In recent years the Emotet botnet was one of the most widely distributed malware families, spread through spam campaigns that carried malicious file attachments. Once on a device, Emotet was also used to install further payloads such as TrickBot and Qbot, which in turn provided access for threat actors deploying ransomware such as Conti, ProLock, Egregor and Ryuk.
Earlier this year, a law enforcement action coordinated by Europol and Eurojust took over the botnet's infrastructure and two individuals were arrested, temporarily halting its operations. The group behind Emotet now appears to want a comeback: researchers have recently observed TrickBot installing an Emotet loader on devices it had already compromised.
Even though Emotet's own infrastructure is not operating yet, its presence is already being felt: a group of threat actors is reviving the botnet through the still-active TrickBot infrastructure, in a campaign researchers have dubbed "Operation Reacharound".
However, experts said they had not yet seen the botnet conducting any spam campaign, nor identified any malicious documents dropping the Emotet malware.
The researchers added that the absence of spam campaigns indicates the operators are still in the rebuilding phase. The Emotet infrastructure is being rebuilt from scratch, and reply-chain emails newly stolen from victims will be used to seed future spam campaigns.
Researchers analysing the rebuilt loader also stated that it contains new features and upgrades compared with earlier variants.
How do people defend against the newly upgraded Emotet botnet?
A non-profit malware-tracking organisation has published a list of command-and-control servers used by the new Emotet botnet and strongly urges network administrators to block the associated IP addresses. The rebuilt botnet is growing quickly: researchers observed that roughly 250 infected devices are already acting as command-and-control servers.
Administrators should block the listed IP addresses now, at the network perimeter, so that devices on their networks cannot be enrolled into the rebuilt botnet. Because the set of command-and-control servers keeps changing as the botnet grows, the list has to be refreshed regularly rather than applied once. Blocking also only stops future beaconing; it does not clean hosts that already connected, so outbound connection logs should be checked for earlier contact with the listed addresses.
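The following is an added example, not code from the article or from the organisation that publishes the list. It shows the two steps a defender would take with such a list: scan outbound firewall logs for hosts that have already talked to a listed C2 address, and render an egress block rule set from the list. The CSV feed format, the syslog-style log format, the `inet filter` table/`output` chain names and all IP addresses (RFC 5737 documentation ranges) are constructed for the demo and are assumptions; adapt the two parsers to the feed and log source you actually use.

```python
"""Check outbound connection logs against an Emotet C2 list and emit block rules.

Added example, not from the original article. Feed and log formats below are
constructed assumptions; the IPs are documentation ranges, not real C2 data.
"""
import csv
import ipaddress
import re
from collections import defaultdict

# Constructed blocklist in a simple "ip,port,first_seen" CSV (format assumed).
C2_LIST_CSV = """# constructed sample, not real Emotet C2 data
ip,port,first_seen
192.0.2.10,443,2021-11-15
192.0.2.10,8080,2021-11-15
198.51.100.7,7080,2021-11-16
203.0.113.42,443,2021-11-16
not-an-ip,443,2021-11-16
"""

# Constructed syslog-style egress log lines (format assumed).
FIREWALL_LOG = """\
Nov 16 09:12:01 fw1 kernel: OUT src=10.0.0.15 dst=192.0.2.10 proto=TCP dpt=443
Nov 16 09:12:05 fw1 kernel: OUT src=10.0.0.22 dst=93.184.216.34 proto=TCP dpt=443
Nov 16 09:13:40 fw1 kernel: OUT src=10.0.0.15 dst=198.51.100.7 proto=TCP dpt=7080
Nov 16 09:14:02 fw1 kernel: OUT src=10.0.0.31 dst=203.0.113.42 proto=TCP dpt=80
Nov 16 09:15:11 fw1 kernel: OUT src=10.0.0.15 dst=192.0.2.10 proto=TCP dpt=443
"""

LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dpt=(?P<dpt>\d+)"
)


def load_c2_list(csv_text):
    """Return {ip: set(ports)} from the feed, skipping comments and malformed rows."""
    c2 = defaultdict(set)
    rows = (ln for ln in csv_text.splitlines() if ln and not ln.startswith("#"))
    for row in csv.DictReader(rows):
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
            port = int(row["port"])
        except (ValueError, KeyError):
            continue  # never turn a garbled feed line into a firewall rule
        c2[ip].add(port)
    return dict(c2)


def find_c2_contacts(log_text, c2):
    """List (internal_host, c2_ip, dst_port, port_listed) for every log line whose
    destination is a listed C2 IP. Matching on IP alone is deliberate: the port in
    the feed can change, and any contact with a known C2 address deserves a look."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, dpt = m["dst"], int(m["dpt"])
        if dst in c2:
            hits.append((m["src"], dst, dpt, dpt in c2[dst]))
    return hits


def suspect_hosts(hits):
    """Internal hosts that contacted a listed C2, with contact counts, busiest first."""
    counts = defaultdict(int)
    for src, *_ in hits:
        counts[src] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def nft_rules(c2, set_name="emotet_c2"):
    """Render an nftables set plus a logging drop rule on egress for the listed IPs.
    Assumes a table 'inet filter' with an 'output' chain already exists."""
    elems = ", ".join(sorted(c2, key=ipaddress.ip_address))
    return (
        f"add set inet filter {set_name} {{ type ipv4_addr; }}\n"
        f"add element inet filter {set_name} {{ {elems} }}\n"
        f'add rule inet filter output ip daddr @{set_name} counter log prefix "{set_name} " drop\n'
    )


if __name__ == "__main__":
    c2 = load_c2_list(C2_LIST_CSV)
    for host, n in suspect_hosts(find_c2_contacts(FIREWALL_LOG, c2)):
        print(f"{host}: {n} contact(s) with listed C2 addresses")
    print(nft_rules(c2), end="")
```

Re-run `load_c2_list` against a fresh copy of the feed on a schedule and regenerate the rule set each time; the log scan is what tells you which internal hosts need incident response rather than just a blocked connection.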