Emotet was at times considered the most dangerous malware. Using so-called dynamite phishing, it penetrated even well-secured networks. But at the beginning of the year, several authorities struck the Emotet network: they confiscated the servers and delivered only harmless updates from then on. In April of this year, they finally deleted the Emotet malware from the infected systems. Now, however, machines infected with the Trickbot malware have started installing new Emotet variants.
As GData reported, on Sunday the Trickbot drones started downloading new DLLs that the automated analysis systems classified as Emotet. To clarify what was going on, the virus laboratory carried out manual analyses and came to the conclusion: it looks like Emotet, smells like Emotet and behaves like Emotet, so it is probably Emotet.
The code and operation of the new version are similar to the well-known Emotet samples, but the bot programmers have made some changes. According to GData, unlike the last malware versions from last year, the servers now use HTTPS with self-signed certificates to secure communication, and the encryption used to hide the data has been slightly changed.
Trickbot gives Emotet a leg up
The gang behind Emotet has worked with the Trickbot masterminds before. In the past, the Emotet backers sold access to company networks, so that after the initial infection with Emotet, Trickbot often landed on the compromised machines. These then encrypted the victims’ systems with the Ryuk ransomware and demanded hefty ransom sums (the exact procedure is explained in the article “Emotet, Trickbot, Ryuk – an explosive malware cocktail”).
The Trickbot gang remained active even after the takedown of Emotet. Within a few days they looked for other suppliers of access to company networks and built up a flourishing “Ransomware as a Service” business based on the Conti extortion software. They rent out their malware and infrastructure to emerging cybercrime gangs. And now they are apparently helping their buddies from the old days back into the saddle.
Emotet’s specialty was particularly well-crafted phishing emails, so-called dynamite phishing. The selected targets receive personalized e-mails that appear to come from colleagues or business partners and even quote previous e-mails of the recipient. The aim is to trick the recipient(s) into opening the attached Office file.
In the meantime, the new Emotet drones are already sending malware spam by email again, as researchers from the Cryptolaemus group report on Twitter. According to them, the bots send specially prepared documents as .docm, .xlsm or password-protected ZIP files to potential victims. The botnet experts from abuse.ch therefore recommend that all admins block the Command & Control servers on their companies’ perimeter firewalls as a precaution. They maintain a list of the IP addresses of known Emotet servers.
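The attachment types named above (.docm, .xlsm and password-protected ZIPs) can be triaged on a mail gateway by looking inside the file rather than trusting the file name. The following is an added example and not code from the article, GData, Cryptolaemus or abuse.ch: it treats OOXML documents as the ZIP containers they are, flags a macro project (`vbaProject.bin`) whatever the file is called, and detects password-protected archives from the ZIP header flag. The verdict names, the `.pptm` entry and the in-memory sample files are this example’s own constructions; `mark_encrypted` only sets the header flag so a constructed sample looks password-protected, it encrypts nothing.

```python
"""Triage mail attachments by content: macro-enabled Office files and
password-protected ZIPs (added example, not the article's or any vendor's code)."""
import io
import zipfile

# Macro-enabled OOXML suffixes; .docm/.xlsm are from the article, .pptm is an assumption.
MACRO_SUFFIXES = (".docm", ".xlsm", ".pptm")
# Member names an OOXML container carries when it embeds a VBA project.
MACRO_MARKERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def _zip_entries(data):
    """Return the central-directory entries, or None if the bytes are not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return None


def triage_attachment(filename, data):
    """Classify an attachment. Content is checked before the name, because a
    renamed .docm is still a ZIP container with a VBA project inside."""
    entries = _zip_entries(data)
    if entries is None:
        return "not-a-zip"
    # Bit 0 of the general-purpose flag marks an encrypted (password-protected) entry.
    if any(e.flag_bits & 0x1 for e in entries):
        return "encrypted-archive"
    names = {e.filename for e in entries}
    if any(marker in names for marker in MACRO_MARKERS):
        return "macro-document"
    if filename.lower().endswith(MACRO_SUFFIXES):
        return "macro-extension-no-vba"   # macro-enabled name, but no VBA project found
    return "zip-no-macros"


def build_zip(members):
    """Constructed sample container: members maps member name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(data):
    """Set the 'encrypted' flag bit in every local file header (offset 6) and
    central-directory header (offset 8) of a constructed ZIP. The payload is
    left as is; this only makes the header look password-protected for the demo."""
    out = bytearray(data)
    for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(signature)
        while pos != -1:
            out[pos + offset] |= 0x1
            pos = out.find(signature, pos + 4)
    return bytes(out)


if __name__ == "__main__":
    # Constructed samples, not real malware.
    docm = build_zip({"word/document.xml": b"<w/>", "word/vbaProject.bin": b"\x00"})
    docx = build_zip({"word/document.xml": b"<w/>"})
    locked = mark_encrypted(build_zip({"invoice.docm": b"PK"}))
    for name, blob in (("invoice.docm", docm), ("invoice.docx", docm),
                       ("report.docx", docx), ("invoice.zip", locked)):
        print(f"{name:14s} -> {triage_attachment(name, blob)}")
```

In a real gateway the “encrypted-archive” and “macro-document” verdicts would feed a quarantine or a sandbox step; the point of the content check is that renaming a .docm to .docx, or hiding it inside a password-protected ZIP, does not change what the parser sees.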
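The firewall advice above is a list-to-rules job plus a retrospective check of existing logs. The following is an added example and not code from the article or from abuse.ch: it assumes the blocklist arrives as one IP or CIDR per line with `#` comments (the real feed’s format is not quoted on the page), renders an nftables set with drop rules in both directions, and scans constructed firewall log lines for past contacts with listed addresses. All addresses in the sample feed and log are RFC 5737 documentation ranges, not real Emotet indicators, and the log format is this example’s own.

```python
"""Turn a C2 IP blocklist into nftables rules and check past logs against it
(added example; feed and log lines are constructed, not real indicators)."""
import ipaddress
import re

# Constructed sample feed in a "one entry per line, # comments" layout.
# RFC 5737 documentation addresses only; NOT real Emotet servers.
SAMPLE_FEED = """\
# constructed sample feed for an added example
192.0.2.10
192.0.2.11      # trailing comments are tolerated
198.51.100.7
not-an-ip       # malformed lines are skipped, not fatal
203.0.113.0/24
"""

# Constructed log lines in a key=value layout assumed for this example.
SAMPLE_LOG = """\
2021-11-15T10:01:02Z fw src=10.0.5.23 dst=192.0.2.11 dport=443 proto=tcp action=allow
2021-11-15T10:01:05Z fw src=10.0.5.24 dst=198.51.100.200 dport=443 proto=tcp action=allow
2021-11-15T10:02:17Z fw src=10.0.7.9 dst=203.0.113.77 dport=8080 proto=tcp action=allow
"""

DST_FIELD = re.compile(r"\bdst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_blocklist(text):
    """Parse the feed into IPv4 networks; single addresses become /32 entries."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue   # one bad line must not drop the whole list
        if net.version == 4:   # the nftables set below is typed ipv4_addr
            nets.append(net)
    return nets


def nftables_rules(nets, set_name="emotet_c2"):
    """Render an nftables snippet: an interval set and drop rules on the forward hook."""
    elements = ", ".join(str(n) for n in nets)
    return "\n".join([
        "table inet filter {",
        f"  set {set_name} {{",
        "    type ipv4_addr",
        "    flags interval",
        f"    elements = {{ {elements} }}",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f'    ip daddr @{set_name} counter log prefix "{set_name}-egress " drop',
        f'    ip saddr @{set_name} counter log prefix "{set_name}-ingress " drop',
        "  }",
        "}",
    ])


def find_contacts(log_text, nets):
    """Return (destination, line) pairs whose destination falls in a listed network.
    A hit means a host already talked to a listed address and needs triage."""
    hits = []
    for line in log_text.splitlines():
        match = DST_FIELD.search(line)
        if not match:
            continue
        dst = ipaddress.ip_address(match["dst"])
        if any(dst in net for net in nets):
            hits.append((match["dst"], line))
    return hits


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_FEED)
    print(nftables_rules(blocked))
    for dst, line in find_contacts(SAMPLE_LOG, blocked):
        print("prior contact with", dst, "->", line)
```

Blocking is only half of the recommendation’s value: the retrospective scan is what tells you whether a machine on your network already reached a listed server before the rule existed, which is the case that needs an incident response rather than a firewall change.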