Emotet botnet comes back to life after a nearly year-long absence


Emotet, considered one of the largest and most dangerous malware botnets of the past several years, is once again raising its head more than ten months after authorities took down its infrastructure as part of an international law enforcement operation at the beginning of 2021.

Emotet first appeared on the threat landscape as a banking trojan in 2014, but over time the malware evolved into one of the most professional and long-lasting cybercrime services, one that allowed cybercriminal groups to gain access to compromised networks and conduct illicit activities such as data theft and extortion through ransomware.

The Emotet malware was delivered to victims via emails containing malicious attachments in the form of Word or Excel documents. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the document could run and install the Emotet malware on the victim’s computer.

German law enforcement used the Emotet infrastructure to deliver a module to all infected systems that instructed the malware to self-destruct on April 25.

However, over the weekend security researchers observed another botnet called Trickbot dropping a loader for the Emotet malware on infected devices.

“We used to call this Operation ReachAround back when Emotet was dropped by Trickbot in the past,” a spokesperson for Cryptolaemus, a group of security researchers who tracked Emotet in the past, told The Record.

Cryptolaemus researchers told BleepingComputer that the new Emotet loader comes with some changes compared to the previous versions. It is now able to perform 7 commands instead of 3-4, and includes various execution options for downloaded binaries (since it's not just DLLs).

According to Advanced Intel researcher Vitali Kremez, the rebirth of Emotet would likely lead to a surge in ransomware infections.

"It is an early sign of the possible impending Emotet malware activity fueling major ransomware operations globally given the shortage of the commodity loader ecosystem," he said.

Abuse.ch, a non-profit project that fights malware and botnets, has published a list of command and control servers used by the new Emotet botnet, and strongly recommends that network administrators block the IP addresses associated with the threat.
