The notorious Emotet malware is staging a comeback of sorts nearly 10 months after a coordinated law enforcement operation dismantled its command-and-control infrastructure in late January 2021.
According to a new report from security researcher Luca Ebach, the infamous TrickBot malware is being used as an entry point to distribute what appears to be a new version of Emotet on systems previously infected by the former. The latest variant takes the form of a DLL file, with the first occurrence of the deployment being detected on November 14.
Europol dubbed Emotet the “world’s most dangerous malware” for its ability to act as a “door opener” for threat actors to obtain unauthorized access, making it a precursor to many critical data theft and ransomware attacks. Notably, the loader operation enabled other malware families such as TrickBot, QakBot, and Ryuk to enter a machine.
The resurfacing is also significant not least because it follows concerted efforts on the part of law enforcement to automatically uninstall the malware en masse from compromised computers in April.
At the time of writing, malware tracking research project Abuse.ch’s Feodo Tracker shows nine Emotet command-and-control servers that are currently online.
Samples of the new Emotet loader can be accessed here. To prevent devices from being co-opted into the newly active Emotet botnet, network administrators are strongly advised to block all the relevant IP addresses.