Like Arnold Schwarzenegger's Terminator, the dreaded Emotet malware is back infecting computers worldwide and once again putting organizations at heightened risk of subsequent ransomware attacks.
Researchers from Check Point this week reported recently observing Emotet samples being dropped on systems that previously had been infected with banking-Trojan-turned-malware-downloader Trickbot. The new Emotet malware began surfacing on Nov. 15, or about 10 months after law enforcement authorities took its infrastructure down in a coordinated effort that spanned multiple countries.
Since Nov. 15, the volume of Emotet malware that Check Point has spotted has continued to grow daily and is now at least 50% of the volume before the January 2021 takedown. The malware is spreading both via Trickbot and via malicious spam messages that are being sent from infected systems to other computers worldwide. The spam emails attempt to get users to download a password-protected zip file containing malicious documents that, when opened, result in the computer getting infected with Emotet.
The malware's reemergence is troublesome for enterprises because of how extensively it was tied to ransomware attacks before the January takedown. Emotet is designed to harvest email addresses, steal credentials, distribute spam, enable lateral movement, download other malware — including Trickbot — and for other malicious activities.
The business model of its operators, before being forced offline in January, was to infect networks and to later sell access to that network to other threat actors — most notably ransomware operators, says Lotem Finkelstein, head of threat intelligence at Check Point.
"[Between] 2018 and 2020, Emotet facilitated the success of ransomware, and its return in late 2021 is a warning sign for 2022," Finkelstein says. "Emotet infection, or even an infection attempt, is the best early [indicator of] future ransomware infections," he says.
In the months the malware was dormant, the authors of Emotet have tweaked its features and made it more capable. One example is the new variant's use of elliptic curve cryptography (ECC) for encrypted communications, in place of the weaker RSA cryptography used in the previous version. Emotet's authors also have added a new tweak to the initial infection vector in the form of malicious Windows app installer packages that imitate legitimate software, Check Point said in its report.
Check Point is the latest security vendor to sound the alarm on Emotet's return. Last month, Deep Instinct reported on the reemergence of the malware and analyzed some of its updates, including new tricks for downloading on a system and for evasion.
This week, Intel 471 updated a blog post from last month explaining how the latest Emotet variant is different from its predecessor. The threat intelligence firm discovered that many parts of the new Emotet are identical to the malware in January, but some are different. For instance, the old version used an RSA key to encrypt the key used to encrypt all malware traffic. The new version uses ECC.
In addition, Emotet's authors have made some changes to the communication protocol, introduced a new process checking module, and made some tweaks to its obfuscation mechanisms, Intel 471 said. Significantly, the company discovered the new Emotet is being distributed via two distinct botnets currently being tracked as Epoch4 and Epoch5.
Meanwhile, Cryptolaemus, an independent group of security researchers that has been tracking the Emotet threat, said it had observed the malware now being used to drop post-exploitation Cobalt Strike Beacons on infected systems.
Same Threat Actor Likely Behind New Variant
Finkelstein says there's nothing to suggest a new player is behind the latest variant. "We believe it is the same actor; at least, some of the criminal minds behind the old Emotet are also involved with the new Emotet," he notes. "Whoever is responsible for the revamped Emotet knows much about the faults of the old version, and acts to improve it."
In resurfacing, Emotet has become the latest example of the resilience that some cyber operators have shown against even the most concerted takedown efforts. At the time of its takedown in January, the Emotet botnet was made up of some 1.6 million systems that were being used for a variety of malicious purposes, including malware and spam distribution and data harvesting. Some 45,000 of the infected hosts were in the US. The command-and-control infrastructure for managing the botnet included hundreds of servers scattered around the world.
As part of the takedown operation, law enforcement agencies from the US, Canada, the UK, the Netherlands, France, and other countries took control of Emotet servers in their respective jurisdictions. They then installed software that neutralized the malware operators' ability to control infected systems. In some cases, law enforcement deployed software to remove Emotet from infected systems.
The fact that the malware is back speaks to the globalized nature of the Emotet operation, which US authorities have estimated has already caused several hundreds of millions of dollars in damages.
"Because they are a distributed global organization, it requires perfect [synchronization]" to shut the operation down completely, Finkelstein says. Also, the need to apprehend the masterminds behind the operation is key, he says.
Emotet's reappearance is also a testament to the success of the collaboration its operators have with the actors behind Trickbot — a highly modular malware family that started off in 2016 as a banking Trojan but is now widely used to distribute malware. Law enforcement authorities attempted to disrupt the Trickbot operation in a major initiative in October 2020, but it continues to operate like before. Trickbot was the most prevalent malware in May, June, and October this year, and the malware has infected over 140,000 systems worldwide in the last 11 months, Check Point found.
As with Emotet's operators, the threat actor behind Trickbot, too, has been associated with various ransomware campaigns, including Ryuk and Conti. In 2020, Trickbot, along with Emotet, was used to deliver Ryuk ransomware in a campaign that caused massive damage.
"Emotet and Trickbot have always been working together," Finkelstein says. "They opened the door to each other, and basically made a business out of their collaboration." So, he adds, it's no surprise that Trickbot has facilitated an Emotet revival.