Researchers from Cryptolaemus, GData, and Advanced Intel have started to notice the TrickBot malware dropping a loader for Emotet on infected devices.
- The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542.
- The threat actors are now using a method dubbed "Operation Reacharound" to rebuild the Emotet botnet using TrickBot's existing infrastructure.
- Network administrators are advised to block the IP addresses associated with this campaign to prevent infections by the reformed Emotet bot.
At the beginning of the year, an international law enforcement action took over the Emotet infrastructure and arrested two individuals.
This operation resulted from a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.
Emotet was once described as the “world’s most dangerous malware.” Emotet worked by sending massive waves of email spam to users worldwide to infect them with its malware strain.
Once infected, these systems would enable the Emotet gang to download and install additional payloads. Over the past three to four years, Emotet has operated as a Malware-as-a-Service infrastructure for various cybercrime groups, such as ransomware gangs and Point-of-Sale malware operators.
This ended in January when the Emotet gang lost access to the servers controlling its vast network of infected devices.
Now researchers from multiple cybersecurity firms ([Cryptolaemus], [GData], and [Advanced Intel]) report that a malware botnet named TrickBot is helping the Emotet gang get back on its feet by installing the Emotet malware on systems that had previously been infected with TrickBot.
“On Sunday, November 14, at around 9:26 pm UTC, we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet,” reported GData.
Malware tracking non-profit organization Abuse.ch shared a list of C2 servers utilized by the new Emotet botnet.
A screenshot shared with The Record by Abuse.ch, a member of the Cryptolaemus group, shows the gap in Emotet’s dormant period between January and November 2021, while the group rolled out new command and control servers.
“If Emotet is truly coming back ‘online’, and it appears that it is, they will likely bring with them a bag of new tricks ready to throw at us,” warns Cofense Labs.
“We urge you to *BLOCK* these command and control servers and regularly update your block list to receive the maximum protection,” wrote Abuse.ch.
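The blocking advice above is only useful if the published C2 list is turned into something a network team can apply and check against. The following is an added example, not code from Abuse.ch, the researchers, or the article's author: it assumes a simple "ip,port,first_seen" CSV feed (a constructed format, using documentation-range addresses rather than real Emotet infrastructure), parses it into an ip:port block set, matches that set against constructed firewall log lines to find hosts that already talked to a listed server, and emits one drop rule per entry. The log line shape and the `FORWARD`-chain rule are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample of a C2 feed in the assumed "ip,port,first_seen" CSV shape.
# The addresses are documentation ranges (RFC 5737), not real Emotet C2 servers.
SAMPLE_FEED = """\
# Emotet C2 list (constructed example, not real data)
# ip_address,port,first_seen
192.0.2.10,8080,2021-11-14
198.51.100.23,443,2021-11-15
203.0.113.7,7080,2021-11-15
not-an-ip,80,2021-11-15
"""

# Constructed sample of firewall log lines (assumed key=value format).
SAMPLE_LOG = """\
2021-11-15T10:01:02Z ALLOW src=10.0.0.5 dst=198.51.100.23 dport=443 proto=tcp
2021-11-15T10:01:09Z ALLOW src=10.0.0.7 dst=93.184.216.34 dport=443 proto=tcp
2021-11-15T10:02:44Z ALLOW src=10.0.0.5 dst=192.0.2.10 dport=8080 proto=tcp
2021-11-15T10:03:10Z ALLOW src=10.0.0.9 dst=192.0.2.10 dport=443 proto=tcp
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_blocklist(feed_text):
    """Return a set of (ip, port) tuples from the feed, skipping comments
    and malformed rows so that a bad line never becomes a bad rule."""
    entries = set()
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0].strip()))  # validates IPv4/IPv6
            port = int(fields[1].strip())
        except ValueError:
            continue  # "not-an-ip" style rows are dropped, not blocked
        entries.add((ip, port))
    return entries


def match_connections(log_lines, blocklist):
    """Retro-hunt: return the log lines whose destination ip:port is on the
    block set. Port is part of the key, so 192.0.2.10:443 does not match
    a listing for 192.0.2.10:8080."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (m["dst"], int(m["dport"]))
        if key in blocklist:
            hits.append({"src": m["src"], "dst": key[0], "dport": key[1], "raw": line})
    return hits


def iptables_rules(blocklist):
    """Emit one deterministic DROP rule per ip:port (assumed FORWARD chain)."""
    return [
        f"iptables -A FORWARD -d {ip} -p tcp --dport {port} -j DROP"
        for ip, port in sorted(blocklist)
    ]


if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_FEED)
    for hit in match_connections(SAMPLE_LOG.splitlines(), bl):
        print(f"internal host {hit['src']} contacted C2 {hit['dst']}:{hit['dport']}")
    print("\n".join(iptables_rules(bl)))
```

Re-running `parse_blocklist` on each refreshed feed and regenerating the rules is the "regularly update your block list" part of the advice; the `match_connections` pass over historical logs is what tells you which internal hosts need to be looked at for an existing TrickBot infection rather than just future blocking.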