Once described as “the world’s most dangerous malware,” Emotet has allegedly returned and is being installed on Windows systems infected with TrickBot malware. 


First, some background. Emotet was one of the most professional and long-lasting cybercrime services. Discovered as a Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years. According to Europol, the Emotet infrastructure acted as a primary door opener for computer systems on a global scale. Once access was established, these were sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.


What made it so dangerous, Europol says, was that the malware was offered for hire to other cybercriminals to install different types of malware, such as banking Trojans or ransomware, onto a victim’s computer. This type of operation is called a ‘loader’, and Emotet is said to have been one of the most prominent players in the cybercrime world, as other malware operators such as TrickBot and Ryuk benefited from it. Its way of infecting networks, spreading laterally after gaining access to just a few devices, made it one of the most resilient malware families in the wild.


Europol severely disrupted Emotet earlier this year by gaining control of its infrastructure and taking it down from the inside. Infected machines of victims were redirected towards law enforcement-controlled infrastructure to effectively disrupt the threat actors’ activities. 


Now, researchers have recently observed the TrickBot trojan launching what appears to be a new loader for the notorious malware onto Windows machines. 


“We observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification,” Luca Ebach, a security researcher at G Data, wrote in a blog post.


Other cybersecurity researchers from Cryptolaemus and AdvIntel also confirmed that Emotet seems to have returned.


According to security researcher Brad Duncan, the Emotet botnet has begun spamming multiple email campaigns, using reply-chain emails, to trick recipients into opening the malicious files and infecting their devices with the malware.


Stefano De Blasi, Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, explains, “According to security researchers examining the malware’s return, Emotet is likely rebuilding part of its infrastructure with the help of TrickBot’s existing one. As part of these resource development efforts, the Emotet operators are likely stealing email chains to use them in further malicious activities. As we detailed in our latest blog on Fight the Phish!, cybercriminals are increasingly using email hijacking techniques during their social engineering campaigns. Once in control of a victim’s email account, threat actors can monitor conversations and identify the ideal opportunity to insert a malicious email into an existing thread. As Kim said, ‘While this is arguably more labor-intensive for a threat actor, it yields higher rewards too.’”


De Blasi adds, “The new variant of the infamous malware reportedly follows a similar path of delivering both malicious Office or ZIP files, in addition to other command-and-control (C2) payloads. These are reportedly being distributed via the Trickbot botnet, once again highlighting the close connection between the two malware families. With this return, Emotet will likely be adopted back into the playbook of several prominent cybercriminals, which will almost certainly include ransomware groups. The removal of Emotet left a vacuum filled by some alternate malware, including Dridex, Qakbot, and IcedID. Many cybercriminal groups may return to Emotet as a tried and tested approach, although these changes will likely be reflected over several months. It will certainly take some time to rebuild Emotet’s infrastructure; however, its massive reputation in the cybercriminal community makes it a predictable choice for many threat actors looking to expand their operations.”


So, what should security teams be looking out for, you may ask. De Blasi says, “The threat posed by Emotet is significant; however, its return shouldn’t signal a dramatic shift for blue teams. Security teams should follow basic cyber security hygiene practices to ensure an adequate level of protection much in the same way as other malware variants. Email gateways to stop malicious emails from arriving, user awareness of phishing campaigns, and applying restrictions on the use of macros within Office files will assist in lowering the risk posed by most forms of malware. Additionally, monitoring for impersonating domains, enabling multi-factor authentication, and ensuring a smooth phishing reporting process are crucial steps in defending against Emotet.”
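One of the controls De Blasi lists, restricting Office macros, can be applied per user with the same registry policy values that the corresponding Group Policy settings write. The script below is an added example and is not code from the article, G Data or Digital Shadows; it assumes Office 2016 or later (the `16.0` policy key), sets the “block macros from the Internet” policy plus a signed-only VBA warning level for Word, Excel and PowerPoint, reads the values back, and includes a small helper that checks whether a file carries the Mark of the Web on which the Internet-blocking policy depends. The sample file name in the usage call is a placeholder.

```powershell
# Added example (not from the article or the vendors it quotes).
# Assumptions: Office 2016/2019/365 (registry version key 16.0); settings are
# applied to the current user's Policies hive. In a domain, push the same
# values through Group Policy rather than running this on each host.

$OfficeVersion = '16.0'                      # assumption: Office 2016+ key
$Apps          = @('Word', 'Excel', 'PowerPoint')

function Set-OfficeMacroPolicy {
    param(
        [string]$Version = $OfficeVersion,
        [string[]]$Applications = $Apps,
        # VBAWarnings: 2 = disable with notification, 3 = disable except
        # digitally signed macros, 4 = disable all macros without notification
        [ValidateSet(2, 3, 4)][int]$VbaWarningLevel = 3
    )
    foreach ($App in $Applications) {
        $Key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

        # 1 = block macro execution in files that carry the Mark of the Web
        # (downloaded from the Internet or saved from a mail client)
        New-ItemProperty -Path $Key -Name 'blockcontentexecutionfrominternet' `
            -PropertyType DWord -Value 1 -Force | Out-Null

        New-ItemProperty -Path $Key -Name 'VBAWarnings' `
            -PropertyType DWord -Value $VbaWarningLevel -Force | Out-Null
    }
}

function Get-OfficeMacroPolicy {
    param([string]$Version = $OfficeVersion, [string[]]$Applications = $Apps)
    foreach ($App in $Applications) {
        $Key   = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
        $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App          = $App
            BlockFromWeb = $Props.blockcontentexecutionfrominternet
            VBAWarnings  = $Props.VBAWarnings
        }
    }
}

function Test-MarkOfTheWeb {
    # The Internet-blocking policy only fires for files that carry the
    # Zone.Identifier alternate data stream (ZoneId=3 means Internet zone).
    param([Parameter(Mandatory)][string]$Path)
    $Ads = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $Ads) { return $false }
    (Get-Content -LiteralPath $Path -Stream Zone.Identifier) -match 'ZoneId=3' | Out-Null
    return $true
}

Set-OfficeMacroPolicy -VbaWarningLevel 3
Get-OfficeMacroPolicy | Format-Table -AutoSize

# Placeholder path: check that an attachment pulled from mail still carries MotW.
# Test-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\invoice.doc"
```

The MotW check matters for the ZIP-delivered payloads the article mentions: Windows’ built-in extraction propagates the Zone.Identifier stream to extracted files, but some third-party archivers have not, and a document without the stream is not covered by `blockcontentexecutionfrominternet`, only by the `VBAWarnings` level. Setting `VBAWarnings` to 4 is the strictest option if the environment does not rely on signed macros.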