Ten months after a coordinated law enforcement operation took down Emotet’s command-and-control infrastructure, the notorious botnet is mounting a return of sorts.
TrickBot is being used as an entry point to deliver what looks to be a new version of Emotet to already compromised PCs, according to a recent report from security researcher Luca Ebach. The activity was first observed on November 14, when a DLL file was seen being used to spread the malware.
Because of Emotet’s role as a precursor to numerous large-scale data theft and ransomware attacks, Europol has labeled it the “world’s most dangerous malware”. Other malware families, such as TrickBot, QakBot, and Ryuk, were able to infiltrate machines thanks to its loader activity.
Nine Emotet command-and-control servers are now listed as active on Abuse.ch’s Feodo Tracker, which suggests that the botnet’s operators are attempting to bring the network back online.
Emotet’s new loader can be found on the tracker, and samples can be downloaded. Network administrators are urgently advised to block any IP addresses associated with the newly active Emotet botnet.
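The blocking advice above is easier to act on when the tracker feed is matched against what hosts are actually connecting to. The following is an added example, not code from the article or from Abuse.ch: it parses a blocklist in the CSV shape Feodo Tracker publishes (comment lines starting with `#`, then `first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware`), and matches constructed outbound-connection log lines against it. Every IP, row and log line is constructed sample data on TEST-NET ranges, not a real indicator; the log line format is an assumption about a generic firewall export.

```python
"""Match outbound-connection log lines against a Feodo Tracker-style C2 blocklist.

Added example; not from the article. The CSV layout is modelled on the columns
Feodo Tracker publishes, but every row and log line below is constructed sample
data using TEST-NET addresses (RFC 5737), not real indicators.
"""
import csv
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the Feodo Tracker CSV shape (comment lines start with '#').
SAMPLE_BLOCKLIST = """\
# Feodo Tracker-style blocklist (constructed sample, not real data)
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2021-11-15 09:12:00,192.0.2.10,443,online,2021-11-16,Emotet
2021-11-15 10:40:00,192.0.2.11,8080,online,2021-11-16,Emotet
2021-11-01 00:00:00,198.51.100.5,449,offline,2021-11-03,Dridex
2021-11-14 18:00:00,203.0.113.7,443,online,2021-11-16,TrickBot
"""

# Constructed firewall log lines (assumed format): timestamp, source host, OUT, dst ip:port, proto.
SAMPLE_LOG = """\
2021-11-16T08:01:12Z ws-042 OUT 192.0.2.10:443 TCP
2021-11-16T08:01:15Z ws-042 OUT 93.184.216.34:443 TCP
2021-11-16T08:02:40Z ws-017 OUT 198.51.100.5:449 TCP
2021-11-16T08:03:03Z ws-017 OUT 203.0.113.7:443 TCP
2021-11-16T08:04:59Z ws-099 OUT 192.0.2.11:80 TCP
"""


@dataclass(frozen=True)
class C2Entry:
    ip: str
    port: int
    status: str
    malware: str


def parse_blocklist(text: str) -> dict[str, C2Entry]:
    """Parse the CSV, skipping '#' comment lines; entries are keyed by destination IP."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    entries: dict[str, C2Entry] = {}
    for first_seen, ip, port, status, last_online, malware in csv.reader(rows):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed row instead of silently skipping it
        entries[ip] = C2Entry(ip, int(port), status, malware)
    return entries


LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+OUT\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+\S+$")


def match_log(log_text: str, blocklist: dict[str, C2Entry], only_online: bool = True) -> list[dict]:
    """Return one hit per log line whose destination IP is a listed C2 server.

    With only_online=True, servers the tracker marks offline are skipped so that stale
    entries do not page anyone. The port is reported but not required to match: a
    listed C2 address contacted on any port is worth a look.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts, host, dst_ip, dst_port = m.groups()
        entry = blocklist.get(dst_ip)
        if entry is None or (only_online and entry.status != "online"):
            continue
        hits.append({
            "time": ts, "host": host, "dst": dst_ip, "port": int(dst_port),
            "malware": entry.malware, "port_matches": int(dst_port) == entry.port,
        })
    return hits


def emotet_hosts(hits: list[dict]) -> list[str]:
    """Internal hosts that contacted an Emotet-tagged C2, for the incident-response queue."""
    return sorted({h["host"] for h in hits if h["malware"] == "Emotet"})


if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_BLOCKLIST)
    found = match_log(SAMPLE_LOG, bl)
    for hit in found:
        print(hit)
    print("Hosts that contacted Emotet C2:", emotet_hosts(found))
```

Running it on the constructed data yields three hits (two Emotet, one TrickBot); the Dridex entry is ignored because the tracker marks it offline, and `ws-099` is reported even though it reached the listed address on port 80 rather than the listed 8080. In practice the real feed would be fetched from Feodo Tracker and the log source would be your own firewall or proxy export, with `LOG_RE` adjusted to its format.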
In an update tweeted by Abuse.ch, the Emotet botnet’s command-and-control (C2) infrastructure is reported to have grown from 9 active C2 servers to 14 in less than 24 hours, which indicates that Emotet is stepping up its activity.
Malicious spam campaigns have also risen in tandem with Emotet’s activity. From what has been revealed, selected infection chains drop the loader directly with the help of macro-enabled Word and Excel documents.
The news that Emotet is back has caused a wave of tweets and discussions in cybersecurity circles. Professionals are commenting that the code and the infrastructure have been updated and are better secured now, which poses a new challenge to law enforcement.
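Since the infection chains described here lean on macro-enabled Office attachments, a mail gateway or sandbox can triage such files before a user ever sees the "Enable Content" prompt. The following is an added example, not code from the article: modern Office files (.docx, .docm, .xlsx, .xlsm) are zip containers, and a VBA project is stored as a `vbaProject.bin` member, so the check inspects the archive rather than trusting the file extension. Legacy OLE2 documents (.doc/.xls) are only flagged for deeper inspection, since parsing OLE streams is out of scope. The sample attachments are constructed in memory and contain no macro code; `build_ooxml` is a helper invented for the example and does not produce a valid Office document.

```python
"""Flag Office attachments that carry a VBA macro project.

Added example, not from the article. The constructed containers below mimic the
OOXML zip layout only as far as this check needs; they are not real documents.
"""
import io
import zipfile
from dataclasses import dataclass

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (.doc/.xls) signature
MACRO_CONTENT_TYPE = "macroEnabled"                # appears in [Content_Types].xml of .docm/.xlsm


@dataclass
class Verdict:
    filename: str
    has_vba: bool          # a VBA project member (or macro-enabled content type) is present
    extension_lies: bool   # a macro-free extension (.docx/.xlsx/.pptx) hiding a VBA project
    needs_ole_scan: bool   # legacy OLE2 container; needs an OLE parser (e.g. oletools' olevba)


def build_ooxml(kind: str, with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like zip (constructed sample, not a valid Office file)."""
    part = "word" if kind == "word" else "xl"
    ct = "macroEnabled.main+xml" if with_macro else "main+xml"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", f'<Types><Override ContentType="...{ct}"/></Types>')
        z.writestr(f"{part}/document.xml", "<document/>")
        if with_macro:
            z.writestr(f"{part}/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, no real VBA
    return buf.getvalue()


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Decide whether an attachment carries macros, ignoring what its extension claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE2_MAGIC):
        return Verdict(filename, False, False, True)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return Verdict(filename, False, False, False)  # not an Office container at all
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # The VBA project member is the real tell; the content type is a secondary signal.
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        if not has_vba and "[Content_Types].xml" in names:
            declared = z.read("[Content_Types].xml").decode("utf-8", "replace")
            has_vba = MACRO_CONTENT_TYPE in declared
    return Verdict(filename, has_vba, has_vba and ext in {"docx", "xlsx", "pptx"}, False)


def triage(attachments: dict[str, bytes]) -> list[str]:
    """Names of attachments that should be quarantined or sent for deeper analysis."""
    return sorted(
        name for name, data in attachments.items()
        if (v := inspect_attachment(name, data)).has_vba or v.needs_ole_scan
    )


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_ooxml("word", True),
        "invoice.docx": build_ooxml("word", True),     # macro file renamed to look harmless
        "report.xlsx": build_ooxml("xl", False),
        "old.doc": OLE2_MAGIC + b"\x00" * 24,           # constructed OLE2 header only
        "notes.txt": b"plain text",
    }
    for name, data in samples.items():
        print(inspect_attachment(name, data))
    print("Quarantine:", triage(samples))
```

The renamed `invoice.docx` is the case worth noticing: extension-based filtering would pass it, while the archive inspection flags both the macro project and the mismatch.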