Emotet, once the world's most dangerous malware, is back

The Emotet botnet has returned and is being installed onto Windows machines that are already infected with TrickBot, warn security researchers.

Why hackers are targeting web servers with malware and how to protect yours

Emotet, once described as "the world's most dangerous malware" before being taken down by a major international police operation, is apparently back – and being installed on Windows systems infected with TrickBot malware.

Emotet malware provided its controllers with a backdoor into compromised machines, which could be leased out to other groups, including ransomware gangs, to use for their own campaigns. Emotet also used infected systems to send automated phishing emails to increase the size of the botnet – before it was taken out in January this year.  

Dismantling the botnet was one of the most significant disruptions of cyber-criminal operations in recent years, as law enforcement agencies around the world – including Europol and the FBI – worked together to gain control of hundreds of Emotet servers that controlled millions of PCs infected with malware. A specially crafted killswitch update created by investigators effectively uninstalled botnet from infected computers in April

SEE: A winning strategy for cybersecurity (ZDNet special report)

But now researchers from a number of cybersecurity companies have warned that Emotet has returned. Another malware botnet, TrickBot – which became the go-to for many cyber criminals following the January takedown – is being used to install Emotet on infected Windows systems. 

"We observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification," Luca Ebach, security researcher at G Data, a German cybersecurity company, wrote in a blog post

"Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet," he added. 

Cybersecurity researchers from AdvIntel, Crypolaemus and others have also confirmed that this does look like the return of Emotet, which appears to be using a different encryption technique to the one that was previously seen. 

Currently, Emotet isn't attempting to redistribute itself, instead relying on TrickBot to spread new infections – but it does indicate that those behind Emotet are trying to get the botnet up and running again. 

"The relationship between this new variant and the old Emotet shows code overlap and technique overlap," James Shank, chief architect of community services and senior security evangelist at Team Cymru, a cybersecurity company that was among those that helped disrupt Emotet in January, told ZDNet in an email.  

"It will take some time to see how Emotet rebuilds, and whether it can become the 'world's most dangerous malware' again. You can be sure that those that helped to take it down the first time are keeping watch. It doesn't come as a surprise that Emotet resurfaced. In fact, more may wonder why it took so long," he added. 

SEE: This mysterious malware could threaten millions of routers and IoT devices

Cybersecurity researchers have provided a list of command and control servers network administrators can block to help prevent Emotet infections. 

In order to protect systems from falling victim to Emotet, Trickbot and other malware loaders, it's recommended that security patches are applied when they're released to prevent cyber criminals exploiting known vulnerabilities, and that users are made aware of the dangers of phishing emails. 

MORE ON CYBERSECURITY