

EU police agency Europol has boasted of taking down the main botnet powering the Emotet trojan-cum-malware dropper, as part of a multinational police operation that included raids on the alleged operators' homes in the Ukraine. "To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week's action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside," said Europol in a jubilant statement this afternoon.

Authorities have managed to disrupt the infrastructure of the Emotet botnet, as part of an international effort of law enforcement agencies across Europe and North America. One of the most prevalent botnets over the past decade, Emotet first emerged in 2014 as a banking Trojan, but evolved into a malware downloader used by many cybercriminals looking to spread their malicious payloads.

The infrastructure of today's most dangerous botnet built by cybercriminals using the Emotet malware was taken down following an international coordinated action coordinated by Europol and Eurojust. The Emotet malware was first spotted as a banking Trojan in 2014 and it has evolved into a botnet used by the TA542 threat group to deploy second-stage malware payloads.

Law enforcement and judicial authorities worldwide have effected a global takedown of the Emotet botnet, Europol announced today. "The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such data theft and extortion through ransomware. Investigators have now taken control of its infrastructure in an international coordinated action," they explained.

A recently identified piece of malware is targeting Linux devices to ensnare them into a botnet capable of malicious activities such as distributed denial of service and crypto-mining attacks. Dubbed FreakOut, the malware is infecting devices that haven't yet received patches for three relatively new vulnerabilities, including one that was made public earlier this month.

An ongoing malware campaign has been found exploiting recently disclosed vulnerabilities in network-attached storage devices running on Linux systems to co-opt the machines into an IRC botnet for launching distributed denial-of-service attacks and mining Monero cryptocurrency. Regardless of the vulnerabilities exploited, the end goal of the attacker appears to be to download and execute a Python script named "Out.py" using Python 2, which reached end-of-life last year - implying that the threat actor is banking on the possibility that that victim devices have this deprecated version installed.