Emotet Malware Appears to Be Back in Business
The Malware Is Apparently Rebuilding Its Botnet Through TrickBot.
Emotet is a kind of malware known as banking Trojans. Malspam, or spam emails carrying malware, is the most common way for it to propagate (hence the term). To persuade consumers, these communications frequently feature recognizable branding, imitating the email structure of well-known and reputable firms such as PayPal or DHL.
In the past, the Emotet virus was thought to be the most frequently distributed malware, thanks to spam operations and infected attachments.
Emotet would then utilize compromised devices to carry out more spam campaigns and install other payloads like the QakBot (Qbot) and Trickbot malware. These payloads would subsequently be utilized to give threat actors, such as Ryuk, Conti, ProLock, Egregor, and others, early access to disseminate ransomware.
An international law enforcement operation led by Europol and Eurojust took over the Emotet infrastructure and detained two people at the start of the year.
The infrastructure that was used by EMOTET involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts.
To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.
In April German law enforcement utilized the infrastructure to send an Emotet module that removed the virus from afflicted devices.
The TrickBot virus recently began dumping an Emotet loader on affected devices, according to researchers from Cryptolaemus, GData, and Advanced Intel.
On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification. Please find first results and IOCs below. Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet.
While Emotet previously installed TrickBot, the threat actors are now reusing TrickBot’s infrastructure to recreate the Emotet botnet.
This absence of spam activity is most likely due to the Emotet infrastructure being rebuilt from the ground up, as well as new reply-chain emails being stolen from victims in future spam operations.
Cryptolaemus, an Emotet research organization, studied the latest Emotet loader and told BleepingComputer that it had additional features compared to earlier versions.
So far we can definitely confirm that the command buffer has changed. There’s now 7 commands instead of 3-4. Seems to be various execution options for downloaded binaries (since its not just dlls).