Chris Swagler | November 18th, 2021

Emotet Malware Returns

In the past, the Emotet malware was considered the most widely distributed malware, spreading through spam campaigns and malicious attachments. Emotet infected devices then used them to perform spam campaigns and install other payloads, including QakBot (Qbot) and TrickBot malware. Emotet used the payloads to provide threat actors initial access to implement ransomware, including Ryuk, Conti, ProLock, Egregor, and others. European law enforcement and judicial organizations Europol and Eurojust coordinated an international law enforcement action taking over the Emotet infrastructure and arresting two individuals in early 2021. On April 25, 2021, German law enforcement used the infrastructure to send an Emotet module that uninstalled the malware from the infected devices.

Currently, Emotet research groups Cryptolaemus, GData, and Advanced Intel have seen the TrickBot malware dropping an Emotet loader on infected devices. In the past, Emotet would install TrickBot, but now threat actors are using a method Cryptolaemus calls “Operation Reacharound,” in which actors rebuild the botnet using existing TrickBot infrastructure. According to a Cryptolaemus researcher and Emotet expert, the group has neither seen indications of the Emotet botnet performing spamming activities nor located malicious documents dropping the malware. The lack of spamming activity likely indicates that Emotet is rebuilding its infrastructure from the ground up and stealing new reply-chain emails from victims in future spam operations.

Cryptolaemus is analyzing the new Emotet loader including new changes compared to the previous variants. Cryptolaemus researchers confirmed that the command buffer has increased from four to seven commands and has various execution options for downloaded binaries. With the analysis of the new Emotet dropper, the rebirth of the malware botnet will likely lead to an increase of ransomware infections. The shortage of the commodity loader ecosystem is an early indication of possible Emotet malware activity feeding major ransomware operations globally. Taking down Emotet did not prevent other adversaries from acquiring the malware builder and setting up the backend system to bring the malware back to life., a non-profit malware tracking organization, released a list of command-and-control servers the new Emotet botnet is using. However, the new Emotet infrastructure already has over 246 devices acting as command-and-control servers and the number is continuously growing. To prevent their devices from being recruited into the newly reformed Emotet botnet, network administrators are strongly encouraged to block all associated IP addresses.

With the sudden reappearance of old malware like Emotet and a rebuild of the botnet using existing infrastructure like TrickBot, it’s crucial that companies stay current with the latest threat landscape and update their network security posture by blocking any IP address associated with any malware. At SpearTip, our certified engineers work 24/7 at our Security Operations Centers monitoring your networks for potential malware threats like Emotet. The most effective way to protect your company’s devices and networks is being proactive. SpearTip’s ShadowSpear, our endpoint detection and response platform, is a great proactive tool to prevent malware like Emotet and block IP addresses associated with the botnet. To learn more about how SpearTip defends you from malware, reach out at [email protected].

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.