Emotet is a modular banking trojan that also functions as a downloader of other trojans and malware/ransomware.
In January 2021, law enforcement and judicial authorities worldwide moved together to perform a global takedown of the Emotet botnet, and in April 2021 they performed a coordinated, widespread uninstall of the malware from infected machines via a module they propagated in January, effectively crippling the botnet.
Resurrecting the Emotet botnet
According to the researchers, whoever is trying to bring the Emotet botnet back online has started by using the Trickbot botnet to drop the malware, and then added the tried and tested method of sending spam with attachments and links to it.
“These emails were all spoofed replies that used data from stolen email chains, presumably gathered from previously infected Windows hosts,” ISC handler Brad Duncan noted.
Emotet botmasters are counting on users to be tricked into enabling macros so that the malware can be delivered.
“Compared with its previous variants, [Emotet] now contains 3 or 4 more commands that correspond to execution options for downloaded binaries,” shared Felipe Duarte Domingues, security researcher at Appgate.
“It’s not clear if this new version is developed by the same threat actors as before, or if it’s the work of another gang with access to the source code. Takedowns like these against Emotet, TrickBot, and ransomware operations are effective, but it’s very hard to arrest or retire all the involved members. Their remaining threat actors usually rebrand themselves and/or re-use their infrastructures and malware source codes to continue to pursue their objectives. Also, the malware binaries and source codes are still in the wild, so it’s very common for other cybercrime groups to compile their own version adapted to their purposes.”
Luca Ebach, a malware researcher with G Data, says that the new Emotet variants use different encryption to hide data.
Ryan Westman, Manager, Threat Intelligence, eSentire, posited that “this may be a test run or an initial pass to increase their botnet before revealing any new capabilities.”
“Given that threat actors have previously enjoyed leveraging it, [Emotet] could regain its eminence. Another possible reason for its resurfacing could be that it will be used as a honey pot, in a similar way that the REvil servers served as a honey pot when they came back online, and it is an elaborate sting to catch cyber criminals. Again, it is early and hard to weigh in definitively, but those are some initial thoughts,” he added.
But most of the researchers agree that it will take time to grow another botnet the size of the old one.
“Emotet is a known threat, and most of its techniques and capabilities are already studied. Maintaining a botnet is easier than expanding it, as security solutions evolve and get better at detecting the infections,” Duarte Domingues noted.
“The questions IT teams need to be asking have not changed, but the level of risk due to the frequency of threat may see an uptick as this malware family builds up its operations once again. We live in a world where the threat will remain ever present, this event does not change that, but it does highlight the need for continued vigilance and investment in building resilience to cyber threats for all organizations,” says Callum Roxan, head of threat intelligence at F-Secure.
Duarte Domingues advises IT managers and cybersecurity teams to manage this new Emotet version as any other malware threat – by deploying reasonable security measures and training employees against social engineering attacks like e-mails and phishing.
“It’s important to notice that those new capabilities show the actors are focusing on executing other malware along with Emotet. Botnets like Trickbot are often used to spread and move laterally into a network, and even deploy ransomware. Adopting a ZeroTrust model is important for any organization that wants to be protected against Emotet or any other botnet/ransomware threat. By assuming all connections can be compromised and segmenting your network, you can limit the affected systems and the threat actions to a single perimeter and increase the chance of detecting malicious behaviors inside your network.”