BACKGROUND:
Researchers from , GData, Cryptolaemus, and Advanced Intel have reported seeing the TrickBot malware downloading DLLs for Emotet on infected devices. In January of this year, an international effort including eight countries dismantled the Emotet infrastructure and arrested two individuals, but now it’s back and spreading. GData blog Excerpts:
- On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification. … we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet.
- Sunday, November 14, 9:26pm: … Internal processing detected Emotet when executing the sample in our sandbox systems. Notably, the sample seems to have been compiled just before the deployment via several Trickbot botnets was observed.
- The network traffic originating from the sample closely resembles what has been observed previously (e.g. as described by Kaspersky): the URL contains a random resource path and the bot transfers the request payload in a cookie (see image below). However, the encryption used to hide the data seems different from what has been observed in the past addition.
<p>It seems to be hard to tell your malware without a scorecard these days. Systems infected with Trickbot are incorporating a loader for the Emotet malware on infected devices. Emotet delivers both spam and other malware on those devices.</p>
<p>Emotet is one of the most popular forms of malware in the past, and clearly still has some staying power. While it is readily identifiable, the combination of Trickbot with Emotet is a combination that still has the ability to infect systems that aren’t well protected. Enterprises have to continue to be on the alert for malware that is delivered by known bad actors in order to combat its effects.</p>
<p>This new Emotet malware reveals that its botnet is being rebuilt from scratch, using TrickBot\’s existing infrastructure. Compared with its previous variants, it now contains 3 or 4 more commands that correspond to execution options for downloaded binaries. <u></u><u></u> <u></u><u></u></p>
<p>It\’s not clear if this new version is developed by the same threat actors as before, or if it\’s the work of another gang with access to the source code. Takedowns like these against Emotet, TrickBot, and Ransomware operations are effective, but it\’s very hard to arrest or retire all the involved members. Their remaining threat actors usually rebrand themselves and/or re-use their infrastructures and malware source codes to continue to pursue their objectives. Also, the malware binaries and source codes are still in the wild, so it\’s very common for other cybercrime groups to compile their own version adapted to their purposes. <u></u><u></u> <u></u><u></u></p>
<p>As with any botnet, it can spread very fast in generic e-mail or phishing campaigns, but to infect as many targets as the original Emotet is very hard, so even if the same threat actors are behind it, it\’s going to take time for them to get near the number of targets they had before. Besides, Emotet is a known threat, and most of its techniques and capabilities are already studied. Maintaining a botnet is easier than expanding it, as security solutions evolve and get better at detecting the infections. <u></u><u></u> <u></u><u></u></p>
<p>IT managers and cybersecurity teams need to manage this new Emotet version as any other malware threat, deploying reasonable security measures and training employees against social engineering attacks like e-mails and phishing. <br /> <br />It\’s important to notice that those new capabilities show the actors are focusing on executing other malware along with Emotet. Botnets like Trickbot are often used to spread and move laterally into a network, and even deploy Ransomware. <u></u><u></u> <u></u><u></u></p>
<p>Adopting a ZeroTrust model is important for any organization that wants to be protected against Emotet or any other botnet/ransomware threat. By assuming all connections can be compromised and segmenting your network, you can limit the affected systems and the threat actions to a single perimeter and increase the chance of detecting malicious behaviors inside your network.</p>
<p>It\’s not particularly surprising to see Emotet reappear as efforts to take down attacker groups, platforms, fora, or tools are always going to be something of a game of Whac-a-mole – you take one down and another appears, or in this case, the first one reappears. That doesn\’t mean it isn\’t worth doing though. Law enforcement and security researchers understand this won\’t irradicate cybercrime, but it does make business more expensive and difficult for attackers, which in turn makes this kind of occupation slightly less appealing. Any way we can increase the friction and cost for the attackers is a good thing. Not having the Emotest platform has obviously been disruptive enough for the attackers to decide to invest time and effort into rebuilding it. I call that a win for defenders in an ongoing conflict where too often the odds are stacked against them.</p>
<p>From the information available, it seems that even though they are still in the early stages of rebuilding their network, Emotet is already sending out spam. This seems to indicate that we can expect to see Emotet\’s controllers resuming operations very much as they did before the takedown in January. Since then though, we have seen law enforcement and the private sector work more closely together on other unified actions to deter and disrupt attacker groups. They will be watching this development closely and I suspect they will already be considering potential actions to stop Emotet returning to the supremacy it once enjoyed. </p>
<p>In the meantime, it\’s business as usual for security professionals. The name Emotet may strike fear in their hearts, but the reality is they are under attack every day and all the same measures needed to defend against those attacks are the same for Emotet. Timely patching, effective identity and access management strategies, network segmentation, regular offline backups, email filtering, and user awareness are all core components of a defense-in-depth and business resilience strategy.</p>
<p>Emotet\’s re-emergence is a notable event due to the prevalence of this malware family historically. There are indications that Emotet was initially being deployed by TrickBot and has since started sending out phishing emails as well. The emails seem to contain malicious Word, Excel and Zip files that deploy Emotet on the victim host. </p>
<p>The questions IT teams need to be asking have not changed, but the level of risk due to the frequency of threats may see an uptick as this malware family builds up its operations once again. We live in a world where the threat will remain ever present, this event does not change that, but it does highlight the need for continued vigilance and investment in building resilience to cyber threats for all organizations.</p>
<p>Device attacks are the most common way into an enterprise. By compromising an end user’s device, mobile or desktop, it provides a means for the hackers to inject payloads that can continue the cyber key chain. From there the hackers can enumerate the environment, escalate their privileges and conduct lateral movement across the enterprise in their effort the find and exploit valuable enterprise resources.</p>
<p>To combat these efforts – enterprises must, of course, deploy all latest patches on these systems exposed to the attackers. But given the quantify of zero-day attacks, enterprises must assume the attackers will pass the exterior and begin their attacks past the \"front gates\". This is where zero trust comes in. Enterprises must ensure that each node of the enterprise is evaluating the identity and trust of the requesting resource. Identities must be evaluated for privilege and changes in privileges to ensure security of the enterprise.</p>