One of the world’s most feared malware operations is back in full force, less than a year after being shut down in a global law enforcement bust.
Emotet was considered the “most dangerous piece of malware” before the January takedown saw its infrastructure seized, two of its operators arrested, and an uninstall update pushed out to infected devices, cleaning up more than one million computers.
It earned this notorious title by offering a highly valuable service to other malware operators, most notably the Conti ransomware gang and the operators of the Trickbot banking trojan: Emotet would gain initial access to a sought-after victim network and leave the door open for its customers to walk in and launch their own attack.
“Emotet’s strategic, operational, and tactical agility was executed through a modular system enabling them to tailor payload functionality and specialisation for the needs of specific customers,” security firm AdvIntel says.
But the law enforcement takedown left a significant void in the market, and Emotet’s partners without a high-quality method of gaining access to their desired victims.
This prompted the group’s loyal customers – specifically the Conti ransomware gang – to push for an Emotet return to operations.
“This partnership enables the Conti syndicate to answer the unfulfilled demand for initial accesses on an industrial scale, while competitor groups such as LockBit or Hive will need to rely on individual low-quality access brokers. As a result, Conti can further advance their goal of becoming a ransomware monopolist,” AdvIntel said.
Researchers first spotted new Emotet activity on November 14, indicating the fearsome Emotet-Trickbot-Conti triad was making a triumphant return.
Emotet appeared to be back up to its old tricks, sending out spam emails with malicious attachments that, when opened, downloaded malware that infected the victim’s device.
The spam emails are currently presented as replies to previous legitimate emails, aiming to lure the recipient into opening the attached Word document, Excel spreadsheet, or password-protected ZIP file. The pretense can be anything from a missing wallet to a sale event or a cancelled meeting, among many other scenarios.
The malicious attachment blocks the recipient from viewing its contents, urging them instead to click ‘Enable Editing’ or ‘Enable Content’, which lets the document’s embedded macros run.
Once these buttons are clicked, the Emotet malware silently downloads to the device and lies in wait before it starts looking for email to steal and other devices to spread to, or – most famously – prepares to drop other malware such as Conti or Trickbot.
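Defender-side triage for the lure described above, as an added example that is not code from the article or from any of the firms quoted in it: the script checks an inbound message for the two signals the article names, a reply-style subject or threading header combined with an Office attachment that carries a VBA project or a ZIP attachment that is password-protected. Every message and attachment is constructed inside the script (sender addresses, file names and the placeholder VBA container are made up), so it runs offline. Legacy binary .doc/.xls files are not zip-based and are left for other tooling.

```python
"""Triage inbound mail for the Emotet-style lure: reply-looking message plus a
macro-bearing Office document or a password-protected ZIP. All inputs constructed."""
import io
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage

# Zip members that hold VBA code in OOXML (docm/xlsm/pptm) containers.
OFFICE_MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")


def office_has_macros(data: bytes) -> bool:
    """True if a zip-based Office document contains a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return bool(set(zf.namelist()) & OFFICE_MACRO_PARTS)
    except zipfile.BadZipFile:
        return False  # legacy binary format or not an Office file; out of scope here


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP member sets general-purpose flag bit 0 (traditional encryption)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_message(msg: EmailMessage) -> dict:
    """Combine the reply-thread signal with attachment findings into a risk rating."""
    subject = msg.get("Subject", "")
    looks_like_reply = subject.lower().startswith(("re:", "fw:", "fwd:")) or msg.get("In-Reply-To") is not None
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(OFFICE_EXTS) and office_has_macros(data):
            findings.append(f"{name}: Office document with VBA macros")
        elif name.lower().endswith(".zip") and zip_is_encrypted(data):
            findings.append(f"{name}: password-protected ZIP")
    risk = "high" if (looks_like_reply and findings) else ("medium" if findings else "low")
    return {"reply": looks_like_reply, "findings": findings, "risk": risk}


# --- constructed sample inputs -------------------------------------------------

def build_office_doc(with_macro: bool) -> bytes:
    """Minimal OOXML-like container; the VBA member is a placeholder, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Hand-assemble a one-member stored ZIP so the encryption flag bit can be set
    (Python's zipfile writer cannot emit encrypted archives)."""
    flags = 0x0001 if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(name), 0) + name + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, len(data), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_sample_message(filename: str, attachment: bytes, subject: str, reply: bool) -> EmailMessage:
    """Constructed message; addresses are placeholders."""
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = subject
    msg["From"] = "colleague@example.com"
    msg["To"] = "recipient@example.com"
    if reply:
        msg["In-Reply-To"] = "<original-thread@example.com>"
    msg.set_content("Please see the attached file regarding the cancelled meeting.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    for fname, blob, subj, rep in [
        ("invoice.docm", build_office_doc(True), "Re: invoice", True),
        ("docs.zip", build_zip(b"report.docm", b"x", True), "Re: docs", True),
        ("agenda.docx", build_office_doc(False), "Agenda", False),
    ]:
        print(fname, triage_message(build_sample_message(fname, blob, subj, rep)))
```

The rating is deliberately coarse: a macro document in a reply thread is rated high because that is exactly the combination described, while the same attachment in a fresh message is medium and a macro-free document is low. In a real gateway this would sit alongside sender-authentication and sandbox results rather than replace them.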
A concerning new development has seen Emotet drop Cobalt Strike: a highly effective penetration testing tool that has been commandeered by hackers to essentially do their job for them.
Among other things, Cobalt Strike makes gaining access to critical parts of the network much easier for criminals. It is commonly used in ransomware attacks.
“Emotet itself gathers a limited amount of information about an infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, potentially looking for suitable victims for further infection such as ransomware,” security firm Cofense said.
“This is a big deal. Typically Emotet dropped TrickBot or QakBot, which in turn dropped Cobalt Strike. You’d usually have about a month between first infection and ransomware. With Emotet dropping CS directly, there’s likely to be a much much shorter delay,” security researcher Marcus Hutchins tweeted.
Researchers believe Emotet’s unmatched capabilities and the market demand will see the group quickly return to a dominant position, causing “the largest threat ecosystem shift” this year.
They expect it will in turn boost the Conti syndicate into becoming one of the most dangerous ransomware threats around.
An Emotet infection is now “no longer just an irritation or commodity malware noise”, according to a group of security researchers dedicated solely to fighting Emotet.
“This should be very high on your threat model now,” the Cryptolaemus group tweeted.
“You need to pay attention to this and you need to prepare.