GOLD CRESTWOOD
SUMMARY
GOLD CRESTWOOD is a financially motivated cybercriminal threat group responsible for the creation, distribution, and operation of the Emotet botnet. Emotet is a derivative of the Cridex (aka Bugat v4) malware and is operated by the same principals. Originally designed as banking malware, since 2016 Emotet has operated as a pay-per-install "malware loads" service that delivers malware on behalf of GOLD CRESTWOOD's customers. These customers have included the operators of the Dridex (aka Bugat v5), TrickBot, Qakbot (aka Qbot), and IcedID (aka BokBot) malware families. Emotet is known for extended periods of inactivity, often occurring multiple times per year, during which the botnet maintains a steady state but does not deliver spam or malware.
Emotet relies largely on its own ability to self-spread for distribution but at times uses other botnets, such as TrickBot, to seed infections. A spam module allows Emotet to steal existing email content from victims and reply directly to those threads with either a malicious Office document attachment that executes the Emotet loader or a hyperlink to an external site hosting such a document. The emails are sent using stolen SMTP credentials transmitted over the Emotet command and control (C2) channel. Emotet can also self-spread using an SMB module that tries a hard-coded list of weak passwords against hosts on the local network. A Universal Plug and Play (UPnP) module also allows Emotet infections on hosts not connected directly to the Internet to act as C2 servers.
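The SMB spreading described above leaves a distinctive footprint on Windows hosts: one source address producing a burst of failed network logons (Event ID 4625, logon type 3) against many neighbouring machines with a handful of generic account names. The following detection logic is an added example, not code from the original profile; the event field names and the constructed sample events are assumptions, to be mapped onto your own log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2021, 1, 20, 9, 0, 0)

# Constructed Windows Security events, pre-parsed into dicts. The field names are an
# assumption for this example. event_id 4625 = failed logon; logon_type 3 = network
# logon, which is how SMB authentication shows up on the target host.
def _ev(offset_s, src, target, account, event_id=4625, logon_type=3):
    return {"ts": BASE + timedelta(seconds=offset_s), "event_id": event_id,
            "logon_type": logon_type, "src_ip": src, "target_host": target,
            "account": account}

SAMPLE_EVENTS = (
    # One infected workstation cycling weak credentials against four neighbours
    [_ev(10 * i, "10.0.0.25", t, a) for i, (t, a) in enumerate(
        [("WS-07", "admin"), ("WS-07", "administrator"), ("WS-07", "user"),
         ("WS-12", "admin"), ("WS-12", "administrator"), ("WS-12", "guest"),
         ("FS-01", "admin"), ("FS-01", "administrator"), ("FS-01", "backup"),
         ("WS-19", "admin"), ("WS-19", "administrator"), ("WS-19", "test")])]
    # Benign noise: one user mistypes a password twice, then logs on successfully
    + [_ev(30, "10.0.0.40", "FS-01", "jdoe"), _ev(45, "10.0.0.40", "FS-01", "jdoe"),
       _ev(60, "10.0.0.40", "FS-01", "jdoe", event_id=4624)]
)

def detect_smb_spray(events, window=timedelta(minutes=5), min_failures=8, min_targets=3):
    """Flag sources whose failed network logons fan out to many hosts in a short window.

    Returns {src_ip: {"failures": n, "targets": [...], "accounts": [...]}}.
    """
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            failures[e["src_ip"]].append(e)
    alerts = {}
    for src, evs in failures.items():
        # Slide a window anchored at each failure; report the first dense burst.
        for i, start in enumerate(evs):
            burst = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            targets = {x["target_host"] for x in burst}
            if len(burst) >= min_failures and len(targets) >= min_targets:
                alerts[src] = {"failures": len(burst), "targets": sorted(targets),
                               "accounts": sorted({x["account"] for x in burst})}
                break
    return alerts

if __name__ == "__main__":
    for src, info in detect_smb_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failed SMB logons against {info['targets']}")
```

The thresholds are deliberately conservative so that a single user fumbling a password does not trip the rule; tune them against your own baseline of logon-type-3 failures before deploying.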
In late January 2021, an international law enforcement consortium conducted Operation Ladybird, an extensive technical operation against the existing Emotet botnet. The agencies captured the backend C2 infrastructure of the botnet, denying GOLD CRESTWOOD the ability to control existing infections. This captured infrastructure was then used to distribute a modified Emotet loader configured with law enforcement-controlled C2 servers and an uninstallation routine that executed on April 25, 2021.