
Emotet stages a comeback via Trickbot and spam
2021-11-17 10:39

In January 2021, law enforcement and judicial authorities worldwide coordinated a global takedown of the Emotet botnet. In April 2021 they followed up with a coordinated, widespread uninstall of the malware from infected machines, triggered by a module they had pushed to the bots in January, effectively crippling the botnet.

According to the researchers, whoever is trying to bring the Emotet botnet back online started by using the Trickbot botnet to drop Emotet onto machines Trickbot already controls, and has since added the tried and tested method of sending spam carrying malicious attachments and links.

The Emotet botmasters are counting on users being tricked into enabling macros in the attached documents so that the malware can be delivered.

Luca Ebach, a malware researcher with G DATA, says that the new Emotet variants use a different encryption scheme to hide their data.

"It's important to notice that those new capabilities show the actors are focusing on executing other malware along with Emotet. Botnets like Trickbot are often used to spread and move laterally into a network, and even deploy ransomware. Adopting a Zero Trust model is important for any organization that wants to be protected against Emotet or any other botnet/ransomware threat. By assuming all connections can be compromised and segmenting your network, you can limit the affected systems and the threat actions to a single perimeter and increase the chance of detecting malicious behaviors inside your network."

Westman says IT managers and cyber security teams need to review their old Emotet detections, grab and check the new IOCs/IOAs, and review and block the Emotet C2 addresses and domains published by abuse.ch.
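As an added illustration of that last step (this is example code written for this page, not code from the article, G DATA, Westman or abuse.ch), the script below ingests a C2 indicator feed, matches it against outbound connection logs, and renders block rules for the C2 endpoints that are still online. The feed excerpt and the log lines are constructed samples using RFC 5737 documentation addresses; the CSV column layout is assumed to follow the Feodo Tracker export shape (first_seen_utc, dst_ip, dst_port, c2_status, last_online, malware), and the key=value log format is invented for the example.

```python
"""Check constructed egress logs against a constructed Emotet/TrickBot C2 feed."""
from __future__ import annotations

import csv
import re
from dataclasses import dataclass

# Constructed sample in the assumed shape of a Feodo Tracker CSV export:
# comment lines, a header row, then one quoted record per C2 endpoint.
# The addresses are RFC 5737 documentation ranges, not real indicators.
SAMPLE_FEED = """\
# Botnet C2 IP blocklist (constructed sample, not a real export)
first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
"2021-11-15 09:12:03","203.0.113.10","8080","online","2021-11-17","Emotet"
"2021-11-14 22:41:55","198.51.100.7","443","online","2021-11-17","Emotet"
"2021-11-10 04:05:00","192.0.2.44","449","offline","2021-11-12","TrickBot"
"""

# Constructed firewall/proxy log lines in an invented key=value format.
SAMPLE_LOGS = [
    "2021-11-17T08:01:02Z src=10.0.0.5 dst=203.0.113.10 dport=8080 proto=tcp",
    "2021-11-17T08:01:03Z src=10.0.0.5 dst=192.0.2.1 dport=443 proto=tcp",      # benign
    "2021-11-17T08:02:10Z src=10.0.0.9 dst=192.0.2.44 dport=449 proto=tcp",     # TrickBot C2
    "garbage line that does not parse and must not abort the run",
    "2021-11-17T08:03:00Z src=10.0.0.9 dst=198.51.100.7 dport=80 proto=tcp",    # known IP, other port
]


@dataclass(frozen=True)
class Indicator:
    ip: str
    port: int
    family: str       # malware column, e.g. "Emotet" or "TrickBot"
    status: str       # c2_status column, "online" or "offline"
    last_online: str


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    family: str
    status: str


def parse_feed(text: str) -> dict[tuple[str, int], Indicator]:
    """Parse the feed into a lookup keyed by (dst_ip, dst_port).

    Comment lines, the header row and malformed rows are skipped so that one
    bad line in a downloaded feed does not abort the whole import.
    """
    rows = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    indicators: dict[tuple[str, int], Indicator] = {}
    for rec in csv.reader(rows):
        if len(rec) != 6 or rec[0] == "first_seen_utc":
            continue
        _first_seen, ip, port, status, last_online, family = rec
        ind = Indicator(ip, int(port), family, status.lower(), last_online)
        indicators[(ind.ip, ind.port)] = ind
    return indicators


# Invented log format: "<ts> src=<ip> dst=<ip> dport=<port> ..."
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def match_logs(indicators: dict[tuple[str, int], Indicator], lines: list[str]) -> list[Hit]:
    """Return one Hit per log line whose destination IP and port is a known C2."""
    hits: list[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, do not crash the sweep
        key = (m["dst"], int(m["dport"]))
        ind = indicators.get(key)
        if ind is not None:
            hits.append(Hit(m["ts"], m["src"], m["dst"], key[1], ind.family, ind.status))
    return hits


def block_rules(indicators: dict[tuple[str, int], Indicator],
                families: tuple[str, ...] = ("Emotet",),
                only_online: bool = True) -> list[str]:
    """Render iptables OUTPUT rules for the selected C2 endpoints, sorted for diffing."""
    rules: list[str] = []
    for ind in sorted(indicators.values(), key=lambda i: (i.ip, i.port)):
        if ind.family not in families or (only_online and ind.status != "online"):
            continue
        rules.append(f"iptables -A OUTPUT -d {ind.ip} -p tcp --dport {ind.port} -j DROP")
    return rules


if __name__ == "__main__":
    iocs = parse_feed(SAMPLE_FEED)
    for h in match_logs(iocs, SAMPLE_LOGS):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport} [{h.family}, C2 {h.status}]")
    print("\n".join(block_rules(iocs)))
```

Matching on the (IP, port) pair keeps the check exact: the final log line reaches a listed IP on an unlisted port and is deliberately not flagged, while the offline TrickBot endpoint is still reported as a hit because historical beacons to it are worth investigating even if the rule generator, by default, only blocks Emotet C2s that are currently online.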

News URL

https://www.helpnetsecurity.com/2021/11/17/emotet-is-back/