Emotet, one of today’s largest and most dangerous malware botnets, has returned to life after a period of inactivity that lasted nearly four months, since the end of May this year.
During that time, the botnet’s command and control (C&C) servers had been shut down, and Emotet stopped sending out commands to infected bots, and new email spam campaigns to infect new victims.
Some security researchers hoped that law enforcement had secretly found a way to shut down the prodigious botnet; however, it was not to be.
New spam campaigns
Emotet started spewing out new spam emails today, Raashid Bhat, a security researcher at SpamHaus, told ZDNet.
According to Bhat, the emails contained malicious file attachments or links to malware-laced downloads. The spam campaign that started spewing today from Emotet’s infrastructure is primarily aimed at Polish and German-speaking users.
Emotet is back spamming after months of inactivity. Currently they’re using stolen emails to reply to existing email threads with malspam (targeting DE).
— MalwareTech (@MalwareTechBlog) September 16, 2019
#emotet has resumed spamming operations this morning. We will provide some updates soon.
— Cofense Labs (@CofenseLabs) September 16, 2019
Users who receive these emails, and download and execute any of the malicious files are exposing themselves to getting infected with the Emotet malware.
Once infected, computers are added to the Emotet botnet. The Emotet malware on infected computers acts as a downloader for other threats.
Emotet is known to deliver modules that can extract passwords from local apps, spread laterally to other computers on the same network, and even steal entire email threads to later re-use in spam campaigns.
In addition, the Emotet gang is also known to run their botnet as a Malware-as-a-Service (MaaS), where other criminal gangs can rent access to Emotet-infected computers and drop their own malware strains alongside Emotet.
Some of Emotet’s most well-known customers are the operators of the Bitpaymer and Ryuk ransomware strains, which have often rented access to Emotet-infected hosts to infect enterprise networks or local governments with their ransomware strains.
Emotet revival was expected
Today’s Emotet revival was not a total surprise for security researchers. The Emotet C&C servers went down at the end of May, but they actually came back to life at the end of August.
Initially, they didn’t start sending out spam right away. For the past few weeks, the C&C servers have been sitting idly, serving binaries for the Emotet “lateral movement” and “credentials stealing” modules, Bhat told ZDNet in an interview today.
Bhat believes the Emotet operators have spent the last few weeks re-establishing communications with previously infected bots that they abandoned at the end of May, and spreading across local networks to maximize the size of their botnet before moving on to their main operation — sending out email spam.
This ramp-up period was predicted by several security researchers last month when the Emotet crew turned on the lights on the C&C servers.
not to mention the distribution wing is a whole botnet of its own that needs to be fired up, fed hacked wordpress inventory, shells deployed, etc.
even tiered infrastructure for the distro wing.
has to be running first.
— JTHL (@JayTHL) August 23, 2019
The fact that Emotet operations went dead for a few months is not really a “new thing.” Malware botnets often go inactive for months for different reasons.
Some botnets go dark to upgrade infrastructure, while other botnets go down just because operators take vacations. For example, the Dridex botnet regularly goes down each year between mid-December and mid-January, for the winter holidays.
At the time of writing, it is unclear why Emotet has shut down over the summer. Nonetheless, the botnet came back in its previous state, continuing to operate using a dual infrastructure model, effectively running on two separate botnets.
TrickBot replaced Emotet as top botnet
But even if Emotet shut down operations for nearly four months, other botnets didn’t take a break. While Emotet had been down, the operators of the TrickBot botnet have taken the title of the most active malware operation on the market.
This chart shows the number of Emotet Vs. TrickBot malware samples since Jan 2019. You can clearly see the disappearance of Emotet 📉 malspam campaigns end of May and the rise of TrickBot 📈 in July that is nowadays used to deploy Ransomware 🔒💰on corporate networks 🏛️ pic.twitter.com/IdPoGxYMbO
— abuse.ch (@abuse_ch) August 13, 2019
Emotet and TrickBot share many similarities. Both were banking trojans that were re-coded to work as malware loaders — malware that downloads other malware.
Both infect victims and then download other modules to steal credentials or move laterally across a network. Furthermore, they both sell access to infected hosts to other malware gangs, such as cryptocurrency mining operations and ransomware operators.
With TrickBot operations in full stride, Emotet coming back to life is bad news for system administrators in charge of protecting enterprise and government networks, both botnets’ favorite targets.
Security researchers and system administrators looking for file hashes, server IP addresses, spam email subject lines, and other indicators of compromise (IOCs) can find this data freely shared on Twitter. Cryptolaemus, a group of security researchers tracking the Emotet botnet, are also expected to publish free threat intel data later today.