Emotet Returns After Law Enforcement Disruption

The Emotet malware is back, nearly ten months after law enforcement disrupted its infrastructure in an international coordinated operation.

On Sunday, researchers observed the Trickbot banking trojan downloading and executing updated Emotet binaries. Luca Ebach, researcher with German security company G Data, first observed DLLs identified as Emotet on his research team’s Trickbot trackers. After a manual verification, Ebach said researchers “have high confidence that the samples indeed seem to be a reincarnation of the infamous Emotet.”

Since then, infections have jumped, said George Glass, head of threat intelligence with Redscan, who noted that his team is currently tracking nine Emotet command-and-control (C2) servers that are now active. As part of this newly commenced Emotet spamming activity, Glass said the botnet has been stealing emails to use in reply-chain attacks, where attackers use a compromised email thread to send malicious emails.

“There have been dozens of new infections in the last 24 hours alone,” said Glass. “If the botnet can resume a large number of spam campaigns and reply-chain attacks it will certainly infect more organizations and individuals. Emotet is an ideal initial access vector for ransomware groups.”

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said the return of Emotet has been observed in email messages to government, non-profit and commercial organizations predominantly in the United States and Canada. The top five verticals impacted by these messages have included financial services, insurance, transportation, technology and manufacturing. Based on some of the infrastructure Proofpoint researchers observed in campaigns, the actors are leveraging bulletproof hosting providers to rescale operations, said DeGrippo.

“These do not appear to be tests,” said DeGrippo. “They are active campaigns.”

The new samples of Emotet have been slightly updated. Emotet’s communication protocol now uses elliptic curve cryptography (ECC) for encryption of APIs, whereas older versions relied on RSA. Attackers are also now using XLS and XLM files as part of the initial delivery method, researchers said. If a victim downloads one of these files and enables macros, Emotet is installed.

“We continue to see thread hijacking, similar attachment names, and the use of Word documents and password protected ZIP files in delivery as previously observed,” said DeGrippo. “A number of the files’ names look legitimate. The payload URLs are still distributed in sets of seven, along with the same Botnet ID generation to name a few.”
