The Emotet malware is being redistributed through computers already infected with the TrickBot malware. Several leading security researchers indicate that malicious parties want to use this to restore the Emotet botnet. Last spring, Europol and the German authorities took over the botnet and used its infrastructure to remove the malware from all infected computers.
Security researchers at Cryptolaemus, GData and Advanced Intel have recently noticed that criminals are using computers infected with TrickBot to redeploy the Emotet malware and restore the infamous botnet of the same name.
With this malware, all infected computers form a botnet: a group of computers that allows criminals to attack networks, send spam undetected or install even more complex malware. Botnets can consist of millions of computers, and the attack and spam campaigns that can be carried out with them have profound consequences for businesses, services and consumers.
Until recently, Emotet was one of the most widespread malware families in the world. In January 2021, the infrastructure behind the botnet was taken over during a global campaign by Interpol, Eurojust and the authorities of eight countries. Two people involved in the operation were arrested, and in April 2021 the German authorities used the network to roll out a module that removes the installed malware.
BleepingComputer spoke to several researchers, who report that the malware has been updated and the network is growing again. The ‘Command and Control Servers’ that control the botnet are back online, and the ‘Command Buffer’ has been expanded from three or four to seven commands.
This means that the botnet can now install and distribute more types of malware. The researchers warn that while the botnet isn’t fully up and running yet, the recovery is likely a harbinger of massive spam, malware and ransomware campaigns.
The anti-malware non-profit organization Abuse.ch tracks the growth of the botnet and provides administrators with a constantly updated list of IP addresses to add to their block lists. Blocking these addresses prevents an infected computer from receiving instructions from the criminals running the network after infection.