Emotet was once among the most widely distributed malware families, spreading through spam campaigns that carried malicious attachments.
Once it had a foothold on a device, Emotet used that host to send further spam and to deploy additional payloads, most frequently the QakBot and TrickBot banking trojans.
Those payloads were in turn used to deliver a final payload, usually ransomware; Ryuk, Conti, ProLock, and Egregor are among the families that have been seen at the end of this chain.
At the start of 2021, an international law enforcement coalition coordinated in Europe took control of the Emotet infrastructure, and two of the primary operators were arrested. With the Emotet servers under their control, authorities pushed a module that uninstalled Emotet from infected devices.
Yesterday, researchers from Cryptolaemus, GData, and Advanced Intel began to see TrickBot dropping a loader for Emotet on infected devices, signaling a return of the notorious botnet.
In the past it was usually Emotet that deployed TrickBot; this is the first time the reverse has been observed. Researchers have dubbed the method "Operation Reacharound", and the threat actors are using it to rebuild the Emotet botnet on top of TrickBot's existing installed base of infected hosts.
Cryptolaemus Emotet researcher Joseph Roosen told BleepingComputer that they had not yet seen the Emotet botnet send spam or found any malicious documents dropping the malware.
This lack of spamming activity is likely because the Emotet infrastructure is being rebuilt from scratch and the operators have yet to steal fresh reply-chain emails from victims to seed future spam campaigns.
Researchers at Cryptolaemus, who have long been key players in studying Emotet Malware, have begun analyzing the new Emotet loader and told reporters that it includes new changes compared to the previous variants.
"So far we can definitely confirm that the command buffer has changed. There are now 7 commands instead of 3-4. Seems to be various execution options for downloaded binaries (since it's not just DLLs)," Cryptolaemus researchers stated.
Advanced Intel’s Vitali Kremez has also analyzed the new Emotet dropper and warned that the rebirth of the malware botnet would likely lead to a surge in ransomware infections.
"It is an early sign of the possible impending Emotet malware activity fueling major ransomware operations globally given the shortage of the commodity loader ecosystem," Kremez told reporters at BleepingComputer.
“It also tells us that the Emotet takedown did not prevent the adversaries from obtaining the malware builder and setting up the backend system bringing it back to life.”
Samples of the Emotet loader dropped by TrickBot can be found on URLhaus.
Kremez stated that the current Emotet loader DLL has a compilation timestamp of "6191769A (Sun Nov 14 20:50:34 2021)", which is consistent with the loader having been built the day before it was first seen.
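The compilation timestamp quoted above is the COFF header's TimeDateStamp, a 32-bit Unix time that is cheap to pull from any PE file during triage. The following is an added example, not code from the original article or from the researchers it quotes: it builds a constructed, minimal PE image carrying the page's value (0x6191769A), reads the field back by walking the DOS header's e_lfanew pointer to the PE signature, and renders it as UTC. The helper names and the fake image are assumptions made for this example; it is not an Emotet sample.

```python
import struct
from datetime import datetime, timezone


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal PE image for this example: a DOS header whose e_lfanew
    points at 'PE\\0\\0' followed by a COFF file header carrying `timestamp`.
    Not a real binary; only the fields needed to demonstrate the lookup."""
    e_lfanew = 0x40  # PE signature immediately after the 64-byte DOS header
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 3, timestamp, 0, 0, 0xF0, 0x2022)
    return dos_header + b"PE\x00\x00" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image; raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    # TimeDateStamp sits 4 bytes into the COFF header (after Machine and NumberOfSections)
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return ts


def timestamp_to_utc(ts: int) -> str:
    """Render a Unix timestamp in the same ctime-like form the article quotes."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def timestamp_is_plausible(ts: int, observed_at: int) -> bool:
    """Triage check: a build time of zero or one later than the time the sample was
    first observed is a sign the field was blanked or forged."""
    return 0 < ts <= observed_at


if __name__ == "__main__":
    sample = build_fake_pe(0x6191769A)
    ts = pe_timestamp(sample)
    first_seen = 0x6191769A + 86400  # constructed: observed one day after the build
    print(f"{ts:08X} ({timestamp_to_utc(ts)}) plausible={timestamp_is_plausible(ts, first_seen)}")
```

The timestamp is attacker-controlled (the linker writes it, and it is trivial to rewrite), so treat it as a clue about the build pipeline, not as proof; the plausibility check only catches the crude cases.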
The malware-tracking non-profit abuse.ch has published, through its Feodo Tracker, a list of command and control servers used by the new Emotet botnet and strongly suggests that network admins block the associated IP addresses.
The new Emotet infrastructure appears to be growing rapidly, with over 246 infected devices already acting as C&C servers; that number has likely grown further since the list was published.
Network administrators are strongly advised to block outbound traffic to the listed IP addresses. Note what this does and does not achieve: it cuts off already infected hosts from their controllers and prevents them from being recruited into the rebuilt botnet, but it does not stop the TrickBot infections that are delivering the loader, and because the list changes quickly, it needs to be re-pulled regularly rather than applied once.
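Turning such a list into something actionable usually means two things: checking existing egress logs for connections to the listed addresses (to find hosts that are already talking to the botnet) and feeding the addresses into a firewall set. The following is an added example, not code from the original article or from abuse.ch: it parses a constructed blocklist in the comma-separated shape of a Feodo Tracker-style export (the column names are an assumption for this example), runs it over a few constructed firewall log lines, and emits nftables commands for an address set. The addresses are RFC 5737 documentation ranges, not real C2s, and the nft commands assume an `inet filter` table with an `output` chain already exists.

```python
import csv
import io
import ipaddress
import re

# Constructed blocklist for this example (Feodo Tracker-style columns, assumed).
BLOCKLIST_CSV = """\
# Sample IP blocklist (constructed for this example, documentation addresses only)
first_seen_utc,dst_ip,dst_port,last_online,malware
2021-11-14 21:05:33,198.51.100.23,8080,2021-11-15,Emotet
2021-11-14 22:41:10,203.0.113.77,443,2021-11-15,Emotet
2021-11-15 01:12:54,192.0.2.250,7080,2021-11-15,Emotet
2021-11-15 01:30:00,not-an-address,443,2021-11-15,Emotet
"""

# Constructed egress log lines: "<timestamp> <src> -> <dst>:<port> <action>".
LOG_LINES = [
    "2021-11-15T09:02:11Z 10.20.30.41 -> 93.184.216.34:443 ALLOW",
    "2021-11-15T09:03:48Z 10.20.30.41 -> 203.0.113.77:443 ALLOW",
    "2021-11-15T09:04:02Z 10.20.30.58 -> 198.51.100.23:8080 ALLOW",
    "2021-11-15T09:04:30Z 10.20.30.58 -> 198.51.100.23:80 ALLOW",
    "garbage line that should be ignored",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\S+)$")


def parse_blocklist(text: str) -> dict:
    """Map each listed IPv4 C2 address to the set of ports it was seen on.
    Comment lines and malformed addresses are skipped so a bad row never
    becomes a bad firewall rule."""
    entries = {}
    rows = csv.DictReader(line for line in io.StringIO(text) if not line.startswith("#"))
    for row in rows:
        try:
            addr = ipaddress.ip_address(row["dst_ip"].strip())
        except ValueError:
            continue
        if addr.version != 4:  # the nft set below is ipv4_addr; keep v6 out of it
            continue
        entries.setdefault(str(addr), set()).add(int(row["dst_port"]))
    return entries


def find_c2_connections(lines, blocklist: dict) -> list:
    """Return every log line whose destination is a listed C2, flagging whether the
    port also matches. Matching is on address alone, since that is what gets blocked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst, port = m["dst"], int(m["port"])
        if dst in blocklist:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": dst, "port": port,
                         "known_port": port in blocklist[dst]})
    return hits


def nft_block_commands(blocklist: dict, table: str = "inet filter", setname: str = "emotet_c2") -> list:
    """Emit nft commands: create an address set, load it, drop outbound traffic to it.
    Assumes the table and its 'output' chain already exist."""
    elems = ", ".join(sorted(blocklist, key=ipaddress.ip_address))
    return [
        f"nft add set {table} {setname} {{ type ipv4_addr; }}",
        f"nft add element {table} {setname} {{ {elems} }}",
        f"nft add rule {table} output ip daddr @{setname} counter drop",
    ]


if __name__ == "__main__":
    bl = parse_blocklist(BLOCKLIST_CSV)
    for hit in find_c2_connections(LOG_LINES, bl):
        print(f"C2 contact: {hit['src']} -> {hit['dst']}:{hit['port']} at {hit['ts']}"
              + ("" if hit["known_port"] else " (port not in list)"))
    print("\n".join(nft_block_commands(bl)))
```

The hits, not the rules, are the more valuable output: a host that was already reaching a listed address before the block went in has a loader on it, and blocking the IP does not remove it. Re-run the log check each time the list is refreshed.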
Protection From Emotet Malware
Attacks like the Conti ransomware campaigns show that cyberattacks continue to rise, and that both government and business leaders are underprepared for the fallout of an attack. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.
SaferNet is designed for the cybersecurity issues that individuals, families, and businesses face today. It connects every device through a secure, always-on VPN and also blocks outside cyberthreats, malware, and viruses. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to its VPN and cyber protection, SaferNet offers a range of employee or parental/family internet controls, including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three in one service. SaferNet is an endpoint security presence that can be implemented in minutes anywhere in the world, on phones, laptops, tablets, and computers, at a price point that caters to businesses and families of all sizes. Setup and installation take only minutes, and an easily accessible control hub lets you monitor all your employees' or family members' devices, including activity, time spent online, and threats blocked.