Emotet, a banking trojan turned botnet that spread primarily via email, has reared its head after a hiatus of 10 months. Emotet made headlines when Europol announced that eight global law enforcement authorities had disrupted it under “Operation Ladybird.”
Fresh, active Emotet botnet C2 servers are now being pushed to Feodo Tracker 💪🛡️
We urge you to *BLOCK* these C2 servers and regularly update your block list to receive the maximum protection!
— abuse.ch (@abuse_ch) November 15, 2021
#Emotet has almost doubled its botnet C2 infrastructure in the past 24 hours from 8 active C2s yesterday to 14 active C2s today 🔥🪲 We have also observed an increase of Emotet malspam today 📩
It seems to be very clear that Emotet is firing up its activity! 💥 Be prepared! 🛡️ pic.twitter.com/lY70BW1wED
— abuse.ch (@abuse_ch) November 16, 2021
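The advice in the tweets above, to block the published C2 servers and keep the block list current, can be automated. The following is an added example and not code from abuse.ch, Feodo Tracker or CISO MAG. It assumes a CSV feed shaped like the Feodo Tracker IP block list (columns first_seen_utc, dst_ip, dst_port, c2_status, last_online, malware; the column names are an assumption to be checked against the live feed), and the sample feed embedded below is constructed from RFC 5737 documentation addresses, not real indicators.

```python
"""
Defensive helper (added example, not abuse.ch or CISO MAG code): turn a
C2 block-list feed into a deduplicated set of egress deny rules, and diff
two runs so the block list can be refreshed regularly.

Assumptions:
- Feed is CSV in the Feodo Tracker-like shape
  first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
  (column names assumed; verify against the real feed before use).
- SAMPLE_FEED is constructed for this example using RFC 5737
  documentation addresses; none of these are real Emotet C2s.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample feed: includes a duplicate row, an offline C2,
# a different malware family and a malformed IP to exercise the parser.
SAMPLE_FEED = """\
# Feodo Tracker-style C2 feed (constructed sample, not real indicators)
first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2021-11-15 08:12:00,192.0.2.10,443,online,2021-11-16,Emotet
2021-11-15 09:40:00,198.51.100.7,8080,online,2021-11-16,Emotet
2021-11-15 09:40:00,198.51.100.7,8080,online,2021-11-16,Emotet
2021-11-14 21:26:00,203.0.113.55,443,offline,2021-11-15,Emotet
2021-11-10 11:00:00,203.0.113.99,449,online,2021-11-16,TrickBot
2021-11-15 10:00:00,not-an-ip,443,online,2021-11-16,Emotet
"""


@dataclass(frozen=True, order=True)
class C2Entry:
    ip: str
    port: int
    malware: str


def parse_feed(text, families=("Emotet",), only_online=True):
    """Parse feed text into a sorted, deduplicated list of C2Entry.

    Comment lines ('#') are skipped. Rows with an invalid IP or port are
    dropped individually so one malformed line cannot abort the whole
    block-list update.
    """
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    seen = set()
    for row in reader:
        if row.get("malware") not in families:
            continue
        if only_online and row.get("c2_status", "").strip().lower() != "online":
            continue
        try:
            ip = ipaddress.ip_address(row["dst_ip"].strip())
            port = int(row["dst_port"])
        except (ValueError, KeyError):
            continue  # malformed row: skip, do not fail the whole run
        if not 0 < port < 65536:
            continue
        seen.add(C2Entry(str(ip), port, row["malware"]))
    return sorted(seen)


def to_iptables_rules(entries, chain="OUTPUT"):
    """Render one egress DROP rule (iptables syntax) per C2 endpoint."""
    return [
        f"iptables -A {chain} -p tcp -d {e.ip} --dport {e.port} -j DROP"
        for e in entries
    ]


def diff_blocklist(old, new):
    """Return (added, removed) between two feed pulls, so a scheduled job
    can add rules for new C2s and retire rules for C2s that went offline."""
    old_set, new_set = set(old), set(new)
    return sorted(new_set - old_set), sorted(old_set - new_set)


if __name__ == "__main__":
    current = parse_feed(SAMPLE_FEED)
    for rule in to_iptables_rules(current):
        print(rule)
    added, removed = diff_blocklist(current[:1], current)
    print(f"{len(added)} new C2(s) to block, {len(removed)} to retire")
```

In practice the feed text would come from a scheduled download rather than the embedded sample, and the generated rules would be loaded into an ipset or the perimeter firewall; the diff step is what makes the tweet's "regularly update your block list" cheap to do.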
This time around, the threat actors behind Emotet are again leveraging TrickBot, sending spam email chains with malicious attachments and links. TrickBot itself originated as a banking trojan that stole sensitive financial information through brute-force attacks and credential harvesting.
The 2021 Disruption
The industry applauded the takedown of Emotet, albeit with a few reservations. Experts expected the action to help numerous organizations and the more than one million Microsoft Windows systems that had been compromised with Emotet malware. But the relief has been short-lived.
As part of the takedown, law enforcement authorities had pushed a new Emotet module, a 32-bit EmotetLoader.dll, to all infected computers so that the malware would uninstall itself automatically. The new, resurgent variant was first noticed around November 14, 2021.
Security researcher Luca Ebach of cyber.wtf wrote in a post: “On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification. Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet.”
In an exclusive comment to CISO MAG on the re-emergence of Emotet malware, Adam Meyers, SVP of Intelligence at CrowdStrike, said: “CrowdStrike Intelligence confirms the return of Emotet malware as reported publicly by media. From our perspective this is likely a new version of MUMMY SPIDER’s Emotet. This assessment carries moderate confidence and is based on extensive code similarities to prior versions of Emotet as well as MUMMY SPIDER’s long-standing relationship with WIZARD SPIDER. Emotet is currently being distributed via TrickBot, which we associate with the eCrime adversary group: WIZARD SPIDER. To protect themselves, it is really down to organizations ensuring they identify compromised hosts quickly and remediate. Based on our research on breakout time – i.e., the time it takes for an adversary to move laterally within a victim environment – security teams should detect threats on average in 1 minute, understand them in 10 minutes and contain them in 60 minutes to be effective at stopping breaches.”
Also lending his thoughts on the revival of the botnet, Lotem Finkelstein, Director of Threat Intelligence and Research at Check Point Software Technologies, said: “Emotet, the most successful botnet in the history of cyber, is making a comeback after the famous shutdown of its global operation almost 10 months ago. Emotet is responsible for the explosion of targeted ransomware we have seen over the past three years and its comeback might lead to a further increase in such attacks. It is no surprise that Trickbot and its infrastructure are being used to deploy the newly resurgent Emotet. This will not only shorten the time it would take for Emotet to build a significant enough foothold in networks around the world, but it is also a sign that, like in the old days, Trickbot and Emotet are united as partners in crime.”