Emotet uses Windows systems infected with TrickBot malware to make malicious entry.

CISO MAG

Emotet, a banking-trojan-turned-botnet that primarily spread via emails, has raised its head after a hiatus of 10 months. Emotet made headlines when Europol announced that eight global law enforcement authorities disrupted it under “Operation Ladybird.”

Abuse.ch released a list of botnet Command&Control servers (C&Cs), which are presently associated with Emotet and other malware.

https://platform.twitter.com/embed/Tweet.html?creatorScreenName=cisomag&dnt=false&embedId=twitter-widget-0&features=eyJ0ZndfZXhwZXJpbWVudHNfY29va2llX2V4cGlyYXRpb24iOnsiYnVja2V0IjoxMjA5NjAwLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2hvcml6b25fdHdlZXRfZW1iZWRfOTU1NSI6eyJidWNrZXQiOiJodGUiLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3NwYWNlX2NhcmQiOnsiYnVja2V0Ijoib2ZmIiwidmVyc2lvbiI6bnVsbH19&frame=false&hideCard=false&hideThread=false&id=1460308766767915013&lang=en&origin=https%3A%2F%2Fcisomag.eccouncil.org%2Femotet-botnet-resurfaces-via-trickbot%2F&sessionId=e98e691187f24ad9008a2c54d738c006fa5a30f9&siteScreenName=cisomag&theme=light&widgetsVersion=f001879%3A1634581029404&width=550pxhttps://platform.twitter.com/embed/Tweet.html?creatorScreenName=cisomag&dnt=false&embedId=twitter-widget-1&features=eyJ0ZndfZXhwZXJpbWVudHNfY29va2llX2V4cGlyYXRpb24iOnsiYnVja2V0IjoxMjA5NjAwLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2hvcml6b25fdHdlZXRfZW1iZWRfOTU1NSI6eyJidWNrZXQiOiJodGUiLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3NwYWNlX2NhcmQiOnsiYnVja2V0Ijoib2ZmIiwidmVyc2lvbiI6bnVsbH19&frame=false&hideCard=false&hideThread=false&id=1460649241454563341&lang=en&origin=https%3A%2F%2Fcisomag.eccouncil.org%2Femotet-botnet-resurfaces-via-trickbot%2F&sessionId=e98e691187f24ad9008a2c54d738c006fa5a30f9&siteScreenName=cisomag&theme=light&widgetsVersion=f001879%3A1634581029404&width=550px

As observed this time, threat actors leveraging Emotet are again using TrickBot to send spam email chains with malicious attachments and links. In the past, TrickBot originated as a banking trojan to steal sensitive financial information via brute-force attacks or credential harvesting.

 The 2021 Disruption

The industry applauded the takedown of Emotet, however, with a few reservations. Experts were delighted that the successful action would help various organizations and over a million Microsoft Windows systems that were compromised with Emotet malware. But the happiness has been short-lived.

The law enforcement authorities had distributed a new Emotet module in the form of a 32-bit EmotetLoader.dll to the users of all infected computers to automatically uninstall the malware. The new variant was noticed around 14, November 2021.

Security researcher Luca Ebach of cyber.wtf, in a post shared, “On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification. Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet.”

Expert Speak

Commenting on the re-emergence of Emotet malware, Adam Meyers, SVP of Intelligence, CrowdStrike opined, “CrowdStrike Intelligence confirms the return of Emotet malware as reported publicly by media. Emotet is currently being distributed via TrickBot, which we associate with the eCrime adversary group: WIZARD SPIDER. As we suspected, the dismantling of the Emotet network by Europol in January 2021 only had a temporary effect. WIZARD SPIDER is a sophisticated eCrime group whose arsenal also includes malware such as Ryuk, Conti, and Cobalt Strike. The takeover of Emotet by WIZARD SPIDER impressively shows how resilient the eCrime milieu has become by now.”

Also lending his thoughts on the revival of the botnet, Lotem Finkelstein, Director, Threat Intelligence and Research for Check Point Software Technologies, said, Emotet, the most successful botnet in the history of cyber is making a comeback after the famous shutdown of its global operation almost 10 months ago. Emotet is responsible for the explosion of targeted ransomware we have seen over the past three years and its comeback might lead to a further increase in such attacks. It is no surprise that Trickbot and its infrastructure are being used to deploy the newly resurgent Emotet. This will not only shorten the time it would take for Emotet to build a significant enough foothold in networks around the world but it also a sign that, like in the old days, Trickbot and Emotet are united as partners in crime.”

Source: https://cisomag.eccouncil.org/emotet-botnet-resurfaces-via-trickbot/