The Emotet botnet returns from the dead

Emotet is back. This well-known malware powered a botnet regarded as one of the largest of recent years.

Earlier this year, its command and control servers were seized in a police operation and machines infected with the malware were remotely disinfected by the authorities.

Two arrests were announced as part of this investigation, but it appears that this was not enough to permanently rid the internet of this malware.

Back with a bang

Several companies and cybersecurity researchers have identified a new version of the Emotet malware, which has been active since this weekend. According to Cryptolaemus, a group of security researchers who specialize in tracking Emotet, this new version was first pushed to machines already infected with Trickbot, another malware family that closely resembles Emotet.

G-Data was one of the first to identify the new malware. It shares many traits with earlier versions of Emotet, but also brings improvements and changes: traffic between the malware and its command and control server is now encrypted over HTTPS, and analysis of the binary shows that it supports new commands for its operators.

Shortly after this initial discovery, Proofpoint and Cryptolaemus researchers also reported spotting malicious email campaigns designed to infect users with Emotet. This was one of the propagation techniques most widely used by Emotet's operators before the takedown. The malicious emails typically carry a document or attachment that asks the user to enable macros; the macros then download the Emotet payload.
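The infection chain above hinges on a macro-enabled Office attachment. The following check, added here as an example and not code from Proofpoint, Cryptolaemus or G-Data, flags such attachments at the mail gateway: modern Office files (.docm/.xlsm and their macro-free .docx/.xlsx siblings) are ZIP packages in which macros live in a vbaProject.bin part and [Content_Types].xml declares a "macroEnabled" main content type. The two sample documents are constructed in memory so the check runs offline; legacy binary .doc/.xls (OLE2) files are out of scope and need an OLE parser such as olefile/oletools.

```python
"""Flag Office attachments that carry VBA macros (added example, constructed samples)."""
import io
import zipfile

CONTENT_TYPES_PART = "[Content_Types].xml"
DOCX_MAIN_CT = (
    "application/vnd.openxmlformats-officedocument."
    "wordprocessingml.document.main+xml"
)
DOCM_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the OOXML package declares or contains a VBA project.

    Two independent signals are checked so that a package which stores the
    vbaProject.bin part under another name, or which omits the content-type
    declaration, is still flagged.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Signal 1: a vbaProject.bin part anywhere in the package.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Signal 2: a macro-enabled main part or a vbaProject content type.
            if CONTENT_TYPES_PART in names:
                ct = zf.read(CONTENT_TYPES_PART).decode("utf-8", "replace").lower()
                return "macroenabled" in ct or VBA_PROJECT_CT.lower() in ct
    except zipfile.BadZipFile:
        # Not a ZIP container at all: legacy OLE2, PDF, or something else.
        return False
    return False


def build_sample_document(with_macros: bool) -> bytes:
    """Build a minimal constructed OOXML Word package for testing (not a real document)."""
    overrides = [
        f'<Override PartName="/word/document.xml" '
        f'ContentType="{DOCM_MAIN_CT if with_macros else DOCX_MAIN_CT}"/>'
    ]
    if with_macros:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PROJECT_CT}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTENT_TYPES_PART, content_types)
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
        if with_macros:
            # Placeholder bytes standing in for a real OLE2 VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


def triage_attachments(attachments: dict[str, bytes]) -> dict[str, str]:
    """Label each attachment 'macro', 'no-macro' or 'not-ooxml'."""
    verdicts = {}
    for name, data in attachments.items():
        if not zipfile.is_zipfile(io.BytesIO(data)):
            verdicts[name] = "not-ooxml"
        elif has_vba_macros(data):
            verdicts[name] = "macro"
        else:
            verdicts[name] = "no-macro"
    return verdicts


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_sample_document(with_macros=True),
        "invoice.docx": build_sample_document(with_macros=False),
        "readme.txt": b"plain text, not a package",
    }
    for name, verdict in triage_attachments(samples).items():
        print(f"{name}: {verdict}")
```

The verdict is a triage signal, not proof of malice: plenty of legitimate documents carry macros. What it gives an analyst is a cheap way to quarantine macro-bearing attachments from external senders for a closer look, regardless of the file extension the sender chose.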

Once a machine is infected, it contacts the botnet's command and control server and is used to send more spam to new targets. Emotet is particularly known for "thread hijacking", which uses compromised email accounts to send a message in reply to an existing conversation. This makes the email more credible and lures the victim into opening the malicious attachment. According to the researchers, the new version of Emotet also uses this technique.

Everything has to be rebuilt

The new version of the malware also uses new command and control servers, since the previous ones were seized by law enforcement. A list of the command and control servers identified by the researchers is maintained on the Feodo Tracker site and shows botnet activity resuming as of November 15.
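A published C2 list is only useful if it is checked against one's own traffic. The script below, added here as an example and not code from abuse.ch or from the researchers cited, parses a blocklist in the Feodo Tracker CSV layout and matches it against firewall logs. Everything in it is constructed: the blocklist uses RFC 5737 documentation addresses, the column order (first_seen_utc, dst_ip, dst_port, c2_status, last_online, malware) is the layout of the public ipblocklist.csv as understood here and should be verified against the live file, and the log lines use a generic "timestamp action src -> dst:port" format that a real parser would adapt.

```python
"""Cross-check outbound connections against a Feodo Tracker-style C2 list (added example)."""
from __future__ import annotations

import csv
import re
from dataclasses import dataclass

# Constructed sample in the assumed Feodo Tracker ipblocklist.csv layout.
SAMPLE_BLOCKLIST = """\
####################################################################
# Constructed sample in Feodo Tracker ipblocklist.csv layout       #
####################################################################
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
"2021-11-15 10:12:03","192.0.2.10","8080","online","2021-11-16","Emotet"
"2021-11-15 11:40:55","192.0.2.77","443","online","2021-11-16","Emotet"
"2021-10-02 09:00:00","198.51.100.5","449","offline","2021-10-30","TrickBot"
"""

# Constructed firewall log lines in a generic layout.
SAMPLE_LOGS = """\
2021-11-16T08:01:12Z ALLOW 10.0.0.14 -> 203.0.113.9:443
2021-11-16T08:02:47Z ALLOW 10.0.0.21 -> 192.0.2.10:8080
2021-11-16T08:03:03Z ALLOW 10.0.0.21 -> 192.0.2.77:443
2021-11-16T08:04:30Z ALLOW 10.0.0.33 -> 198.51.100.5:80
2021-11-16T08:05:01Z DENY 10.0.0.14 -> 192.0.2.10:8080
"""


@dataclass(frozen=True)
class C2Entry:
    ip: str
    port: int
    status: str   # "online" / "offline" as published
    family: str   # e.g. "Emotet", "TrickBot"


def parse_blocklist(text: str) -> dict[str, list[C2Entry]]:
    """Index C2 entries by IP; one IP may be listed on several ports."""
    index: dict[str, list[C2Entry]] = {}
    rows = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    for row in csv.reader(rows):
        if len(row) != 6:
            continue  # tolerate a malformed line instead of aborting the run
        _first_seen, ip, port, status, _last_online, family = row
        index.setdefault(ip, []).append(C2Entry(ip, int(port), status, family))
    return index


LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def match_logs(log_text: str, index: dict[str, list[C2Entry]]) -> list[dict]:
    """Return one record per log line whose destination is a listed C2 IP.

    Matching is on IP only: a host reaching a listed C2 on an unexpected port
    is still worth a look, so port agreement is reported as a field rather than
    used as a filter. Offline C2s are kept too, since a freshly infected host
    may still beacon to them.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["dst"] not in index:
            continue
        entries = index[m["dst"]]
        dport = int(m["dport"])
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": dport,
            "action": m["action"],
            "families": sorted({e.family for e in entries}),
            "c2_status": sorted({e.status for e in entries}),
            "port_match": any(e.port == dport for e in entries),
        })
    return hits


def hosts_needing_response(hits: list[dict]) -> list[str]:
    """Internal hosts whose C2 connection was allowed: the ones to isolate first."""
    return sorted({h["src"] for h in hits if h["action"] == "ALLOW"})


if __name__ == "__main__":
    c2_index = parse_blocklist(SAMPLE_BLOCKLIST)
    found = match_logs(SAMPLE_LOGS, c2_index)
    for h in found:
        where = f'{h["dst"]}:{h["dport"]}'
        kind = "port_match" if h["port_match"] else "ip_only"
        print(h["ts"], h["action"], h["src"], "->", where, h["families"], kind)
    print("isolate:", hosts_needing_response(found))
```

Denied connections are reported as well: a blocked attempt still means the source host tried to reach a C2 and is most likely infected, so it belongs in the same incident even though no data left the network.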

The goal of the botnet's operators today is to rebuild their network of infected computers. The police operation at the start of the year led to the disinfection of the devices compromised by the malware. Before the police intervened, Emotet was one of the largest botnets on the internet: according to the FBI, more than 1.6 million computers were infected. So far, no one has put a figure on the number of machines infected with this new variant.

Emotet was analyzed by ANSSI in a report published in early 2020. The malware started out as a banking trojan designed to steal the banking credentials stored on infected machines. It quickly evolved, however, becoming a "loader" in 2017, that is, malware used to distribute other malicious software. Its business model was to charge other cybercriminal groups for access to Emotet-infected machines, for example to install ransomware.
