banner
Nov 16, 2021
18 Views
0 0

Emotet malware is back and rebuilding its botnet via TrickBot

Written by
banner

New Microsoft emergency updates fix Windows Server auth issues
7 million Robinhood user email addresses for sale on hacker forum
FBI system hacked to email ‘urgent’ warning about fake cyberattacks
High severity BIOS flaws affect numerous Intel processors
Windows 10 21H2 is released, here are the new features
Google Chrome 96 breaks Twitter, Discord, video rendering and more
Microsoft warns of the evolution of six Iranian hacking groups
WordPress sites are being hacked in fake ransomware attacks
Qualys BrowserCheck
STOPDecrypter
AuroraDecrypter
FilesLockerDecrypter
AdwCleaner
ComboFix
RKill
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Toksearches.xyz Search Redirect
Remove the Smashapps.net Search Redirect
Remove the Smashappsearch.com Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
eLearning
IT Certification Courses
Gear + Gadgets
Security
Emotet
The Emotet malware was considered the most widely spread malware in the past, using spam campaigns and malicious attachments to distribute the malware.
Emotet would then use infected devices to perform other spam campaigns and install other payloads, such as the QakBot (Qbot) and Trickbot malware. These payloads would then be used to provide initial access to threat actors to deploy ransomware, including Ryuk, Conti, ProLock, Egregor, and many others.
At the beginning of the year, an international law enforcement action coordinated by Europol and Eurojust took over the Emotet infrastructure and arrested two individuals.
German law enforcement used the infrastructure to deliver an Emotet module that uninstalled the malware from infected devices on April 25th, 2021.
Today, Emotet research group Cryptolaemus, GData, and Advanced Intel have begun to see the TrickBot malware dropping a loader for Emotet on infected devices.
This is our 3rd anniversary of Cryptolaemus1. Thanks for all the follows and sharing of intel these past 3 years! To celebrate, Ivan has released a new version of Emotet because he feels left out and wants to be part of the party. More details coming soon. As always watch URLHaus pic.twitter.com/Qwvel32ibB
While in the past Emotet installed TrickBot, the threat actors are now using a method that the Cryptolaemus group calls “Operation Reacharound,” which rebuilds the botnet using TrickBot’s existing infrastructure
Emotet expert and Cryptolaemus researcher Joseph Roosen told BleepingComputer that they had not seen any signs of the Emotet botnet performing spamming activity or found any malicious documents dropping the malware.
This lack of spamming activity is likely due to the rebuilding of the Emotet infrastructure from scratch and new reply-chain emails being stolen from victims in future spam campaigns.
Cryptolaemus has begun analyzing the new Emotet loader and told BleepingComputer that it includes new changes compared to the previous variants.
“So far we can definitely confirm that the command buffer has changed. There’s now 7 commands instead of 3-4. Seems to be various execution options for downloaded binaries (since its not just dlls),” Cryptolaemus researchers told BleepingComputer.
Advanced Intel’s Vitali Kremez has also analyzed the new Emotet dropper and warned that the rebirth of the malware botnet would likely lead to a surge in ransomware infections.

“It is an early sign of the possible impending Emotet malware activity fueling major ransomware operations globally given the shortage of the commodity loader ecosystem,” Kremez told BleepingComputer in a conversation.
“It also tells us that the Emotet takedown did not prevent the adversaries from obtainging the malware builder and setting up the backend system bringing it back to life.”
Samples of the Emotet loader dropped by TrickBot can be found at Urlhaus.
Kremez told BleepingComputer that the current Emotet loader DLL has a compilation timestamp of “6191769A (Sun Nov 14 20:50:34 2021).”
Malware tracking non-profit organization Abuse.ch has released a list of command and control servers utilized by the new Emotet botnet and strongly suggests network admins block the associated IP addresses.
Fresh, active Emotet botnet C2 servers are now being pushed to Feodo Tracker 

https://t.co/TvIJyqHYVs

We urge you to *BLOCK* these C2 servers and regularly update your block list to receive the maximum protection!

https://t.co/if21bBHTpo pic.twitter.com/sdySouHxxb
Unfortunately, the new Emotet infrastructure is growing rapidly, with over 246 infected devices already acting as command and control servers.
Network administrators are strongly advised to block all associated IP addresses to prevent their devices from being recruited into the newly reformed Emotet botnet.
Update 11/16/21: Updated to include source of Operation RA.
Flubot Android malware now spreads via fake security updates
Microsoft warns of surge in HTML smuggling phishing attacks
BotenaGo botnet targets millions of IoT devices with 33 exploits
TrickBot teams up with Shatak phishers for Conti ransomware attacks
Spammers use Squirrelwaffle malware to drop Cobalt Strike
Not a member yet? Register Now
New Microsoft emergency updates fix Windows Server auth issues
High severity BIOS flaws affect numerous Intel processors
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.

source

Article Categories:
Cybersecurity News
banner

Comments are closed.