Authorities Ramp Up Efforts to Capture the Mastermind Behind Emotet

Law enforcement authorities behind Operation Endgame are seeking information related to an individual who goes by the name Odd and is allegedly the mastermind behind the Emotet malware.

Odd is also said to go by the nicknames Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, Veron over the past few years, according to a video released by the agencies.

“Who is he working with? What is his current product?” the video continues, suggesting that he is likely not acting alone and may be collaborating with others on malware other than Emotet.

The threat actor(s) behind Emotet has been tracked by the cybersecurity community under the monikers Gold Crestwood, Mealybug, Mummy Spider, and TA542.

Originally conceived as a banking trojan, Emotet evolved into a broader-purpose loader capable of delivering other payloads, much like TrickBot, IcedID, and QakBot. It re-emerged in late 2021, albeit in low-volume campaigns, following a law enforcement operation that shut down its infrastructure.

As recently as March 2023, attack chains distributing an updated version of the malware were found to leverage Microsoft OneNote email attachments in an attempt to bypass security restrictions. No new Emotet-related activity has been observed in the wild since the start of April 2023.

The call follows a sweeping coordination effort that saw four arrests and over 100 servers associated with malware loader operations such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot taken down in an effort to stamp out the initial access broker (IAB) ecosystem that feeds ransomware attacks.

Germany’s Federal Criminal Police Office (aka the Bundeskriminalamt) has also revealed the identities of eight cyber criminals who are believed to have played crucial roles in the SmokeLoader and TrickBot malware operations. They have all since been added to the E.U. Most Wanted List.

“All these malicious services were in the arsenal of such Russian cybercrime organizations as BlackBasta, Revil, Conti and helped them attack dozens of Western companies, including medical institutions,” the National Police of Ukraine (NPU) said in a statement.

Cyber attacks involving these malware families have relied on compromised accounts to target victims and propagate malicious emails, with the botnet operators using credentials stolen by remote access trojans (RATs) and information stealers to gain initial access into networks and organizations.

Data shared by Swiss cybersecurity firm PRODAFT with The Hacker News in the wake of the operation shows that criminal actors on underground forums like XSS.IS are on alert, with the moderator – codenamed bratva – urging others to be careful and check if their virtual private servers (VPSes) went down between May 27 and 29, 2024.

Bratva has also been found sharing the names of the eight people that the Bundeskriminalamt revealed, while noting that Operation Endgame is one of the “far-going consequences of leaked Conti [ransomware] logs.”

Other actors took to the forum to wonder out loud as to who might have leaked the chats and raised the possibility of a “rat” who is working with law enforcement. They also claimed that Romania and Switzerland would not share data about criminal actors residing within their borders unless it’s an “extreme threat” like terrorism.

“[The] FBI can raid anything under saying its [sic] ‘terrorism’,” one user who goes by the alias phant0m said.

The Hacker News