Emotet malware is back, and potentially nastier than ever

News
By published

Brace for impact, warn researchers

Botnet
(Image credit: Shutterstock / BeeBright)

Cybersecurity professionals have once again begun to see threat actors drop malware in a bid to revive the infamous Emotet botnet.

In January this year, law enforcement agencies in Europe and North America joined forces as part of a coordinated effort to disrupt and take down the Emotet botnet.

However, multiple security vendors and experts, including Cryptolaemus, GData, and Advanced Intel have detected activity that points to Emotet’s imminent return.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

“On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet….Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet,” asserts GData.

Back from the dead?

The Emotet malware had evolved into the go-to solution for cybercriminals who used its infrastructure to gain access to targeted systems on a global scale. Its operators then sold this access to other cybercrime groups for deploying ransomware including Ryuk, Conti, ProLock, Egregor, and several others.

Reporting on the development, BleepingComputer notes that in an apparent change of tactics, the threat actors behind Emotet’s revival are now using a method dubbed “Operation Reacharound” to rebuild the Emotet botnet using TrickBot's existing infrastructure.

Emotet research group Cryptolaemus has begun analyzing the new Emotet loader, and has detected changes compared to the past. 

"So far we can definitely confirm that the command buffer has changed. There's now 7 commands instead of 3-4. Seems to be various execution options for downloaded binaries (since its not just dlls)," noted Cryptolaemus researchers.

Researchers also added that although they had not seen any signs of the Emotet botnet performing spamming activity or found any malicious documents dropping the malware, it’s only a matter of time.

"It is an early sign of the possible impending Emotet malware activity fueling major ransomware operations globally given the shortage of the commodity loader ecosystem," Advanced Intel's Vitali Kremez told BleepingComputer.

It's time to batten down the hatches with the help of these best firewall apps and services, and ensure your computers are protected with these best endpoint protection tools.

TOPICS
Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
A digital representation of a lock
Exploits on the rise: How defenders can combat sophisticated threat actors
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
TP-Link and NR routers targeted by worrying new botnet
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Dangerous new botnet targets webcams, routers across the world
An image of network security icons for a network encircling a digital blue earth.
Why effective cybersecurity is a team effort
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Industrial routers are being hit by zero-days from new Mirai botnets
Latest in Security
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
Latest in News
girl using laptop hoping for good luck with her fingers crossed
Windows 11 24H2 seems to be a massive fail – so Microsoft apparently working on 25H2 fills me with hope... and fear
ChatGPT Advanced Voice mode on a smartphone.
Talking to ChatGPT just got better, and you don’t need to pay to access the new functionality
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
Apple Watch Ultra 2 timer
The Apple Watch is getting a sleep alarm upgrade it probably should have had 10 years ago
Nikon Z5
The Nikon Z5 II could land soon – here's what to expect from Nikon's rumored entry-level full-frame camera
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
More about security
An abstract image of a lock against a digital background, denoting cybersecurity.

Critical security flaw in Next.js could spell big trouble for JavaScript users
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol

Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
Collage of tech on offer in the Amazon Big Spring Sale, including a Fire TV, Samsung laptop, Sony headphones, Echo Dot, Kindle, DJI Osmo and Ninja air fryer

The Amazon Spring Sale is here and I've picked the 22 best deals actually worth buying
See more latest
Most Popular
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
girl using laptop hoping for good luck with her fingers crossed
Windows 11 24H2 seems to be a massive fail – so Microsoft apparently working on 25H2 fills me with hope... and fear
ChatGPT Advanced Voice mode on a smartphone.
Talking to ChatGPT just got better, and you don’t need to pay to access the new functionality
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple H3C Magic routers hit by critical severity remote command injection, with no fix in sight
Teenager playing on a gaming PC with two monitors
Samsung's OLED monitors are about to get much cheaper - and it's about time
Apple Watch Ultra 2 timer
The Apple Watch is getting a sleep alarm upgrade it probably should have had 10 years ago
Nikon Z5
The Nikon Z5 II could land soon – here's what to expect from Nikon's rumored entry-level full-frame camera
Google Pixel Watch 3
Google Pixel Watches hit with delayed notifications, crashing, and performance issues following Wear OS 5.1 update
Frank Castle pinning Matt Murdock against a locker in Daredevil: Born Again episode 4
What time is Daredevil: Born Again episode 5 going to be released on Disney+?
AMD Ryzen 9950X
I analyzed 25 AMD Zen 4 and Zen 5 CPUs and the Ryzen 9 9900X is the best of them all right now: Here’s why