Researchers from multiple security agencies have observed the return of the infamous Emotet botnet. The TrickBot malware was found dropping a loader for Emotet on infected systems.

What happened?

Researchers from Advanced Intel, GData, and Cryptolaemus have observed several new changes in the new Emotet loader in comparison to previous variants. 
  • These include a changed command buffer; it now offers seven commands instead of its usual three or four.
  • Moreover, it has multiple execution options for downloaded binaries.
  • The researchers are warning that the rebirth of the botnet would increase ransomware infections.

Possible propagation methods

Researchers have not seen any evidence of Emotet sending spam emails or discovered any malicious documents delivering the malware, which were the typical methods used to spread Emotet in the past.
  • The possible reason behind the lack of spamming activity is believed to be the rebuilding effort of Emotet infrastructure. 
  • Instead of Emotet installing TrickBot (the historical way), threat actors are using a method called Operation Reacharound to rebuild the Emotet botnet by leveraging the existing infrastructure of TrickBot.
  • Additionally, it is suspected that new reply-chain emails are being stolen for future spam campaigns.

Earlier takedown attempts

  • In the first quarter of this year, Europol and Eurojust took over the infrastructure of Emotet and two individuals were arrested. 
  • In April, German law enforcement delivered an Emotet module that uninstalled the threat from infected devices.

What to do?

The new Emotet infrastructure is growing fast, with 246 infected devices already acting as C2 servers. Therefore, rapid action is the need of the hour. (a non-profit organization) released a list of C2 servers used by the new Emotet botnet and experts strongly recommend admins block any associated IP addresses.

Cyware Publisher