Emotet, today's most dangerous botnet, comes back to life

Emotet botnet resumes malspam operations after going silent for nearly four months.
Written by Catalin Cimpanu, Contributor

Emotet, one of today's largest and most dangerous malware botnets, has returned to life after a period of inactivity that lasted nearly four months, since the end of May this year.

During that time, the botnet's command and control (C&C) servers had been shut down, and Emotet stopped sending out commands to infected infected bots, and new email spam campaigns to infect new victims.

Some security researchers hoped that law enforcement had secretly found a way to shut down the prodigious botnet; however, it was not to be.

New spam campaigns

Emotet started spewing out new spam emails today, Raashid Bhat, a security researcher at SpamHaus, told ZDNet.

According to Bhat, the emails contained malicious file attachments or links to malware-laced downloads. The spam campaign that started spewing today from Emotet's infrastructure is primarily aimed at Polish and German-speaking users.

Users who receive these emails, and download and execute any of the malicious files are exposing themselves to getting infected with the Emotet malware.

Once infected, computers are added to the Emotet botnet. The Emotet malware on infected computers acts as a downloader for other threats.

Emotet is known to deliver modules that can extract passwords from local apps, spread laterally to other computers on the same network, and even steal entire email threads to later re-use in spam campaigns.

In addition, the Emotet gang is also known to run their botnet as a Malware-as-a-Service (MaaS), where other criminal gangs can rent access to Emotet-infected computers and drop their own malware strains alongside Emotet.

Some of Emotet's most well-known customers are the operators of the Bitpaymer and Ryuk ransomware strains, which have often rented access to Emotet-infected hosts to infect enterprise networks or local governments with their ransomware strains.

Emotet revival was expected

Today's Emotet revival was not a total surprise for security researchers. The Emotet C&C servers went down at the end of May, but they actually came back to life at the end of August.

Initially, they didn't start sending out spam right away. For the past few weeks, the C&C servers have been sitting idly, serving binaries for the Emotet "lateral movement" and "credentials stealing" modules, Bhat told ZDNet in an interview today.

Bhat believes the Emotet operators have spent the last few weeks re-establishing communications with previously infected bots that they abandoned at the end of May, and spreading across local networks to maximize the size of their botnet before moving on to their main operation -- sending out email spam.

This ramp-up period was predicted by several security researchers last month, when the Emotet crew turned on the lights on the C&C servers.

The fact that Emotet operations went dead for a few months is not really a "new thing." Malware botnets often go inactive for months for different reasons.

Some botnets go dark to upgrade infrastructure, while other botnets go down just because operators take vacations. For example, the Dridex botnet regularly goes down each year between mid-December and mid-January, for the winter holidays.

At the time of writing, it is unclear why Emotet has shut down over the summer. Nonetheless, the botnet came back in its previous state, continuing to operate using a dual infrastructure model, effectively running on two separate botnets.

TrickBot replaced Emotet as top botnet

But even if Emotet shut down operations for nearly four months, other botnets didn't take a break. While Emotet had been down, the operators of the TrickBot botnet have taken the title of the most active malware operation on the market.

Emotet and TrickBot share many similarities. Both were banking trojans that were re-coded to work as malware loaders -- malware that downloads other malware.

Both infect victims and then download other modules to steal credentials or move laterally across a network. Furthermore, they both sell access to infected hosts to other malware gangs, such as cryptocurrency mining operations and ransomware operators.

With TrickBot operations in full stride, Emotet coming back to life is bad news for system administrators in charge of protecting enterprise and government networks, both botnets' favorite targets.

Security researchers and system administrators looking for file hashes, server IP addresses, spam email subject lines, and other indicators of compromise (IOCs) can find this data freely shared on Twitter. Cryptolaemus, a group of security researchers tracking the Emotet botnet, are also expected to publish free threat intel data later today.

The world's most famous and dangerous APT (state-developed) malware

Editorial standards