Dubbed the “world’s most dangerous malware”, the Emotet botnet has apparently been reborn.
Emotet is one of the most prolific and disruptive botnet malware-delivery systems known.
It now appears to be making a comeback after nearly a year of inactivity.
A team of researchers from Cryptolaemus, G DATA and AdvIntel recently observed the trojan launching a new “loader” for the notorious malware.
Emotet was largely dismantled earlier this year by an international law-enforcement effort. This has been part of a wave of international activity that we have covered extensively. The international effort has seen arrests in the ransomware space and seemingly disrupted cyber threat actors’ collective actions.
But after a circumspect analysis, researchers are now confident that “the samples (analysed) indeed seem to be a re-incarnation of the infamous Emotet”.
The history of the Emotet trojan
Emotet started life as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism.
It can install a collection of malware on victims’ machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware.
Ransomware is currently the cyber threat most worrying international law enforcement.
Emotet was last seen in volume hitting 100,000 target mailboxes a day to deliver TrickBot, Qakbot and Zloader in December 2020 ahead of the Christmas holidays.
Emotet appeared to be put out of commission by an international law-enforcement collaborative takedown of a network of hundreds of botnet servers supporting the system in January 2021.
The effort eliminated active infections on more than 1 million endpoints worldwide.
Now it appears to have resurfaced using familiar partner-in-crime TrickBot, with the two having a history of working together.
In the past, Emotet used its vast network to deliver TrickBot as a payload in targeted email phishing campaigns, though TrickBot also in the past has delivered Emotet samples, which appears to be the case once more.
Why Emotet’s re-emergence may mean a phishing onslaught lies ahead
The recent news has security professionals concerned the world over.
While unsurprised by Emotet’s resurfacing, there seems to be a consensus that the disruption it can wreak is significant.
“Emotet was once the ‘world’s most dangerous malware,’” noted James Shank, senior security evangelist and chief architect of community service at security firm Team Cymru.
But as the botnet will need some time to gain “full strength”, organisations still have some breathing room to shore up defenses.
How organisations can prepare for “the world’s most dangerous” malware
Organisations can already get ahead of the threat by focusing on training their workforces about the dangers of email threats as well as shoring up network monitoring.
We’ve previously written useful guides that we’d recommend sharing with staff, colleagues and networks, including our guide Trojans, Malware and Phishing Scams – How To Protect Yourself.
What we wrote then (before Emotet disappeared) seems to have eery tones:
Emotet is persistent. It injects its code into running services and alters registry entries ensuring that it cannot be removed, even by antivirus software.
It can also spread throughout an entire corporate network by brute-forcing credentials, and Trickbot can spread further by taking advantage of the EternalBlue vulnerability that is present on Windows machines.
Once Emotet and Trickbot have taken over a corporate network, this serves as the initial attack vector for the Ryuk ransomware to take over every connected machine and hold data for ransom. These kinds of attacks are sophisticated campaigns that utilise several kinds of malware, potentially costing an organisation millions of dollars.