Back in January 2021, cyber pros rejoiced as a global sting operation by law enforcement agencies dismantled the Emotet botnet for good.
The takedown was celebrated as an example of the power of collaboration in the face of global security threats and had an immediate impact on the cyber criminal underground.
But in the past few days, alarming signs have emerged that Emotet is back in operation, prompting fears of a renewed campaign of malicious activity. So, what has happened? And how concerned should defenders be?
Emotet started out as a relatively run-of-the-mill banking trojan back in 2014, but over the intervening years was developed and refined by its creators into a highly sophisticated botnet used as a delivery mechanism – a loader in cyber parlance – for other nasties such as malware and ransomware.
By late 2020, Emotet had come to form a key part of the cyber crime-as-a-service economy, leased to malicious actors as a means of accessing targets to steal and ransom data.
The Ryuk ransomware crew was one of Emotet’s more reliable customers, among many others, and more on this link later.
At the peak of its activity, Emotet was a highly effective and dangerous threat, with its operators considered masters of social engineering techniques such as bespoke spear phishing emails – used to encourage targets to infect themselves.
Not so fast
Its January takedown was therefore rightly celebrated, but even at the time, many security experts tempered their enthusiasm and said it was likely Emotet would eventually reemerge in some form.
Among them were Mandiant’s Kimberly Goody, who said at the time it was likely that some of Emotet’s partner operations, such as Trickbot, Qakbot and Silentnight, could be leveraged to rebuild the botnet.
Something of this nature does indeed now seem to have happened. Initial signs that Emotet was resurfacing began to appear on the evening of 14 November, when security analysts at GData stumbled upon evidence from their Trickbot trackers that the bot was trying to download a dynamic link library (DLL) to the system. Subsequent analysis revealed the DLLs to be Emotet, and by the next morning, as others confirmed the link, the news was spreading fast.
According to conversations between Lawrence Abrams of Bleeping Computer, who was one of the first to report Emotet’s emergence, and security researchers, the botnet’s operators appear to have been rebuilding it using infrastructure belonging to Trickbot – as theorised by Goody at Mandiant – and it likely heralds a surge of activity, particularly among ransomware operators, many of whom have found themselves on the back foot of late.
The Mummy and the Wizard
Crowdstrike’s senior vice-president of intelligence, Adam Meyers, said the botnet’s re-emergence, which he credited to the strong prior relationship between Emotet and Trickbot’s operators (which Crowdstrike tracks as Mummy Spider and Wizard Spider respectively) was a sign of “how resilient the e-crime milieu has become”.
Meyers suggested it was possible that Wizard Spider may in fact have taken over Emotet for itself in some form. Note, incidentally, that Wizard Spider also counts the Ryuk and Conti ransomwares in its arsenal.
Radware threat intelligence director Pascal Geenens said it was likely that Emotet was working with Trickbot to gain a large foothold quickly, to a point where it can resume self-sustaining growth, and suggested it was only a matter of time before this happened.
“Given the number of successful extortion campaigns and enormous payouts involving ransomware in recent history, there should be plenty of demand for malware-as-a-service platforms by ransomware operators,” said Geenens.
“The timing is as good as any to get back in business for the actors that were able to sustain one of the largest and most prolific malware platforms in cyber crime history.”
Digital Shadows’ Stefano De Blasi said it was likely Emotet would be taken up with enthusiasm. “Many cyber criminal groups may return to Emotet as a tried and tested approach, although these changes will likely be reflected over several months,” he said.
“It will undoubtedly take some time to rebuild Emotet’s infrastructure, however, its massive reputation in the cyber criminal community makes it a predictable choice for many threat actors looking to expand their operations.”
What next?
Emotet may be back, but at the time of writing its impact appears to still be somewhat limited – although there are already indicators that it is being used in spam campaigns.
“To protect themselves, it is really down to organisations ensuring they identify compromised hosts quickly and remediate,” said Crowdstrike’s Meyers.
“Based on our research on breakout time – i.e. the time it takes for an adversary to move laterally within a victim environment – security teams should detect threats on average in one minute, understand them in 10 minutes and contain them in 60 minutes to be effective at stopping breaches.”
For now, said Jen Ellis, vice-president of community and public affairs at Rapid7, there is little out of the ordinary that defenders need to actually do.
“From the information available, it seems that even though they are still in the early stages of rebuilding their network, Emotet is already sending out spam,” she said. “This seems to indicate that we can expect to see Emotet’s controllers resuming operations very much as they did before the takedown in January.
“Since then though, we have seen law enforcement and the private sector work more closely together on other unified actions to deter and disrupt attacker groups. They will be watching this development closely and I suspect they will already be considering potential actions to stop Emotet returning to the supremacy it once enjoyed.
“In the meantime, it’s business as usual for security professionals,” said Ellis. “The name Emotet may strike fear in their hearts, but the reality is they are under attack every day and all the same measures needed to defend against those attacks are the same for Emotet. Timely patching, effective identity and access management strategies, network segmentation, regular offline backups, email filtering, and user awareness are all core components of a defence-in-depth and business resilience strategy.”
Appgate researcher Felipe Duarte Domingues had similar advice for defenders. “IT managers and cyber security teams need to manage this new Emotet version as any other malware threat, deploying reasonable security measures and training employees against social engineering attacks like e-mails and phishing,” he said.
“It’s important to notice that those new capabilities show the actors are focusing on executing other malware along with Emotet. Botnets like Trickbot are often used to spread and move laterally into a network, and even deploy ransomware.
“Adopting a zero-trust model is important for any organisation that wants to be protected against Emotet or any other botnet [or] ransomware threat. By assuming all connections can be compromised and segmenting your network, you can limit the affected systems and the threat actions to a single perimeter, and increase the chance of detecting malicious behaviours inside your network.”
Rapid response
On the upside, Doug Britton, CEO of Haystack Solutions, a US-based security services firm, said it may be a positive sign that Emotet was spotted and identified so quickly.
“Emotet is a pervasive piece of malware and indicative of the recycling and evolution in malware delivery techniques,” he said. “It is very interesting to see this in an early inning in the restructuring and rebuilding of Emotet and its bot-spamming infrastructure.
“It is promising to hear that researchers have proactively identified this. Cyber professionals are critical in the fight against the persistent threat of evolving malware. As we can see, bad actors are developing the pipes to deliver malware on a massive scale.”