Emotet infrastructure has almost doubled since resurgence was confirmed

3D illustration of the emotet botnet triggering an alert on a smartphone positioned next to a laptop
(Image credit: Shutterstock)

UPDATE: In the 24 hours after Emotet's reemergence was first confirmed, researchers have discovered that the infrastructure supporting the spread has almost doubled.

The operators of the latest version of Emotet have increased the active command and control infrastructure (C2) from eight on Monday to 14 by the end of Tuesday, according to the team at the abuse.ch research project at the Bern University of Applied Sciences.

C2s facilitate communication between the infected host and the botnet's operators, allowing them to launch attacks such as data exfiltration, distributed denial of service (DDoS), and system shutdowns and reboots.

Businesses are advised to block all of Emotet's C2s to prevent any further infection. Cryptolaemus is updating pages on online services such as URLHaus and MalwareBazaar with known C2 server addresses for those wanting to keep on top of the spread.

Some researchers said they have been analysing the resurgent Emotet's code and confirmed it has been upgraded, along with its infrastructure, leading to a "better secured", more resilient operation.

They also added that it's highly likely that the current Emotet operator, or operators, have access to the source code from the original botnet previously taken down by law enforcement.

Others, such as Trend Micro Research, are conducting further analysis to confirm these suspicions.

Elsewhere, the Cryptolaemus group have observed a new development in its delivery. The research team published an example of how URL-based lures are also now being used in addition to Emotet's traditional .zip and .docm attachment delivery methods.

Japanese cyber security firm JPCERT/CC has also released an early build of a tool that can help businesses detect the newly returned version of Emotet in infected Windows hosts.

16/11/2021: Emotet botnet returns and is 'spreading quickly' following year-long absence

The notorious malware strain Emotet is back in the wild and infecting systems, multiple security research teams have confirmed.

Security expert Luca Ebach of G Data first observed TrickBot trackers picking up suspicious activity on Sunday as bots attempted to download dynamic link library (DLL) files onto their system which contained Emotet code.

Since publishing his research on Monday, experts across the industry have corroborated the findings.

White hat hacking group Cryptolaemus published a deeper analysis on Monday evening, also confirming Emotet was back after being disrupted by international law enforcement earlier this year.

The group observed that malicious payloads are being downloaded from just seven URLs and spread via email. At this time, only attachment-based malspam has been observed (.docm and .xlsm files).

Attachments closely resemble the file templates of Emotet's previous 'Red Dawn' campaign, encouraging victims to click malicious links from inside the infected document.

Cryptolaemus believes the email addresses used to distribute Emotet are stolen and are hijacking email reply chains from a recently as October, a similar attack vector used by Emotet previously and more recently by Qakbot operators hijacking Microsoft Exchange servers.

There are slight changes to the Emotet payload code too, Ebach noted. While network traffic closely resembles that which has been observed previously, the encryption used to hide the data appears to have evolved.

Emotet samples seem to be using a method called control-flow flattening to obfuscate the code. Instead of being able to view the flow of the programme easily - like in a flow chart - all stages are placed beside each other and a switch statement controls the flow of the program, making it more difficult to see how every stage works in unison.

The malware is also now using HTTPS with a self-signed server certificate to secure its network traffic, Ebach said.

The distribution has been described as a total reverse of that seen in its original campaign. Instead of Emotet installing TrickBot, a banking trojan, the Emotet botnet is being rebuilt using TrickBot's infrastructure.

"It appears that Emotet is now delivered in systems already compromised by TrickBot, " said Nikos Mantas, incident response expert at Obrela Security Industries to IT Pro. "This change in the delivery of the payload displays a new mindset by the attackers themselves. Instead of sending malicious emails and risking triggering any defence mechanisms, Emotet now is opting for stealthier delivery inside already infected systems. If Trickbot has gone unnoticed, then Emotet should be as well.

"Although the findings are still in early report stages, hence attribution remains to be seen, it is a good time for security managers to verify if the takeaways derived from previous incidents are communicated and which corrective measures have been applied to strengthen the security posture of their organisations," he added.

Earlier in 2021, Europol coordinated an international effort to disrupt Emotet infrastructure and German law enforcement later used that infrastructure to uninstall Emotet from infected devices.

Experts have already suggested similar disruption operations should be restarted given Emotet's links to Qakbot, TrickBot, and Bazarloader - all of which have ties with ransomware.


The best defence against ransomware

How ransomware is evolving and how to defend against it


Researchers from cyber security outfits Cofense, Malwarebytes, Proofpoint, and others have all confirmed that they too have observed Emotet spreading.

"We recently became aware of what appears to be the return of Emotet," said Jason Meurer, senior research engineer at Cofense. The TrickBot malware family began delivering a dll that is suspiciously similar to the old Emotet payloads. While information is still being developed around this, the shared distribution between TrickBot and Emotet from past endeavours points to this likely being a legitimate return.

"As we’ve seen in the past, Emotet likes to do things in phases when it comes back and this appears to be the ‘staging’ phase of their operation," he added. "While we cannot say if or when we expect for them to begin sending malicious emails again, it would be a good bet that it could be within the next few weeks. This timing correlations with the holiday season and campaigns that we’ve witnessed in the past."

Since the original findings were published Monday evening, Cryptolaemus researchers said in the early hours of Tuesday morning that Emotet is "spreading fast" without a TrickBot intermediary.

Although the original Emotet campaign was thought to have been taken down earlier this year as part of Europol's Operation Lady Bird, doubts remained over whether the malware would eventually make a return.

Speaking at the time, Europol encouraged anyone concerned about being infected with the malware to keep cyber security tools updated and to adopt heightened vigilance when interacting with emails and attachments.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.