Emotet Malware Resurfaces After 10 Months in Exile

essidsolutions

Unlike the REvil ransomware gang, whose members were arrested in November after its infrastructure had been taken down a month earlier, the threat actors behind Emotet are still at large. That is possibly why the malware, whose infrastructure was taken down in January 2021, is back in business after 10 months, right as the holiday season gets underway.

The Emotet malware, which was widely thought to have been dealt with earlier this year by a joint global police action, has evidently resurfaced. According to multiple sources, including cybersecurity researchers Brad Duncan, Kevin Beaumont, and others from G DATA, Cryptolaemus, and AdvIntel, the threat actors behind Emotet have reactivated the malware and are targeting Windows users in several campaigns.

Just did a conference call with some peeps tracking Emotet.

It’s back and retooled. Code and infrastructure have had updates, it is better secured now. It must be somebody/somebodies with access to original source code.

Will lead to more ransomware operators inside orgs shortly.

— Kevin Beaumont (@GossiTheDog) November 16, 2021

“On Sunday, November 14, at around 9:26 pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet,” G Data’s Dr. Tilman Frosch wrote. “As per the famous duck-typing, we conclude so far: smells like Emotet, looks like Emotet, behaves like Emotet – seems to be Emotet.”

2021-11-14: 🔥The “#Emotet partner ($) loader” program appears resourcing from existing #TrickBot infections.

📌TrickBot launched what appears to be the newer Emotet loader.
👇

— Vitali Kremez (@VK_Intel) November 15, 2021

Notorious for information theft, the malware, once described as the world’s most dangerous, is back to its spam-driven malware delivery, commonly known as malspam. The resurgence is disconcerting considering that Emotet was being used as a ransomware dropper right up until its infrastructure (several hundred servers located around the globe) was seized in January 2021.

The creation of Emotet can be traced back to 2014. Back then, it functioned as a banking trojan designed to steal financial data. Over the years, Emotet evolved into a ‘dropper’ that hackers used to deploy second-stage ransomware, which was leveraged to exfiltrate data, encrypt devices, and compromise IT networks. Data marked for exfiltration included passwords, contact lists, and the content and attachments of emails, harvested from browsers such as Firefox and Chrome and from mail clients such as Outlook and Thunderbird.


For instance, cybercriminals widely used Emotet to infiltrate computer systems and IT networks and make way for second-stage malware such as the TrickBot and QBot families, which were used to target businesses worldwide.

As a result, it inflicted heavy damage on organizations in terms of monetary costs and loss of proprietary information. An additional trait of the malware, a trojan of sorts, was its worm-like capability to spread laterally across networks.

Emotet activity increased in 2020, specifically to exploit vulnerable organizations as the COVID-19 pandemic forced them to shift to remote work. Emotet botnets were leveraged to drop TrickBot, which delivered ransomware payloads, and Qakbot trojans, which stole banking credentials and data. Hackers also started hiding Emotet in password-protected .zip files to bypass email security gateways and reach more victims worldwide.

Emotet also went quiet for five months in the summer of 2020 before targeting users during last year’s December holiday season. After the Emotet infrastructure was taken down in January this year, remnants of Emotet were uninstalled from infected computers in April using a module created by Germany’s federal police agency, the Bundeskriminalamt.

Emotet’s return is also email-based. According to Duncan, the emails carry attachments such as a Microsoft Excel spreadsheet, a Microsoft Word document, or a password-protected zip archive (password: BMIIVYHZ) containing a Word document. “These emails were all spoofed replies that used data from stolen email chains, presumably gathered from previously infected Windows hosts,” Duncan wrote.

One difference is that Emotet now encrypts its command-and-control traffic, where it previously used unencrypted connections. Duncan added, “Infection traffic for Emotet is similar to what we saw before the takedown in January 2021. The only real difference is Emotet post-infection C2 is now encrypted HTTPS instead of unencrypted HTTP. My infected lab host turned into a spambot trying to push out more Emotet malspam.”
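The delivery chain in the two paragraphs above (spoofed reply emails carrying a password-protected zip that wraps an Office document) gives mail defenders something concrete to check even without the archive password: the zip's central directory still exposes each member's name and its encryption flag bit. The script below is an added example, not code from the article or from any of the researchers quoted. The mail message, the archive, the file names and the example.com/example.org domains are all constructed here for illustration, and the hand-rolled zip writer exists only because Python's standard library cannot set the encryption flag when writing.

```python
"""Flag mail attachments that match the lure described in the article:
a password-protected zip wrapping an Office document. A gateway cannot
open the members, but the zip metadata (encryption flag, member names)
is readable without the password."""
import io
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

OFFICE_SUFFIXES = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 of the zip format


def build_zip(members, encrypted):
    """Constructed sample: write a minimal 'stored' zip by hand, because the
    stdlib zipfile module resets the flag bits on write. Only the flag bit is
    set; the payload is not really encrypted, which is enough for metadata
    inspection (the example never extracts the members)."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    local, central = bytearray(), bytearray()
    for name, payload in members:
        raw = name.encode()
        crc = zlib.crc32(payload)
        offset = len(local)
        # local file header: sig, version, flags, method, time, date, crc,
        # compressed size, uncompressed size, name length, extra length
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                             crc, len(payload), len(payload), len(raw), 0)
        local += raw + payload
        # central directory entry (same fields plus comment/disk/attr/offset)
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               0, 0, 0x21, crc, len(payload), len(payload),
                               len(raw), 0, 0, 0, 0, 0, offset)
        central += raw
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members),
                       len(members), len(central), len(local), 0)
    return bytes(local + central + eocd)


def assess_zip(data):
    """Return (encrypted, office_members) for a zip blob by reading only the
    central directory; an encrypted archive still lists its member names."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = any(info.flag_bits & FLAG_ENCRYPTED for info in infos)
    office = [info.filename for info in infos
              if info.filename.lower().endswith(OFFICE_SUFFIXES)]
    return encrypted, office


def scan_message(raw):
    """Walk a raw RFC 5322 message and report zip attachments that are both
    encrypted and carry an Office document: the combination the lure relies
    on to get past gateway inspection."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            encrypted, office = assess_zip(part.get_payload(decode=True))
        except zipfile.BadZipFile:
            findings.append((name, "malformed zip"))
            continue
        if encrypted and office:
            findings.append((name, "encrypted zip wrapping " + ", ".join(office)))
    return findings


def build_sample_message(zip_bytes, zip_name):
    """Constructed sample mail shaped like a spoofed reply with a zip attached."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "partner@example.com"   # constructed address
    msg["To"] = "finance@example.org"     # constructed address
    msg["Subject"] = "RE: invoice (constructed sample)"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


# Constructed archives: one mimicking the lure, one benign control.
LURE = build_zip([("Invoice.doc", b"constructed, not a real document")], True)
BENIGN = build_zip([("notes.txt", b"constructed plain text")], False)

if __name__ == "__main__":
    print(scan_message(build_sample_message(LURE, "Invoice.zip")))
    print(scan_message(build_sample_message(BENIGN, "notes.zip")))
```

Run as a script, the first line reports the encrypted archive wrapping `Invoice.doc` and the second reports nothing. In practice this check sits at the gateway before delivery: a password-protected archive whose member list shows an Office document is quarantined on that metadata alone, regardless of how convincing the stolen reply chain around it looks.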

In the first 24 hours after Emotet resurfaced on Sunday, November 14, the number of active Emotet command and control (C2) servers increased from eight to 14 by Tuesday.
