Tags: Botnet, Cyber Crime, Emotet, Malware, Ransomware, TrickBot
According to a report from security researcher Luca Ebach, the notorious TrickBot malware is now being used as an entry point to distribute a new version of Emotet on systems TrickBot had already infected.
The new variant is delivered as a DLL file, and its first deployment was detected on November 14. Today, researchers from Advanced Intel, GData, and Cryptolaemus announced that they have observed TrickBot dropping the Emotet loader on infected devices.
Previously, Emotet was distributed through malicious documents and attachments; once it had infected a device, it installed QakBot/QBot and TrickBot, giving attackers the access needed to deploy ransomware such as:
Earlier in 2021, a coordinated operation spearheaded by Europol and Eurojust took down the Emotet infrastructure and detained two individuals. After that action, the malware operators went underground.
Subsequently, on April 25, 2021, German law enforcement pushed an Emotet module that uninstalled the malware from infected devices as part of “Operation Ladybird.”
Cryptolaemus researcher and Emotet expert Joseph Roosen explained that they have not seen the Emotet botnet running the spam campaigns it conducted before going underground.
Nor have they found any malicious documents dropping the malware. Instead, the operators are using a different approach this time, which researchers have dubbed Operation Reacharound.
Through this method, the attackers are attempting to rebuild Emotet on top of TrickBot’s existing infrastructure. Researchers believe the absence of spamming is because the operators first need to rebuild the Emotet infrastructure from scratch.
According to Cryptolaemus, the new Emotet loader has capabilities that differ from its previous variants; in particular, they confirmed that the malware’s command buffer has changed.
“There’s now 7 commands instead of 3-4. Seems to be various execution options for downloaded binaries (since it’s not just dlls),” Cryptolaemus researchers told Bleeping Computer.
Update tweet from Cryptolaemus addressing Emotet’s reemergence:
Update on #Emotet. We are noticing now that bots are starting to spam on what we are calling the Epoch 4 botnet. There is only attachment based malspam seen so far with .docm or .xlsm(really XLSM with a lame AF Template "Excell") or password protected ZIPs(operation ZipLock). 1/x
— Cryptolaemus (@Cryptolaemus1) November 16, 2021
Emotet’s rebirth hints at the likelihood of an increase in ransomware infections. It also indicates that threat actors might aim at increasing ransomware operations across the globe given the shortage of the commodity loader ecosystem.
HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.