The Emotet botnet has made a comeback and has infected 130,000 devices in 179 countries

The once-infamous Emotet botnet, which went quiet after being hit hard by a global law enforcement operation in early 2021, is now making a comeback and gaining momentum. According to sources such as Securityaffairs, Emotet has grown rapidly since its return in November last year, infecting about 130,000 hosts in 179 countries.

First discovered in 2014, Emotet initially spread as a banking Trojan, but as it evolved it came to deliver more and more malicious programs such as TrickBot and QBot, as well as the ransomware families Conti, ProLock, Ryuk, and Egregor, forming a vast botnet. In November 2021, researchers from several cybersecurity companies (Cryptolaemus, GData, and Advanced Intel) reported that attackers were using TrickBot malware to drop Emotet loaders on compromised devices, and experts tracked activity aimed at rebuilding the Emotet botnet on top of TrickBot's infrastructure.

The researchers note that the new Emotet has some new features:

Beyond its existing measures for evading detection and analysis, it now encrypts its network traffic and moves process-list collection into a separate module of its own;

An elliptic-curve cryptography (ECC) scheme replaces RSA for protecting and verifying network traffic;

The new version deploys the process-list module only after a connection to the C2 server has been established;

Additional information collection has been added for more thorough system profiling, whereas previously Emotet only sent back a list of running processes.

As with the previous version, most of Emotet's C2 infrastructure is located in the United States and Germany, followed by France, Brazil, Thailand, Singapore, Indonesia, Canada, the United Kingdom, and India. The bots (infected hosts), by contrast, are concentrated in Japan, India, Indonesia, Thailand, South Africa, Mexico, the United States, China, Brazil, and Italy. Analysts attribute the ranking of the top countries to the large number of outdated and vulnerable Windows devices in those regions.

Earlier last year, law enforcement agencies from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine carried out a coordinated operation to disrupt Emotet's infrastructure. In hindsight, that takedown was incomplete, and Emotet resurfaced after more than half a year of silence.