Emotet botnet, which has recently started its malicious activities after a gap of five months, appears to be walking along its traditional path. Like old times, it is again starting to distribute the same secondary malware.
Within a few days of returning back to life, Emotet has been observed distributing TrickBot, its old companion, again.
- The latest Emotet campaign has been running since July 17, 2020, and was also observed distributing Trickbot malware on July 20, 2020.
- Attackers launched massive spam campaigns masqueraded as payment reports, invoices, shipping information, and employment opportunities. They infected Windows machines with Emotet, which eventually downloads TrickBot malware.
- TrickBot harvests all the valuable data and then opens up a reverse shell to the Ryuk and Conti Ransomware actors. The collaboration with the Ryuk ransomware actors could allow them to access the network, steal unencrypted files, and encrypt the entire network.
Emotet-TrickBot - A threatening combo
Emotet botnet had been distributing the Trickbot since as early as October 2018, and they had been together till the beginning of the COVID-19 era.
- In March 2020, the TrickBot and Emotet trojans were found adding text from Coronavirus news stories to attempt to bypass security software that use artificial intelligence and machine learning to detect malware.
- In February 2020, an Emotet SMiShing campaign was observed using fake bank domains, which is assumed to be a targeted campaign for distributing TrickBot trojan.
Emotet, Ryuk, and TrickBot's trio not new
In April 2019, a unique malicious campaign was found targeting European and American companies, which included the concoction of Emotet and TrickBot, as well as the nascent Ryuk ransomware.
The Ryuk and Conti connection
In July 2020, it was found that Ryuk and Conti shared similarities in the malware code. So, it is believed that Conti ransomware is connected to the same Ryuk ransomware developer group based on the code reuse and unique TrickBot distribution.