Threat Signal Report

Resurrection of Emotet Botnet Observed

description-logo Description

FortiGuard Labs is aware of reports that the Emotet botnet is making a comeback. Researchers @Cryptolaemus, GData and Advanced Intel have discovered the botnet is back in business by way of the TrickBot botnet. Preliminary reports have surfaced that the TrickBot threat actors were observed dropping a DLL file that was identified as Emotet to its botnets over the weekend.

Approximately ten months ago, law enforcement officials at Europol dismantled the Emotet botnets' command and control infrastructure. Additionally, in April of 2021, law enforcement officials in the Netherlands installed software that would clean up computers that were infected with Emotet on a predetermined date, therefore effectively bringing the botnet to a halt.

According to Luca Ebach, a researcher at GData, it appears that the threat actors behind TrickBot are distributing Emotet in what appears to be an attempt to get the botnet back into action again. This relationship is not new; as FortiGuard Labs covered it here in 2020 taking advantage of the pandemic , and back in 2019 in our Emotet Playbook.

What is Emotet in a Nutshell?

Emotet is classified as a Trojan downloader. Originally a banking Trojan and first discovered in 2014, it has evolved into a modular hybrid Trojan downloader. Emotet is usually sent via spearphishing emails, often attaching a specially crafted Microsoft Office document containing malicious macros. These macros then call a command and control server to download the Emotet payload. It has been noted that Emotet has a symbiotic relationship with TrickBot, and has been observed in the past dropping TrickBot to install ransomware as well.

Emotet is capable of spoofing email threads of trusted senders and hijacking conversations to ingrain itself to unsuspecting victims. This allows it to further propagate to other machines and networks and at the same time, ensure its survival. Other observations are around DLL files that could be injected into various processes to intercept outbound network traffic as well as gathering details within a web browser.

What Malware Family is Emotet Related To?

Emotet is part of a group that includes - and is loosely related to - the Bugat/Feodo/Geodo/Heodo/Cridex/Dridex malware banking families that have had their fair share of publicity over the past several years due to their widespread and destructive campaigns. Emotet has also been seen distributing AZORult, IcedID, ZeuS Panda, and TrickBot malware. Because of this, Emotet gained the attention of the AV industry, law enforcement, and researchers alike for its ability to simultaneously include multiple malware families in its distribution syndicate.

Who are Behind these Groups?

For a malware campaign to be successful over the long term, malware authors have to update their codebase and attack vectors on a regular basis to thwart detection and remediation. This is akin to a full time job, and although we don't have any evidence to the inner workings of these groups, it is evident that these syndicates treat it like a highly successful business with a team of dedicated developers and project leaders - with the only difference being that it is an illegal criminal enterprise.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against this latest version of Emotet as:


All network IOC's are blocked by the WebFiltering client.

Any Other Suggested Mitigation?

As it has been observed that TrickBot actors are now redistributing Emotet via its own botnet, it is imperative to be running up to date AV and IPS signatures.

It is also important to ensure that all known vendor vulnerabilities are addressed, and updated to protect from attackers having a foothold within a network. Attackers are well aware of the difficulty of patching and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk.

Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spear phishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spear phishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.


Traffic Light Protocol

Color When Should it Be used? How may it be shared?


Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.


Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.


Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.


Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.