The Emotet malware is back, nearly ten months after law enforcement disrupted its infrastructure in an international coordinated operation.
On Sunday, researchers observed the Trickbot banking trojan downloading and executing updated Emotet binaries. Luca Ebach, researcher with German security company G Data, first observed DLLs identified as Emotet on his research team’s Trickbot trackers. After a manual verification, Ebach said researchers “have high confidence that the samples indeed seem to be a reincarnation of the infamous Emotet.”
Since then, infections have jumped, said George Glass, head of threat intelligence with Redscan, who noted that his team is currently tracking nine Emotet command-and-control (C2) servers that are now active. As part of this newly commenced Emotet spamming activity, Glass said the botnet has been stealing emails to use in reply-chain attacks, where attackers use a compromised email thread to send malicious emails.
“There have been dozens of new infections in the last 24 hours alone,” said Glass. “If the botnet can resume a large number of spam campaigns and reply-chain attacks it will certainly infect more organizations and individuals. Emotet is an ideal initial access vector for ransomware groups.”
Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said the return of Emotet has been observed in email messages to government, non-profit and commercial organizations predominantly in the United States and Canada. The top five verticals impacted by these messages have included financial services, insurance, transportation, technology and manufacturing. Based on some of the infrastructure Proofpoint researchers observed in campaigns, the actors are leveraging bulletproof hosting providers to rescale operations, said DeGrippo.
"These do not appear to be tests," said DeGrippo. "They are active campaigns."
The new samples of Emotet have been slightly updated. Emotet's communication protocol now uses elliptic curve cryptography (ECC) for encryption of APIs, while older versions relied on RSA. Attackers are also now integrating XLS and XLM files into their initial delivery method, researchers said. If a victim downloads one of these files and enables macros, Emotet is installed.
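A gateway-side check along those lines, added here as an example and not code from the page or from any of the vendors quoted in it: it inspects an Excel attachment for the archive parts that carry VBA or Excel 4.0 (XLM) macro sheets and holds the file for review before a user is ever asked to enable macros. The workbook archives it builds are constructed test inputs, not real lures.

```python
import io
import zipfile

# Parts inside an OOXML (.xlsm/.xlsx) archive that indicate macro content.
VBA_PART = "xl/vbaProject.bin"      # VBA project
XLM_PREFIX = "xl/macrosheets/"      # Excel 4.0 (XLM) macro sheets
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy binary .xls container


def classify_workbook(data: bytes) -> dict:
    """Report which macro-bearing parts a workbook contains.
    Legacy OLE2 .xls files can carry XLM/VBA too but need an OLE parser,
    so they are only flagged as uninspectable here."""
    result = {"ooxml": False, "vba": False, "xlm": False, "legacy_ole": False}
    if data[:8] == OLE_MAGIC:
        result["legacy_ole"] = True
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result  # not a workbook at all
    result["ooxml"] = True
    result["vba"] = VBA_PART in names
    result["xlm"] = any(n.startswith(XLM_PREFIX) and n.endswith(".xml")
                        for n in names)
    return result


def should_quarantine(data: bytes) -> bool:
    """Policy (assumed for this example): hold workbooks with VBA or XLM
    macros, and legacy OLE workbooks that cannot be inspected here."""
    c = classify_workbook(data)
    return c["vba"] or c["xlm"] or c["legacy_ole"]


def build_sample(extra_parts) -> bytes:
    """Constructed minimal workbook archive used as test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        for part in extra_parts:
            zf.writestr(part, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for label, parts in (("clean", []), ("xlm", ["xl/macrosheets/sheet1.xml"]),
                         ("vba", ["xl/vbaProject.bin"])):
        blob = build_sample(parts)
        print(label, classify_workbook(blob), should_quarantine(blob))
```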
"We continue to see thread hijacking, similar attachment names, and the use of Word documents and password protected ZIP files in delivery as previously observed," said DeGrippo. "A number of the files’ names look legitimate. The payload URLs are still distributed in sets of seven, along with the same Botnet ID generation to name a few."
"Emotet has consistently been one of the largest volume threats on the internet for years. This return is significant for the threat landscape and represents a significant threat to organizations’ security posture."
Emotet, which began as a banking trojan in 2014, eventually evolved into a botnet that sent spam emails to victims in order to install a collection of second-stage payloads (including TrickBot, QakBot and ZLoader) on their devices. On Jan. 27, law enforcement agencies from Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States announced that they had cracked down on a network of hundreds of botnet servers that were supporting Emotet.
As part of this takedown effort, law enforcement identified the IP addresses of approximately 1.6 million computers worldwide that appeared to have been infected with Emotet malware (between April 1, 2020 and Jan. 17, 2021), according to the U.S. Department of Justice. Authorities later used an uninstall module, which they had previously deployed on infected devices across the world, to clean the devices of the malware.
Jérôme Segura, senior director of threat intelligence at Malwarebytes, said that takedown operations like the one in January will slow malware operators down - but only significant arrests will have a more lasting impact.
"The attacker only needs time to grow their botnet back as the distribution method has always been successful in the past," said Segura. "As long as the threat actor is determined to get back into the business, there is little that can stop them."
Researchers said that organizations can use a variety of methods to safeguard themselves from Emotet and other types of malware. These include carrying out regular assessments such as penetration testing, enforcing multi-factor authentication, and investing in antivirus and endpoint detection and response tools to help uncover malicious activity early.