Emotet was for years one of the most widely distributed malware families, spread through spam campaigns carrying malicious attachments.
Emotet used infected devices to send further spam and to install other payloads, such as the QakBot (Qbot) and TrickBot malware. Those payloads in turn gave ransomware operators initial access to victim networks, leading to deployments of Ryuk, Conti, ProLock, Egregor, and many others.
At the beginning of this year, due to an international law enforcement action coordinated by Europol and Eurojust, the Emotet infrastructure was taken down and two individuals were arrested.
German law enforcement then used the seized infrastructure to push an Emotet module that uninstalled the malware from infected devices on April 25th, 2021.
Now the Emotet research group Cryptolaemus, GData, and Advanced Intel have begun seeing the TrickBot malware drop an Emotet loader on already-infected devices.
Previously it was Emotet that installed TrickBot; now the roles are reversed, in what Cryptolaemus calls "Operation Reacharound": the Emotet botnet is being rebuilt on top of TrickBot's existing infrastructure.
According to Joseph Roosen, Emotet expert and Cryptolaemus researcher, they had not seen any signs of the Emotet botnet performing spamming activity or found any malicious documents dropping the malware.
This lack of spamming activity is likely because the Emotet infrastructure is being rebuilt from scratch, and because new reply-chain emails must first be stolen from victims before they can be reused in future spam campaigns.
Cryptolaemus has started analyzing the new Emotet loader and reports that it includes changes compared with previous variants.
Among them, the researchers confirmed that the command buffer has been reworked and now holds seven commands instead of the three or four seen before.
Advanced Intel’s Vitali Kremez warns that the rebirth of the malware botnet would likely lead to a surge in ransomware infections.
Emotet's re-emergence shows that the takedown did not stop the operators from retaining the malware builder and standing up new back-end infrastructure to bring it back to life.
Abuse.ch, a non-profit malware-tracking organization, has released a list of command and control servers used by the new Emotet botnet and strongly recommends that network administrators block the associated IP addresses.
Notably, the new Emotet infrastructure is growing rapidly, with 246 infected devices already acting as command and control servers.
Network administrators are strongly advised to block the associated IP addresses to prevent devices on their networks from communicating with, or being recruited into, the newly reformed Emotet botnet.
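The following is an added example, not code from Abuse.ch or from this article, of how an administrator might act on a C2 blocklist like the one described above: parse a one-IP-per-line list (with "#" comments, as Abuse.ch text exports use), sweep existing outbound firewall logs for connections to listed addresses, and emit iptables rules to block them. The blocklist and log lines are constructed, the addresses come from RFC 5737 documentation ranges rather than real Emotet servers, and the "key=value" log format is an assumption.

```python
"""Match outbound connection logs against a C2 IP blocklist and emit block rules.

Added example: the blocklist contents, the log lines and their key=value
format are all constructed for illustration; the IPs are RFC 5737
documentation addresses, not real Emotet C2 servers.
"""
import ipaddress
import re

# Constructed blocklist in the one-IP-per-line, '#'-comment text style.
BLOCKLIST_TEXT = """\
# Constructed sample C2 blocklist (placeholder addresses only)
# Generated: 2021-11-16 00:00:00 UTC
192.0.2.10
192.0.2.45
198.51.100.7
203.0.113.200
"""

# Constructed firewall log lines (hypothetical key=value format).
SAMPLE_LOGS = [
    "2021-11-16T09:12:01Z action=allow src=10.0.5.21 dst=192.0.2.45 dport=443 proto=tcp",
    "2021-11-16T09:12:03Z action=allow src=10.0.5.22 dst=198.51.100.99 dport=443 proto=tcp",
    "2021-11-16T09:12:09Z action=allow src=10.0.5.21 dst=203.0.113.200 dport=8080 proto=tcp",
    "2021-11-16T09:13:40Z action=allow src=10.0.7.3 dst=192.0.2.10 dport=80 proto=tcp",
]

_SRC_RE = re.compile(r"\bsrc=(\S+)")
_DST_RE = re.compile(r"\bdst=(\S+)")
_PORT_RE = re.compile(r"\bdport=(\d+)")


def parse_blocklist(text):
    """Return the set of valid IP addresses in a '#'-commented blocklist.

    Blank lines, comments and anything that is not a syntactically valid
    IP address are skipped rather than blindly turned into firewall rules.
    """
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            blocked.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # malformed entry; do not feed it to the firewall
    return blocked


def find_hits(log_lines, blocked):
    """Return one record per log line whose destination is a blocked C2 IP."""
    hits = []
    for line in log_lines:
        dst = _DST_RE.search(line)
        if not dst or dst.group(1) not in blocked:
            continue
        src = _SRC_RE.search(line)
        port = _PORT_RE.search(line)
        hits.append({
            "src": src.group(1) if src else None,
            "dst": dst.group(1),
            "dport": int(port.group(1)) if port else None,
            "line": line,
        })
    return hits


def suspect_hosts(hits):
    """Internal hosts that already talked to a C2: candidates for isolation."""
    return sorted({h["src"] for h in hits if h["src"]})


def iptables_rules(blocked):
    """Emit DROP rules for both locally originated and forwarded traffic."""
    rules = []
    for ip in sorted(blocked, key=ipaddress.ip_address):
        rules.append(f"iptables -A OUTPUT -d {ip} -j DROP")
        rules.append(f"iptables -A FORWARD -d {ip} -j DROP")
    return rules


if __name__ == "__main__":
    c2 = parse_blocklist(BLOCKLIST_TEXT)
    for hit in find_hits(SAMPLE_LOGS, c2):
        print(f"C2 contact: {hit['src']} -> {hit['dst']}:{hit['dport']}")
    print("hosts to isolate:", suspect_hosts(find_hits(SAMPLE_LOGS, c2)))
    print("\n".join(iptables_rules(c2)))
```

Two practical caveats: the C2 list for a botnet that is still being rebuilt changes daily, so the blocklist has to be re-pulled and the rules regenerated rather than applied once; and a hit from an internal source address means that host has most likely already run the loader, so it should be isolated and investigated, not merely cut off from that one IP.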