Emotet was once regarded as the most widely distributed malware. It spread through spam campaigns carrying malicious attachments, then used infected devices both to send more spam and to install payloads such as QakBot (Qbot) and TrickBot. Those payloads in turn gave threat actors initial access to victim networks, which was used to deploy ransomware including Conti, Ryuk, Egregor, and ProLock. Emotet's infrastructure was dismantled in an international law-enforcement takedown in January 2021.
According to researchers at Cryptolaemus, GData, and Advanced Intel, TrickBot has now begun dropping an Emotet loader on infected devices. This reverses the earlier relationship: where Emotet once installed TrickBot, the threat actors are now reusing TrickBot's infrastructure to rebuild the Emotet botnet.
Joseph Roosen, an Emotet specialist and Cryptolaemus researcher, stated that they had not seen any sign of the Emotet botnet spamming, nor found any malicious documents carrying the malware. The absence of spam activity is most likely because the Emotet infrastructure is being rebuilt from the ground up, and because new reply-chain emails must first be stolen from victims before they can be reused in future spam campaigns.
Cryptolaemus, an Emotet research group, has begun analyzing the new Emotet loader. According to its researchers, the command buffer has changed: instead of 3-4 commands there are now 7, and the downloaded binaries appear to support a variety of execution options, since they are no longer only DLLs.
The new Emotet loader was also examined by Advanced Intel's Vitali Kremez, who warned that the botnet's revival would likely lead to more ransomware attacks. URLhaus hosts samples of the Emotet loader dropped by TrickBot. According to Kremez, the current Emotet loader DLL carries a compilation timestamp of "6191769A (Sun Nov 14 20:50:34 2021)" (the hexadecimal TimeDateStamp from the PE header, followed by its decoded UTC date).
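To check a value like the one Kremez quotes, an analyst reads the TimeDateStamp field of the PE file's COFF header and converts it from seconds since the Unix epoch to UTC. The Python below is an added example written for this article, not code from any of the researchers or organizations quoted. The `build_stub_pe` helper constructs a minimal in-memory PE header purely to exercise the parser; it is not an Emotet sample and not a real executable.

```python
import struct
from datetime import datetime, timezone


def coff_timestamp(pe_bytes: bytes) -> int:
    """Return the raw TimeDateStamp from the COFF file header of a PE image."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    # e_lfanew at DOS-header offset 0x3C gives the file offset of the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header layout after the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", pe_bytes, e_lfanew + 8)
    return stamp


def timestamp_to_utc(stamp: int) -> datetime:
    """Interpret a COFF TimeDateStamp as seconds since 1970-01-01 00:00:00 UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def describe(stamp: int) -> str:
    """Render the stamp the way analysts usually quote it: hex plus a ctime-style UTC date."""
    return f"{stamp:08X} ({timestamp_to_utc(stamp).strftime('%a %b %d %H:%M:%S %Y')})"


def build_stub_pe(stamp: int) -> bytes:
    """Constructed minimal PE header (DOS header + signature + COFF header) for testing.

    This is not a real executable and not an Emotet sample; it only exercises the parser.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly follows the DOS header
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,  # Machine: x86-64
        1,       # NumberOfSections
        stamp,   # TimeDateStamp
        0, 0,    # PointerToSymbolTable, NumberOfSymbols
        0,       # SizeOfOptionalHeader (none in this stub)
        0x2022,  # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    )
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    # Compile stamp quoted by Kremez for the loader DLL.
    REPORTED_STAMP = 0x6191769A
    stub = build_stub_pe(REPORTED_STAMP)
    print(describe(coff_timestamp(stub)))  # 6191769A (Sun Nov 14 20:50:34 2021)
```

The TimeDateStamp is written by the linker and is an ordinary attacker-controlled field, so it should be treated as a clue to be corroborated (first-seen dates on URLhaus, certificate dates, sandbox submission times) rather than as proof of when the sample was built.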
Abuse.ch, a non-profit organization that tracks malware, has published a list of the new Emotet botnet's command-and-control servers and strongly advises network administrators to block the listed IP addresses.
Unfortunately, the new Emotet infrastructure is expanding quickly, with over 246 compromised devices already serving as command-and-control servers. Network administrators should block all listed IP addresses so that infected devices cannot reach the rebuilt Emotet botnet's command-and-control servers.
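Consuming the abuse.ch list means more than adding firewall rules: a network that already has an infected host will show connections to those addresses in its existing firewall or proxy logs, and those hosts need to be found, not just cut off. The Python below is an added example for this article, not a tool from abuse.ch or from the researchers quoted. Both inputs are constructed: the blocklist mimics the plain-text style of abuse.ch's exports (comment lines beginning with `#`, one IP per line) but contains only RFC 5737 documentation addresses rather than real C2 servers, and the key=value log format and the `EMOTET_C2` chain name are assumptions rather than any vendor's syntax.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed blocklist in the style of the abuse.ch plain-text export:
# '#' comment lines, then one IP address per line. These are RFC 5737
# documentation addresses, not real Emotet command-and-control servers.
SAMPLE_BLOCKLIST = """\
# Emotet C2 block list (constructed for this example, not the real feed)
# Generated: 2021-11-15
192.0.2.10
198.51.100.77
203.0.113.5
not-an-address
"""

# Constructed firewall log lines in a simple key=value format (assumed, not a
# specific vendor's syntax). Internal hosts are in 10.1.0.0/16.
SAMPLE_LOG = """\
2021-11-15T08:01:12Z src=10.1.4.22 dst=203.0.113.5 dport=443 action=allow
2021-11-15T08:01:14Z src=10.1.4.22 dst=93.184.216.34 dport=443 action=allow
2021-11-15T08:02:03Z src=10.1.7.9 dst=198.51.100.77 dport=8080 action=allow
2021-11-15T08:02:07Z src=10.1.7.9 dst=10.1.0.1 dport=53 action=allow
garbage line that should be ignored
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_blocklist(text: str) -> Set[ipaddress.IPv4Address]:
    """Extract valid IPv4 addresses from a '#'-commented, one-per-line feed.

    Malformed entries are skipped rather than aborting the whole import, so a
    single bad line in the feed cannot leave the firewall with no rules at all.
    """
    ips = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            continue
    return ips


def find_c2_contacts(log_text: str, blocklist: Set[ipaddress.IPv4Address]) -> List[Dict[str, str]]:
    """Return every parsable log line whose destination is a listed C2 address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            dst = ipaddress.IPv4Address(m["dst"])
        except ipaddress.AddressValueError:
            continue
        if dst in blocklist:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": str(dst), "dport": m["dport"]})
    return hits


def iptables_rules(blocklist: Set[ipaddress.IPv4Address], chain: str = "EMOTET_C2") -> List[str]:
    """Render outbound DROP rules for a hypothetical dedicated chain, in stable address order."""
    return [f"iptables -A {chain} -d {ip} -j DROP" for ip in sorted(blocklist)]


if __name__ == "__main__":
    c2 = parse_blocklist(SAMPLE_BLOCKLIST)
    for hit in find_c2_contacts(SAMPLE_LOG, c2):
        print(f"{hit['ts']} internal host {hit['src']} contacted C2 {hit['dst']}:{hit['dport']}")
    print("\n".join(iptables_rules(c2)))
```

Two design points worth noting: the parser validates each address with `ipaddress` instead of trusting the feed, so a corrupted or tampered download cannot inject an arbitrary string into a firewall command line; and the log sweep is run against historical logs before the rules go in, because a host that already reached a listed server is an incident to investigate, not merely a connection to block.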