{"id":22151,"date":"2021-11-16T07:42:09","date_gmt":"2021-11-16T06:42:09","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=22151"},"modified":"2021-11-16T07:42:09","modified_gmt":"2021-11-16T06:42:09","slug":"emotet-malware-is-back","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/11\/16\/emotet-malware-is-back\/","title":{"rendered":"Emotet malware is back"},"content":{"rendered":"

\"Sicherheit[German<\/a>]The Emotet malware (Trojan and ransomware) was quite successful and infected numerous systems. Law enforcers had managed to hack the botnet's infrastructure for distributing the malware. As of April 25, 2021, Emotet malware was automatically removed from Windows machines. However, it was not permanent, because the Emotet malware is back and building a new botnet.<\/p>\n

<\/p>\n

The Emotet malware<\/h2>\n

\"\"Emotet<\/a> was originally a banking Trojan that was first identified by Trend Micro in June 2014. In the meantime, a complete cyber group stands behind this malware and continues to develop it. In the summer of 2019, the group even afforded itself the 'luxury' of shutting down its infrastructure to take a holiday (see CERT-Bund warns: Emotet is back, C&C servers online again<\/a>). <\/p>\n

The Emotet group has been responsible for numerous successful ransomware attacks on companies, authorities and institutions worldwide. Emotet was considered to be the most dangerous malware worldwide at the moment and infected a high number of IT systems of companies, authorities and institutions, in addition to computers of hundreds of thousands of private individuals. A search here in the blog will reveal a number of hits on emotet infections. <\/p>\n

As a so-called \"downloader\", Emotet had the function of infecting a victim system unnoticed and reloading further malware, for example to manipulate online banking, to spy out stored passwords or to encrypt the system for blackmail. The use of this \"botnet\" created by the perpetrators, together with the reloading of any malware, was offered for a fee in the \"underground economy\". Therefore, Emotet's criminal business model can be called \"malware-as-a-service.\" I have discussed the malware extensively in the articles linked at the end of the post.  <\/p>\n

On January 2021, law enforcers were able to take over the Emotet Command & Control (C&C) servers and modify the malware reloading function via the C&C servers, install their own modules on the infected victim systems, and disable the malware functions at the same time. From then on, the victim systems could only communicate with the controlled C&C servers. On April 25, 2021, the infrastructure was shut down and the malware on infected systems was removed (see Emotet Malware has been automatically uninstalled on April 25, 2021<\/a>).<\/p>\n

Emotet is back<\/h2>\n

Now Cryptolaemus (see Cryptolaemus and the fight against Emotet<\/a>) reports on Twitter<\/a>,  that the malware is back. The group observed that bots are starting to spam via the so-called Epoch 4 botnet to spread the malware. So far, only attachment-based malspam with .docm or .xlsm files (actually XLSM with an AF template \"Excell<\/a>\") or password-protected ZIPs (Operation ZipLock) has been observed.<\/p>\n

\"Emotet<\/a><\/p>\n

The Cryptolaemus group shares examples on various platforms according to this tweet<\/a>.  Colleagues at Bleeping Computer picked up on the whole thing in the following tweet and summarized it in this article<\/a>.<\/p>\n

\"EMOTET<\/a><\/p>\n

Security researchers from Cryptolaemus<\/a>, GData<\/a>, and Advanced Intel<\/a> are currently observing that the TrickBot malware drops a loader for Emotet on infected devices. However, Emotet expert and Cryptolaemus researcher Joseph Roosen told BleepingComputer that there is no evidence that the Emotet botnet is spamming, and no malicious documents have been found spreading the malware.<\/p>\n

Bleeping Computer suspects that the lack of spamming activity is likely due to the fact that the Emotet infrastructure is being rebuilt from scratch. At the same time, new response chain emails could be stolen from victims in future spam campaigns. The Record has also published an arti<\/a>cle with details.<\/p>\n

Similar articles:
<\/strong>EmoCrash protectet systems for 6 months against emotet-infections<\/a>
Cryptolaemus and the fight against Emotet<\/a>
Microsoft warns of massive Emotet campaign<\/a>
EmoCrash protectet systems for 6 months against emotet-infections<\/a>
Warning about a new Emotet-Ransomeware campaign (Sept. 2020)<\/a>
Microsoft warns of massive Emotet campaign<\/a>
Emotet Trojan can overload computers on the network<\/a>
Emotet C&C servers deliver new malware<\/a>
FAQ: Responding to an Emotet infection<\/a>
Warning about a new Emotet-Ransomeware campaign (Sept. 2020)<\/a>
Emotet malware comes as a supposed Word update<\/a>
New Emotet Campaign during the Holidays 2020<\/a>
German BKA initiate a takedown of Emotet malware infrastructure<\/a>
Emotet reportedly uninstalls itself on April 25, 2021<\/a>
Details of Emotet uninstallation by law enforcement officials<\/a>
Emotet Malware has been automatically uninstalled on April 25, 2021<\/a>
Check: Has my email address been hijacked by the Emotet malware?<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

[German]The Emotet malware (Trojan and ransomware) was quite successful and infected numerous systems. Law enforcers had managed to hack the botnet's infrastructure for distributing the malware. As of April 25, 2021, Emotet malware was automatically removed from Windows machines. However, … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69],"class_list":["post-22151","post","type-post","status-publish","format-standard","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/22151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=22151"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/22151\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=22151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=22151"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=22151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}