TrickBot malware is now being used as an entry point to distribute a new version of Emotet on systems that TrickBot has already infected.

The new variant takes the form of a DLL loader, and its first deployment was observed on Nov 14. Researchers from Advanced Intel, GData, and Cryptolaemus have announced that they have seen TrickBot dropping the Emotet loader on infected devices.

Previously, Emotet was distributed through malicious documents and attachments. After infecting a device, it installed QakBot/QBot and TrickBot, which in turn gave attackers the access they needed to deploy ransomware such as:

1. Conti

2. Ryuk

3. Egregor

4. ProLock

How Emotet was Tracked

Earlier in 2021, a coordinated operation spearheaded by Europol and Eurojust took down the Emotet infrastructure, and two individuals were detained. After that action, the malware operators went underground.

Subsequently, as part of “Operation Ladybird,” German law enforcement pushed an Emotet module that uninstalled the malware from infected devices on Apr 25, 2021.

Emotet Resurfaces with a New Technique

Cryptolaemus researcher and Emotet expert Joseph Roosen explained that they have not seen the Emotet botnet running spam campaigns the way it did before going underground.


Moreover, they have found no malicious documents dropping the malware. Instead, the operators are using a different method this time, one that researchers have dubbed Operation Reacharound.

With this method, the attackers are trying to rebuild the Emotet botnet using TrickBot’s existing infrastructure. Researchers believe the absence of spamming may be because the operators need to rebuild the Emotet infrastructure from scratch before they can resume their own campaigns.

Emotet malware reemerges, building botnet via Trickbot malware


According to Cryptolaemus, the new Emotet loader includes capabilities not present in previous variants. In particular, they confirmed that the malware’s command buffer has changed.

“There’s now 7 commands instead of 3-4. Seems to be various execution options for downloaded binaries (since it’s not just dlls),” Cryptolaemus researchers told Bleeping Computer.


Emotet Resurgence May Cause a Spike in Ransomware Infections

Emotet’s rebirth points to a likely increase in ransomware infections. It also suggests that threat actors may be looking to scale up ransomware operations across the globe, given the current shortage of commodity loaders available to them.


Posted by Charlie