Emotet malware resurfaces despite major takedown efforts in 2021

Emotet infrastructure taken down in global law enforcement operation

After almost ten months of being taken down by international law enforcement operations, researchers have found evidence that suggests that the Emotet malware botnet is back and running.

Emotet, which first surfaced in 2014 as a banking trojan, is disseminated by malicious actors via phishing email attachments and links that, if clicked or downloaded, launch the payload which then “attempts to proliferate within a network by brute-forcing user credentials and writing to shared drives.”

In recent times, hackers have distributed Emotet to thousands of IT networks and millions of computers worldwide using COVID-19-themed phishing emails, attaching password-protected Zip files to bypass email security gateways, and stealing existing email chains from infected hosts so they can reply to the chain under a spoofed identity with a malicious document attached, tricking recipients into opening the file.
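The two delivery tactics just described, a password-protected Zip that a gateway cannot inspect and a reply injected into a stolen thread under a spoofed identity, can both be triaged from message metadata. The following is an added example for mail-gateway or SOC tooling, not code from the article or the researchers it cites; the organisation domain, contact list and every message record are constructed assumptions.

```python
"""Triage rules for the Emotet delivery tactics described above.
Added example; ORG_DOMAIN, KNOWN and SAMPLE are constructed values."""
import struct

ORG_DOMAIN = "example.org"          # assumption: the defender's own mail domain
MACRO_EXTS = (".doc", ".docm", ".xls", ".xlsm")

def is_encrypted_zip(data: bytes) -> bool:
    """Read the ZIP local file header: bit 0 of the general-purpose flag
    (little-endian u16 at offset 6) marks an encrypted entry, i.e. an archive
    a content-scanning gateway cannot open."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return False
    flags, = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def triage(msg: dict, known_contacts: dict) -> list:
    """Return the reasons a message matches the tactics in the text.
    msg keys: from_name, from_addr, in_reply_to, attachment_name, attachment_bytes.
    known_contacts maps a display name to the address it normally uses."""
    reasons = []
    name = msg["attachment_name"].lower()
    if name.endswith(".zip") and is_encrypted_zip(msg["attachment_bytes"]):
        reasons.append("password-protected zip attachment")
    elif name.endswith(MACRO_EXTS):
        reasons.append("macro-capable office attachment")
    # Thread hijack: a reply to a message our own domain originated, sent from
    # a domain that does not match the identity the display name claims.
    expected = known_contacts.get(msg["from_name"])
    replying_to_us = ORG_DOMAIN in msg.get("in_reply_to", "")
    if replying_to_us and expected and sender_domain(expected) != sender_domain(msg["from_addr"]):
        reasons.append("reply to internal thread from a domain not matching the claimed sender")
    return reasons

# Constructed sample: minimal ZIP local header with the encryption flag set.
ENCRYPTED_ZIP = b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, 1, 0, 0, 0, 0, 0, 0, 11, 0) + b"invoice.doc"
SAMPLE = {  # constructed: hijacked thread, spoofed identity, encrypted archive
    "from_name": "Alice Example",
    "from_addr": "alice.example@mail-relay.test",
    "in_reply_to": "<20211115.1234@example.org>",
    "attachment_name": "Invoice_1117.zip",
    "attachment_bytes": ENCRYPTED_ZIP,
}
KNOWN = {"Alice Example": "alice@example.org"}

if __name__ == "__main__":
    print(triage(SAMPLE, KNOWN))
```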

In January this year, law enforcement authorities across Europe and North America announced the dismantling of the Emotet infrastructure which included over 700 servers distributed across continents. According to Europol, the hundreds of servers that formed part of the Emotet infrastructure had different functions with some of them managing computers affected by the malware, some to spread to new ones, some to serve other criminal groups, and some to make the network more resilient against takedown attempts.

Even though the takedown operation seemed robust enough to stop the use of the Emotet infrastructure forever, cyber security researchers have, unfortunately, begun to see signs of the botnet reappearing.

According to cyber security firms Cryptolaemus, GData, and Advanced Intel, cybercriminals are now using the TrickBot infrastructure to drop a loader for Emotet on infected devices. Security researcher Luca Ebach likewise observed TrickBot being used to help the Emotet gang restart their operations by installing the Emotet malware on systems that had previously been infected with TrickBot. This new workaround has been named ‘Operation Reacharound’ by the Cryptolaemus group.

“We used to call this Operation Party Line back when Emotet was dropped by Trickbot in the past,” a spokesperson for Cryptolaemus told The Record.

The new strain of the Emotet malware has been seen resurfacing on the third anniversary of the Cryptolaemus Twitter account, the same group that played an important role in tracking, mapping, and helping law enforcement agencies take down Emotet earlier this year.

Cryptolaemus has started analysing the new Emotet loader and told BleepingComputer that it includes new changes compared to the previous variants. “So far we can definitely confirm that the command buffer has changed. There’s now 7 commands instead of 3-4. Seems to be various execution options for downloaded binaries (since it’s not just dlls),” Cryptolaemus researchers told BleepingComputer.

So far the new strain of the Emotet malware has infected over 246 devices. Malware tracking organization Abuse.ch has warned that the malware strain itself remains a very sophisticated and capable threat that shouldn’t be ignored. “We urge you to BLOCK these command and control servers and regularly update your block list to receive the maximum protection,” Abuse.ch wrote on Twitter earlier today.

In light of the news that Emotet has re-emerged, Callum Roxan, the head of Threat Intelligence at F-Secure told Teiss that “Emotet’s re-emergence is a notable event due to the prevalence of this malware family historically. There are indications that Emotet was initially being deployed by TrickBot and has since started sending out phishing emails as well. The emails seem to contain malicious Word, Excel, and Zip files that deploy Emotet on the victim host.

“The questions IT teams need to be asking have not changed, but the level of risk due to the frequency of threats may see an uptick as this malware family builds up its operations once again. We live in a world where the threat will remain ever-present, this event does not change that, but it does highlight the need for continued vigilance and investment in building resilience to cyber threats for all organizations,” he added.

Copyright Lyonsdown Limited 2021
