Emotet malware is back

The Emotet malware, a banking Trojan that evolved into a loader used to deliver ransomware, was highly successful and infected numerous systems. In January 2021, law enforcement agencies managed to take over the botnet's infrastructure for distributing the malware, and on April 25, 2021 Emotet was automatically removed from infected Windows machines. That was not the end of it, however: the Emotet malware is back and is building a new botnet.

The Emotet malware

Emotet was originally a banking Trojan, first identified by Trend Micro in June 2014. Since then an entire cybercrime group has formed around the malware and keeps developing it. In the summer of 2019 the group even afforded itself the 'luxury' of shutting down its infrastructure to go on holiday (see CERT-Bund warns: Emotet is back, C&C servers online again).

The Emotet group has been responsible for numerous successful ransomware attacks on companies, authorities and institutions worldwide. At the time, Emotet was regarded as the most dangerous malware in the world; it infected a large number of IT systems belonging to companies, authorities and institutions, as well as the computers of hundreds of thousands of private individuals. A search of this blog turns up a number of posts on Emotet infections.

As a so-called "downloader", Emotet's job was to infect a victim system unnoticed and then fetch further malware, for example to manipulate online banking, to steal stored passwords, or to encrypt the system for extortion. Access to the botnet built this way, including the delivery of arbitrary malware to the infected machines, was offered for a fee in the "underground economy", so Emotet's criminal business model can be described as "malware-as-a-service". I have discussed the malware extensively in the articles linked at the end of the post.

In January 2021, law enforcement agencies were able to take over the Emotet Command & Control (C&C) servers. Via those servers they modified the malware's reloading function, pushed their own module to the infected victim systems and disabled the malware's functions at the same time. From then on, the victim systems could only communicate with the C&C servers under law enforcement control. On April 25, 2021, the infrastructure was shut down and the malware was removed from infected systems (see Emotet Malware has been automatically uninstalled on April 25, 2021).

Emotet is back

Now Cryptolaemus (see Cryptolaemus and the fight against Emotet) reports on Twitter that the malware is back. The group observed bots starting to send spam via the so-called Epoch 4 botnet to spread the malware. So far, only attachment-based malspam has been seen: .docm or .xlsm files (actually XLSM files built on an "Excell" template) or password-protected ZIP archives (Operation ZipLock).
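The two delivery vectors named above, macro-enabled Office attachments and password-protected ZIPs, can both be recognised from the container alone, without opening the document in Office. The following triage script is an added example written for this post; it is not Cryptolaemus's or Bleeping Computer's tooling, and the verdict names, the helper functions and the constructed sample attachments are my own assumptions. It goes slightly beyond the post in one respect: besides VBA projects it also flags Excel 4.0 (XLM) macro sheets, which live under `xl/macrosheets/` in an XLSM and carry no `vbaProject.bin`. The encrypted ZIP sample is hand-crafted with `struct`, because the standard library cannot write password-protected archives; only its headers matter for the check.

```python
import io
import struct
import zipfile

# Added example, not code from the original post. Verdict strings and sample data are assumptions.

# Where OOXML containers keep VBA code, and where Excel keeps Excel 4.0 (XLM) macro sheets.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
XLM_PREFIX = "xl/macrosheets/"
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def classify_attachment(filename: str, data: bytes) -> str:
    """Coarse verdict for one attachment; looks only at ZIP headers and part names."""
    if not data.startswith(b"PK\x03\x04"):
        return "not-zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return "corrupt-zip"
    # Bit 0 of the general-purpose flag marks an encrypted entry: a password-protected ZIP
    # that a mail gateway cannot inspect, which is why the lure ships the password in the body.
    if any(info.flag_bits & 0x1 for info in infos):
        return "password-protected-zip"
    names = {info.filename for info in infos}
    if names & VBA_PARTS:
        return "office-vba-macro"
    if any(n.startswith(XLM_PREFIX) for n in names):
        return "office-excel4-macro"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "macro-extension-no-macro"  # mislabelled container, still worth a look
    return "zip-no-macro"


def _ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style container in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def sample_vba_xlsm() -> bytes:
    return _ooxml({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>",
                   "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 stub"})


def sample_xlm_xlsm() -> bytes:
    return _ooxml({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>",
                   "xl/macrosheets/sheet1.xml": "<xm:macrosheet/>"})


def sample_docx() -> bytes:
    return _ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<document/>"})


def sample_encrypted_zip(entry_name: bytes = b"invoice.xlsm") -> bytes:
    """Hand-craft a one-entry ZIP with the encryption flag (bit 0) set, stored method, dummy bytes."""
    payload = b"\x00" * 20  # 12-byte encryption header plus junk; never decrypted here
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0x0001, 0, 0, 0,
                        0, len(payload), len(payload), len(entry_name), 0) + entry_name + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0x0001, 0, 0, 0,
                          0, len(payload), len(payload), len(entry_name), 0, 0, 0, 0, 0, 0) + entry_name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def triage(mailbox) -> dict:
    """Return {attachment name: verdict} for an iterable of (name, bytes) pairs."""
    return {name: classify_attachment(name, data) for name, data in mailbox}


if __name__ == "__main__":
    constructed = [  # constructed samples, not real campaign artefacts
        ("Invoice_2021-11.xlsm", sample_vba_xlsm()),
        ("Rechnung.xlsm", sample_xlm_xlsm()),
        ("Report.docx", sample_docx()),
        ("Documents.zip", sample_encrypted_zip()),
        ("notes.txt", b"plain text"),
    ]
    for name, verdict in triage(constructed).items():
        print(f"{name:22s} {verdict}")
```

The encryption check is deliberately placed before the macro check: an encrypted entry's name is still visible in the central directory, but its content is not, so an inner `.xlsm` can only be judged once the archive has been opened with the password from the mail body in a sandbox.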

According to the tweet, the Cryptolaemus group is sharing samples on various platforms. Colleagues at Bleeping Computer picked up on the story in the following tweet and summarized it in this article.

Security researchers from Cryptolaemus, GData and Advanced Intel are currently observing the TrickBot malware dropping a loader for Emotet on already infected devices. However, Emotet expert and Cryptolaemus researcher Joseph Roosen told BleepingComputer that, as of that report, there was no evidence of the Emotet botnet spamming, and no malicious documents spreading the malware had been found.

Bleeping Computer suspects that the lack of spamming activity is because the Emotet infrastructure is being rebuilt from scratch. In the meantime, reply-chain emails can be stolen from the newly infected victims for use in future spam campaigns. The Record has also published an article with details.

Similar articles:
EmoCrash protected systems for 6 months against Emotet infections
Cryptolaemus and the fight against Emotet
Microsoft warns of massive Emotet campaign
Warning about a new Emotet ransomware campaign (Sept. 2020)
Emotet Trojan can overload computers on the network
Emotet C&C servers deliver new malware
FAQ: Responding to an Emotet infection
Emotet malware comes as a supposed Word update
New Emotet Campaign during the Holidays 2020
German BKA initiate a takedown of Emotet malware infrastructure
Emotet reportedly uninstalls itself on April 25, 2021
Details of Emotet uninstallation by law enforcement officials
Emotet Malware has been automatically uninstalled on April 25, 2021
Check: Has my email address been hijacked by the Emotet malware?