Old malware—even strains that have been taken down by law enforcement—never die. Nor do they just fade away; instead, they disappear for a while, regroup and re-emerge. This is exactly what the self-propagating and modular loader Emotet has done, and the scenario is likely to repeat itself as long as the incentives are there for criminal gangs.
“In early 2021, Emotet was disrupted by Operation Ladybird, a coordinated effort by global law enforcement agencies and their partners to dismantle the botnet,” said Davis McCarthy, principal security researcher at Valtix. “Despite their initial success, Emotet returned at the end of 2021 and continued its legacy of persisting through takedowns.”
Less than a year after the joint effort between law enforcement and multiple governments disrupted the Emotet botnet, a new version of the malware emerged, primarily because “a partnership between Emotet operators and the Trickbot group allowed Trickbot operators to leverage the Emotet infrastructure to distribute Trickbot, a banking trojan,” said researchers at BitSight, who have seen Emotet target more than three million unique email addresses with spam since March 2022 and have identified 339 Tier-1 C2 servers.
“On November 14, 2021, Trickbot command-and-control servers began issuing tasks to their infected machines, instructing them to download a new Emotet version,” the researchers wrote in a blog post. “Emotet began spreading rapidly once again.”
With 300,000 unique email credentials stolen since March, BitSight researchers believe “Emotet is again becoming a significant malware threat.”
That’s not surprising, considering that its popularity has always been primarily because of its functionality. “Emotet is a self-propagating and ‘modular loader’ malware, which means that while it is running on an infected system, botnet operators can send different modules that are capable of executing different jobs,” said BitSight.
“The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. It was then rented by cybercriminals to install their own malware: Info stealers, ransomware, banking trojans and other types of malware,” the researchers said. “In many respects, Emotet worked like a SaaS solution,” though it is more accurately described as malware-as-a-service (MaaS).
Noting Emotet’s “prolific reputation as a reliable MaaS,” McCarthy said threat actors frequently use the botnet in their campaigns.
“Indeed, the MaaS model proved successful, reliable and, above all else, profitable, so why wouldn’t someone try to resurrect it?” said Andrew Hay, COO at LARES Consulting. “Why reinvent the wheel when the old wheel worked perfectly fine?”
McCarthy pointed out that “the impact of an Emotet infection could range from minor credential theft to operational outages caused by ransomware.”
Even though the malware “is most likely still in a growing/testing phase and recovering from the effects of the takedown,” researchers said that “organizations should treat it as a significant adversary to their infrastructures since it can cause lots of damage to them and enable access to other criminals, such as ransomware operators.” In other words, they should be on heightened alert that Emotet is back as a threat and is taking aim at companies worldwide.
Since Emotet is spread primarily through malicious email attachments or links, companies should reinforce security best practices and take preemptive action to prevent suspicious emails from being opened.
“Emotet frequently updates its capabilities, like adding password-protected files to its phishing emails to make them appear legitimate,” said McCarthy. “Defense-in-depth, user security training and threat hunting are the best countermeasures for a threat like Emotet.”