Skip to main content

Emotet malware is back, and potentially nastier than ever

Botnet
(Image credit: Shutterstock / BeeBright)

Cybersecurity professionals have once again begun to see threat actors drop malware in a bid to revive the infamous Emotet botnet.

In January this year, law enforcement agencies in Europe and North America joined forces as part of a coordinated effort to disrupt and take down the Emotet botnet.

However, multiple security vendors and experts, including Cryptolaemus, GData, and Advanced Intel have detected activity that points to Emotet’s imminent return.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

“On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet….Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet,” asserts GData.

Back from the dead?

The Emotet malware had evolved into the go-to solution for cybercriminals who used its infrastructure to gain access to targeted systems on a global scale. Its operators then sold this access to other cybercrime groups for deploying ransomware including Ryuk, Conti, ProLock, Egregor, and several others.

Reporting on the development, BleepingComputer notes that in an apparent change of tactics, the threat actors behind Emotet’s revival are now using a method dubbed “Operation Reacharound” to rebuild the Emotet botnet using TrickBot's existing infrastructure.

Emotet research group Cryptolaemus has begun analyzing the new Emotet loader, and has detected changes compared to the past. 

"So far we can definitely confirm that the command buffer has changed. There's now 7 commands instead of 3-4. Seems to be various execution options for downloaded binaries (since its not just dlls)," noted Cryptolaemus researchers.

Researchers also added that although they had not seen any signs of the Emotet botnet performing spamming activity or found any malicious documents dropping the malware, it’s only a matter of time.

"It is an early sign of the possible impending Emotet malware activity fueling major ransomware operations globally given the shortage of the commodity loader ecosystem," Advanced Intel's Vitali Kremez told BleepingComputer.

It's time to batten down the hatches with the help of these best firewall apps and services, and ensure your computers are protected with these best endpoint protection tools.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.