TrickBot malware is now used as an entry point for distributing a new version of Emotet malware on the systems TrickBot previously owned.
This new variant emerges from a DLL file, and the first deployment was detected on Nov 14. Today, Advanced Intel, GData, and Cryptolaemus researchers have announced that they have discovered TrickBot malware dropping Emotet loader on infected devices.
Previously, Emotet malware was distributed through malicious documents/attachments and installed QakBot/QBot and Trickbot malware after infecting the devices, offering access to attackers to deploy ransomware like:
How Emotet was Tracked
Earlier in 2021, a coordinated operation spearheaded by Europol and Eurojust took down the Emotet infrastructure and detained two individuals. After that action, the malware operators went underground.
On the other hand, German law enforcement delivered an Emotet module to uninstall the malware from infected devices on Apr 25, 2021, as part of “Operation Ladybird.”
Emotet Resurfaces with a New Technique
Cryptolaemus researcher and Emotet expert Joseph Roosen explained that they didn’t see Emotet botnet performing spam campaigns as it used to do before going underground.
SEE: Hacker disrupts Emotet botnet operation by replacing payload with GIFs
Moreover, they didn’t find any malicious documents dropping the malware. Instead, this time the malware operators have used another method, and it is called Operation Reacharound.
Through this method, attackers are trying to rebuild Emotet using the existing infrastructure of TrickBot. Researchers believe that the lack of spamming could be because the operators need to rebuild the Emotet infrastructure from scratch.
According to Cryptolaemus, the new Emotet loader includes new capabilities different from its previous variants. They confirmed that the malware’s command buffer is different.
“There’s now 7 commands instead of 3-4. Seems to be various execution options for downloaded binaries (since it’s not just dlls),” Cryptolaemus researchers told Bleeping Computer.
Update tweet from Cryptolaemus addressing Emotet’s reemergence:
Update on #Emotet. We are noticing now that bots are starting to spam on what we are calling the Epoch 4 botnet. There is only attachment based malspam seen so far with .docm or .xlsm(really XLSM with a lame AF Template “Excell”) or password protected ZIPs(operation ZipLock). 1/x
— Cryptolaemus (@Cryptolaemus1) November 16, 2021
Emotet Resurgence May Cause a Spike in Ransomware Infections
Emotet’s rebirth hints at the likelihood of an increase in ransomware infections. It also indicates that threat actors might aim at increasing ransomware operations across the globe given the shortage of the commodity loader ecosystem.”
Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.