Researchers from GData, Cryptolaemus, and Advanced Intel have reported seeing the TrickBot malware download DLLs identified as Emotet onto infected devices. In January of this year an international effort involving eight countries dismantled the Emotet infrastructure and arrested two individuals, but the malware is now back and spreading. Excerpts from the GData blog:
- On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification. … we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet.
- Sunday, November 14, 9:26pm: … Internal processing detected Emotet when executing the sample in our sandbox systems. Notably, the sample seems to have been compiled just before the deployment via several Trickbot botnets was observed.
- The network traffic originating from the sample closely resembles what has been observed previously (e.g. as described by Kaspersky): the URL contains a random resource path and the bot transfers the request payload in a cookie (see image below). However, the encryption used to hide the data seems different from what has been observed in the past.
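Because GData notes that the payload encryption has changed, matching on decrypted content is not an option for defenders right now; what remains is the shape of the beacon itself (a random-looking resource path plus a request payload carried in the Cookie header). The following heuristic scanner is an added example written for this page, not GData's tooling; the proxy-style log format, the sample log lines and the entropy and length thresholds are all constructed assumptions.

```python
"""Shape-based heuristic for the beacon pattern described above: a random
resource path combined with a long, high-entropy value in the Cookie header.
Added illustration; log format, sample lines and thresholds are assumptions."""
import math
import re
from urllib.parse import urlsplit

# Constructed proxy-style log lines: METHOD URL COOKIE ("-" when no Cookie header).
# These are not real captures; hosts use documentation address ranges.
SAMPLE_LOG = """\
POST http://203.0.113.10/DbMyXo/pkLsQzT/ nQx7=Qx7/mK2pLz9aWbTc4eRvYn+0GhJ1sUdF8iOoPlA3kEgNrXyZ5tBqMwCuI6HjVfDS
GET http://www.example.com/images/logo.png -
POST http://198.51.100.7:8080/AbCdE/qZxWv/ session=abc; user=bob
GET http://cdn.example.com/static/app.js lang=en
"""

MIN_COOKIE_LEN = 32       # assumed: a smuggled payload is far longer than a session id
MIN_COOKIE_ENTROPY = 4.5  # assumed: bits/char typical of encrypted or encoded bytes
SEGMENT_RE = re.compile(r"[A-Za-z0-9]{4,}")  # extension-less alphanumeric segment


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def random_looking_path(path: str) -> bool:
    """True when the path has at least one segment and every segment is an
    extension-less, mixed-case alphanumeric token, i.e. looks generated."""
    segments = [seg for seg in path.split("/") if seg]
    if not segments:
        return False
    for seg in segments:
        if not SEGMENT_RE.fullmatch(seg):
            return False
        if not (re.search(r"[a-z]", seg) and re.search(r"[A-Z]", seg)):
            return False
    return True


def payload_in_cookie(cookie: str) -> bool:
    """True when any cookie value is long enough and random enough to be a
    data blob rather than an ordinary session or preference cookie."""
    if cookie == "-":
        return False
    for part in cookie.split(";"):
        _name, _, value = part.strip().partition("=")
        if len(value) >= MIN_COOKIE_LEN and shannon_entropy(value) >= MIN_COOKIE_ENTROPY:
            return True
    return False


def score_request(line: str) -> dict:
    """Classify one log line; both indicators must fire to call it suspicious,
    which keeps CDNs with hashed paths and sites with large cookies apart."""
    method, url, cookie = line.split(maxsplit=2)
    reasons = []
    if random_looking_path(urlsplit(url).path):
        reasons.append("random_path")
    if payload_in_cookie(cookie):
        reasons.append("payload_in_cookie")
    if method == "POST":
        reasons.append("post")
    suspicious = "random_path" in reasons and "payload_in_cookie" in reasons
    return {"url": url, "reasons": reasons, "suspicious": suspicious}


def scan_log(text: str) -> list:
    """Score every non-empty line of a log and return the results in order."""
    return [score_request(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for result in scan_log(SAMPLE_LOG):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['url']}  {result['reasons']}")
```

Either indicator on its own is noisy: hashed asset paths on CDNs trip the path check and some analytics cookies are long, so the scanner only alerts when both fire on the same request. Treat a hit as a lead for sandboxing the originating host, not as a verdict, and tune the thresholds against your own proxy baseline.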