[MART] - Daily Diary #390 - Emotet Malware Is Back

CTAS-MAT ctas-mat at appgate.com
Mon Nov 15 22:03:29 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

11/15/2021 - Diary entry #390:

Emotet is a modular malware that evolved from a simple banking trojan to one of the most relevant botnets in the wild. Covered in our Daily Diaries #194 and #195, the Emotet botnet was disrupted in January 2021, in a coordinated effort between Europol and the authorities of the United States, the Netherlands, Germany, the United Kingdom, Canada, Ukraine, Lithuania, and France. Later in April, German law enforcement used the remaining infrastructure to deliver an Emotet module to uninstall the malware from infected devices.

Now, a new loader for Emotet has been spotted being dropped by TrickBot, another malware that had its infrastructure disrupted in October 2020. However, as covered in our Daily Diary #303, TrickBot reappeared in July 2021, with new modules implemented. This new Emotet malware reveals that its botnet is being rebuilt from scratch, using TrickBot's existing infrastructure. Compared with its previous variants, it now contains 3 or 4 more commands that correspond to execution options for downloaded binaries.

It's not clear if this new version is developed by the same threat actors as before, or if it's the work of another gang with access to the source code. Takedowns like these against Emotet, TrickBot, and ransomware operations are effective, but it's very hard to arrest or retire all the involved members. The remaining threat actors usually rebrand themselves and/or re-use their infrastructure and malware source code to continue to pursue their objectives. Also, the malware binaries and source code are still in the wild, so it's very common for other cybercrime groups to compile their own version adapted to their purposes.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com
O: +55 11 97467 9549
