Black keyboard with skull and crossbones showing Emotet malware

Emotet Malware Returns by Leveraging Trickbot’s Infrastructure and Resumes Phishing Campaigns

Security researchers at Advanced Intel, Cryptolaemus, G DATA, and SANS Institute’s Internet Storm Centre (ISC), independently observed the return of the world’s most dangerous malware Emotet.

Appearing in 2014, Emotet malware botnet evolved into a leading distributor of TrickBot, Conti, Ryuk ransomware, Egregor, QakBot banking trojan, ProLock, among others.

However, the ransomware gang closed operations for almost a year after a coordinated crackdown operation by global law enforcement agencies. In January 2021, authorities seized Emotet servers and detained two individuals involved in the operation. They also issued an uninstall command in several countries like Poland and Germany, cleaning over one million infected computers.

In October 2020, it targeted the Democratic National Congress (DNC) volunteers’ inboxes. Before its shutdown, the Emotet botnet executed aggressive phishing campaigns, targeting over 100,000 mailboxes daily to deliver TrickBot malware in December 2020.

New Emotet malware variant leverages existing TrickBot infrastructure to reboot

G DATA security researcher Luca Ebach observed TrickBot distributing an Emotet windows dynamic library (DLL) targeting previously infected computers.

According to his November 15 blog post, Ebach noted that the sample was just recently compiled on November 14 before distribution. Additionally, he found that the traffic associated with the sample was similar to one that Kaspersky associated with Emotet malware. The variant also used flattened control flows for code obfuscation as previously observed in the former Emotet malware.

However, Ebach observed that the new Emotet malware leveraged HTTPS traffic with a self-signed server certificate.

“Emotet is one of the most popular forms of malware in the past, and clearly still has some staying power,” said Saryu Nayyar, CEO at Gurucul. “While it is readily identifiable, the combination of Trickbot with Emotet is a combination that still has the ability to infect systems that aren’t well protected. Enterprises have to continue to be on the alert for malware that is delivered by known bad actors in order to combat its effects.”

Notably, Cryptolaemus researchers found that Emotet operators were trying to reconstruct by leveraging TrickBot’s existing infrastructure in “Operation Reacharound.” They also noted that the new variant contains seven commands while its predecessor had just three to four.

The Malware tracking website Abuse.ch published a list of Emotet malware command-and-control servers. However, the servers were strikingly different from those seized in January, suggesting completely new infrastructure. The website also discovered that the operators had expanded the list of C2 servers from nine to fourteen in 24 hours, indicating that they were gearing up for an activity. At least 246 infected devices were already working as C2 servers.

The researchers advised network administrators to block the IP addresses to prevent compromise by the resurgent Emotet malware variant.

According to former Microsoft researcher Kevin Beaumont, the new version of Emotet malware was better and possibly created by threat actors with the original source code.

Advanced Intel’s researcher Vitali Kremez also noted that the initial takedown did not prevent the threat actors from accessing the Emotet source code and creating a new malware variant and its infrastructure.

“Emotet was different than most access-as-a-service providers,” said James Shank, Sr. Security Evangelist and Chief Architect, Community Services at Team Cymru. “Its design led to a more redundant system than most malware. The first version’s takedown required collaboration between many companies and countries. It is too early to tell what this new version of Emotet will look like.

“It will take some time to see how Emotet rebuilds, and whether it can become the “world’s most dangerous malware” again. You can be sure that those that helped to take it down the first time are keeping watch. It doesn’t come as a surprise that Emotet resurfaced. In fact, more may wonder why it took so long.”

Adam Meyers, SVP of Intelligence at CrowdStrike, also confirmed the return of Emotet after acquisition by cybercrime group WIZARD SPIDER.

“As we suspected, the dismantling of the Emotet network by Europol in January 2021 only had a temporary effect. WIZARD SPIDER is a sophisticated eCrime group whose arsenal also includes malware such as Ryuk, Conti, and Cobalt Strike. The takeover of Emotet by WIZARD SPIDER impressively shows how resilient the eCrime milieu has become by now.”

Emotet malware phishing campaign detected

SANS ICS and MalwareBytes researchers observed an Emotet phishing campaign leveraging malicious emails containing infected Word, Excel, and zip archives. The campaign exploits stolen email reply threads without depending on TrickBot for distribution.

The emails contained captivating subjects like current news events, fake corporate memos, and invoices to trick the victims into opening them.

“Since these infections spread predominantly through email phishing campaigns, wise organizations will engage users in security awareness training and simulated testing campaigns in an effort to help them hone their skills at spotting and reporting phishing emails. In addition, tracking newly discovered command and control servers, alerting on and blocking traffic to them, can reduce the risk of infection greatly,” said Erich Kron, security awareness advocate at KnowBe4.

Cryptolaemus researchers also observed Emotet threat actors promoting malicious links for downloading infected documents.

Emotet’s return coincides with the increased frequency of ransomware attacks and the subsequent concerted global efforts to bring the perpetrators to justice.