Cybersecurity professionals have once again begun to see threat actors drop malware in a bid to revive the infamous Emotet botnet.
In January this year, law enforcement agencies in Europe and North America joined forces as part of a coordinated effort to disrupt and take down the Emotet botnet.
However, multiple security vendors and experts, including Cryptolaemus, GData, and Advanced Intel, have detected activity that points to Emotet’s imminent return.
“On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet… Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet,” asserts GData.
Back from the dead?
The Emotet malware had evolved into the go-to solution for cybercriminals who used its infrastructure to gain access to targeted systems on a global scale. Its operators then sold this access to other cybercrime groups for deploying ransomware including Ryuk, Conti, ProLock, Egregor, and several others.
Reporting on the development, BleepingComputer notes that in an apparent change of tactics, the threat actors behind Emotet’s revival are now using a method dubbed “Operation Reacharound” to rebuild the Emotet botnet using TrickBot's existing infrastructure.
Emotet research group Cryptolaemus has begun analyzing the new Emotet loader, and has detected changes compared to the past.
"So far we can definitely confirm that the command buffer has changed. There's now 7 commands instead of 3-4. Seems to be various execution options for downloaded binaries (since it's not just DLLs)," noted Cryptolaemus researchers.
Researchers also added that although they had not seen any signs of the Emotet botnet performing spamming activity or found any malicious documents dropping the malware, it’s only a matter of time.
"It is an early sign of the possible impending Emotet malware activity fueling major ransomware operations globally given the shortage of the commodity loader ecosystem," Advanced Intel's Vitali Kremez told BleepingComputer.
It's time to batten down the hatches with the help of these best firewall apps and services, and ensure your computers are protected with these best endpoint protection tools.