Why is Emotet back and should we be worried?
In January 2021, cyber pros rejoiced when a worldwide undercover operation by law enforcement permanently dismantled the Emotet botnet.
The takedown was celebrated as an example of the power of collaboration in the face of global security threats, and it had an immediate impact on the cybercriminal underground.
But over the past few days, alarming signs have surfaced that Emotet is back up and running, raising fears of yet another campaign of malicious activity. So what happened? And how concerned should defenders be?
Emotet started out as a relatively mundane banking Trojan in 2014, but over the next few years its creators developed and refined it into a very sophisticated botnet used as a delivery mechanism – a loader, in computer parlance – for other malicious payloads such as malware and ransomware.
By the end of 2020, Emotet had become a key part of the cybercrime economy as a service, leased to malicious actors as a means to access targets to steal and ransom data.
The Ryuk ransomware team was one of Emotet’s most trusted clients, among many others – more on that later.
At the height of its operations, Emotet was a very effective and dangerous threat, and its operators were considered masters of social engineering techniques, such as bespoke spear-phishing emails, used to lure targets into infecting themselves.
Not so fast
Its January takedown was therefore rightly celebrated, but even then many security experts tempered their enthusiasm and said it was likely that Emotet would eventually reappear in some form or another.
Among them was Mandiant’s Kimberly Goody, who said at the time that it was likely that some of Emotet’s partner operations, such as Trickbot, Qakbot and Silentnight, could be used to rebuild the botnet.
Something of this nature now seems to have happened. The first signs that Emotet is resurfacing began to appear on the evening of November 14, when security analysts at GData came across evidence from their Trickbot trackers that the bot was trying to download a dynamic link library (DLL) onto the system. Subsequent analysis revealed that the DLLs were Emotet, and the next morning, as others confirmed the link, the news spread quickly.
From conversations between Lawrence Abrams of BleepingComputer, which was one of the first to report the re-emergence of Emotet, and security researchers, the botnet’s operators seem to have rebuilt it using infrastructure owned by Trickbot – as Mandiant’s Goody had theorised – and that probably signals an increase in activity, especially among ransomware operators, many of whom have found themselves at a loose end lately.
The Mummy and the Wizard
CrowdStrike senior vice-president of intelligence Adam Meyers said the botnet’s re-emergence, which he attributed to the earlier strong relationship between the Emotet and Trickbot operators (which CrowdStrike tracks as Mummy Spider and Wizard Spider respectively), was a sign of “how resilient the cybercrime community has become”.
Meyers suggested it was possible that Wizard Spider had actually taken up Emotet for itself in some form or another. Note, incidentally, that Wizard Spider also has the Ryuk and Conti ransomware in its arsenal.
Radware’s threat intelligence director Pascal Geenens said it was likely that Emotet would work with Trickbot to gain a foothold quickly, to the point where it could resume self-sustaining growth, and suggested it was only a matter of time before that happens.
“Considering the number of successful extortion campaigns and huge payments involving ransomware in recent history, there is expected to be a strong demand for malware-as-a-service platforms from ransomware operators,” Geenens said.
“Now is a great time to get back to business for the players who have been able to maintain one of the largest and most prolific malware platforms in cybercrime history.”
Stefano De Blasi of Digital Shadows said it was likely Emotet would be taken with gusto. “Many groups of cybercriminals could return to Emotet as a proven approach, although these changes will likely be reflected over several months,” he said.
“It will undoubtedly take some time to rebuild Emotet’s infrastructure, however, its massive reputation in the cybercriminal community makes it a predictable choice for many threat actors looking to expand their operations.”
What next?
Emotet may be back, but at the time of writing, its impact still seems somewhat limited – although there are already indicators that it is being used in spam campaigns.
“To protect themselves, it’s really incumbent on organizations to make sure they quickly identify compromised hosts and remediate them,” said Meyers of Crowdstrike.
“Based on our research on breakout time, which is the time it takes for an adversary to move laterally in a victim environment, security teams need to detect threats on average in one minute, understand them in 10 minutes and contain them in 60 minutes to be effective at stopping breaches.”
Right now, said Jen Ellis, vice-president of community and public affairs at Rapid7, there is little out of the ordinary that defenders really need to do.
“From the information available, it appears that even though they are still in the early stages of rebuilding their network, Emotet is already sending spam,” she said. “This seems to indicate that we can expect Emotet’s controllers to resume operations as they did before the dismantling in January.
“Since then, however, we have seen law enforcement and the private sector working more closely together on other unified actions to deter and disrupt attacking groups. They will be watching this development closely and I suspect they will already be considering potential actions to prevent Emotet from regaining the supremacy it once enjoyed.”
“Until then, it’s business as usual for security professionals,” Ellis said. “The name Emotet may sow fear in their hearts, but the reality is that they are attacked every day, and all of the measures needed to defend against those attacks are the same for Emotet. Prompt patching, effective identity and access management strategies, network segmentation, regular offline backups, email filtering, and user awareness are all essential elements of a defence-in-depth strategy and business resilience.”
Appgate researcher Felipe Duarte Domingues gave similar advice to defenders. “IT managers and cybersecurity teams need to handle this new version of Emotet like any other malware threat, deploying reasonable security measures and training employees against social engineering attacks such as email phishing,” he said.
“It’s important to note that these new features show that the actors are focused on running other malware with Emotet. Botnets like Trickbot are often used to spread and move laterally in a network, and even to deploy ransomware.
“Adopting a zero-trust model is important for any organisation that wishes to be protected against Emotet or any other botnet [or] ransomware threat. By assuming that all connections can be compromised and segmenting your network, you can limit affected systems and threat actions to a single perimeter, and increase the chances of detecting malicious behaviour inside your network.”
On the bright side, Doug Britton, CEO of Haystack Solutions, a US-based security services company, said it could be a positive sign that Emotet has been spotted and identified so quickly.
“Emotet is pervasive malware and an indicator of recycled and evolving malware delivery techniques,” he said. “It’s very interesting to see this at the start of the restructuring and rebuilding of Emotet and its bot-spamming infrastructure.
“It’s promising to hear that researchers have proactively identified this. Cyber professionals play a critical role in tackling the persistent threat of evolving malware. As we can see, bad actors are developing pipelines to spread malware on a large scale.”