The hacking and malware community could easily be compared to a horror film. You may kill what you see before you but there is always a sequel. Such is the case with Emotet, a botnet once described as “the world’s most dangerous malware.”
Back and targeting computers worldwide, Emotet is both a name given to malware and the botnet that distributes it. Emotet was last in the news in 2020 with various campaigns and a U.S. government warning.
It “disappeared,” however, in January following a multicountry law enforcement operation. The European Union Agency for Law Enforcement Cooperation, better known as Europol, even celebrated at the time with a tweet. It’s a tweet that, in November 2021, hasn’t aged well.
Bye-bye botnets👋 Huge global operation brings down the world’s most dangerous malware.
Investigators have taken control of the Emotet botnet, the most resilient malware in the wild.
— Europol (@Europol) January 27, 2021
In a twist, Emotet is back through the TrickBot botnet. TrickBot is another botnet supposedly taken down that returned from the dead. Microsoft Corp. claimed to have taken down Trickbot in October 2020, but it was back in July this year.
According to security researcher Luca Ebach at German cybersecurity company G Data, TrickBot is being used to install Emotet on targeted systems.
“We observed on several of our Trickbot trackers that the bot tried to download a DLL to the system,” Ebach explained. “According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification. Currently, we have high confidence that the samples indeed seem to be a reincarnation of the infamous Emotet.”
Ebach was not alone. The Internet Storm Center also details the return of Emotet. Of interest, the malware portion of Emotet is being distributed via malicious attachments. These include malicious Excel, Word and ZIP attachments.
“Malware can have many lives, reincarnated as a more dangerous animal that escapes the detection capabilities that initially shut it down,” Stephen Banda, senior manager, security solutions at cloud security company Lookout Inc., told SiliconANGLE. “In the case of Emotet, the malware developers have enhanced its capabilities by adding commands to the original command bummer, using the initial code as a springboard for enhancements.”
The reincarnation of Emotet, he added, could add more fuel to the already red-hot ransomware threat environment. “By leveraging the existing installments of the malware Trickbot, Emotet has great potential to spread rapidly at scale while leveraging a range of Trickbot capabilities including plugin modules, cryptomining and persistence functionality,” he said.
Stefano De Blasi, cyberthreat intelligence analyst at digital risk protection solutions provider Digital Shadows Ltd., noted that the return of Emotet is not a surprise.
“Its predictable return has come just 10 months after the takedown of its infrastructure, following an internationally coordinated law enforcement operation in January 2021,” De Blasi said. “While these malware variants’ operations are often halted for a while, takedown operations don’t usually have permanent effects. Botnet operators are highly versatile and can often recover from these attacks after a short time.”