Emotet malware is back and potentially nastier than ever

Cybersecurity researchers have once again begun to see threat actors dropping malware in an attempt to relaunch the infamous Emotet botnet.

In January of this year, law enforcement in Europe and North America joined forces in a coordinated effort to disrupt and remove the Emotet botnet.

However, several vendors and security experts, including Cryptolaemus, GData, and Advanced Intel, have detected activity that points to Emotet's imminent return.

“On Sunday, November 14 at around 9:26pm UTC, we observed in several of our Trickbot crawlers that the bot was attempting to download a DLL onto the system. Based on internal processing, these DLLs have been identified as Emotet… We are currently convinced that the samples appear to be a reincarnation of the infamous Emotet,” says GData.

From the dead?

Emotet had become the go-to access broker for cybercriminals: its operators used the botnet's infrastructure to gain a foothold on targeted systems globally, then sold that access to other cybercrime groups for ransomware deployment, including Ryuk, Conti, ProLock, Egregor, and several others.

Reporting on the development, BleepingComputer notes that in an apparent change of tactics, the threat actors behind the Emotet revival are using a method dubbed "Operation Reacharound" to rebuild the Emotet botnet on top of TrickBot's existing infrastructure: systems already infected with TrickBot are being instructed to download and run the new Emotet loader.

The Cryptolaemus research group, which tracks Emotet, has started to analyze the new loader and has already spotted changes from the previous version.

"So far, we can certainly confirm that the command buffer has changed. There are now 7 commands instead of 3-4. There seem to be multiple execution options for the downloaded binaries (since they are not just dlls)," said the researchers at Cryptolaemus.

The researchers also added that while they haven't yet seen any signs of spam activity from the Emotet botnet or found any malicious documents that drop the malware, it's only a matter of time.

"This is a harbinger of possible imminent Emotet malware activity fueling major ransomware operations around the world given the scarcity of the loader ecosystem," Advanced Intel's Vitali Kremez told BleepingComputer.
