Researchers Spot Comeback of the Emotet BotnetEmotet's Sibling, Trickbot, is Helping
The Emotet botnet, which was hampered by law enforcement actions earlier this year, is making a comeback. The resurgence is due to help from old friends: cybercriminals running the Trickbot botnet.
Several cybersecurity firms and researchers pointed out on Monday that the Trickbot botnet has begun distributing Emotet.
"Smells like Emotet, looks like Emotet, behaves like Emotet - seems to be Emotet," writes Cyber.wtf, one of the blogs for the German security company G Data.
The development is concerning but not surprising for those fighting large-scale botnets. Emotet and Trickbot were essentially run by different departments of one cybercriminal organization that's based in Russia, says Alex Holden, CISO of Hold Security, a Wisconsin-based security consultancy that studies the cybercriminal underground.
Researchers have long noticed close associations, with Emotet distributing Trickbot and vice versa. Both have been linked to the distribution of ransomware, including Ryuk and Conti.
"We knew that it [Emotet] would come back," Holden says. "It was a matter of time.
The return may signal more battles are ahead. Emotet was the "biggest and baddest" botnet before it was taken down, says James Shank, senior security evangelist and chief architect, community services with Team Cymru.
A new version of Emotet is being distributed by Trickbot, says Marcus Hutchins, a malware researcher with Kryptos Logic who is also part of Cryptolaemus, a notable group of top security researchers and systems administrators dedicated to fighting Emotet. Emotet's return will likely eventually mean greater distribution of ransomware, and those running Emotet "will sell access to other botnets/actors," Hutchins says.
Cryptolaemus noted that Emotet reappeared on the group's third anniversary.
"To celebrate, Ivan has released a new version of Emotet because he feels left out and wants to be part of the party," Cryptolaemus tweeted as a joke, using Ivan as a substitute for Russia.
Fresh, active Emotet botnet C2 servers are now being pushed to Feodo Tracker— abuse.ch (@abuse_ch) November 15, 2021
We urge you to *BLOCK* these C2 servers and regularly update your block list to receive the maximum protection!
Emotet, Trickbot: One-Two Punch
Emotet was often the initial malware that would end up on a system and deliver other malware such as Trickbot. Victims were infected by clicking an infected email attachment, such as an Office document or a malicious URL. Trickbot was designed to exfiltrate data and is more of an exploitation framework.
A blog post from the cybersecurity firm Cybereason in April 2019 illustrates the relationship between the two. Emotet infected a computer and then downloaded Trickbot, which then downloaded the Ryuk ransomware (see: Russian National Charged With Laundering Ryuk Ransoms).
That infection pattern is what happened to Northshore School District in Bothell, Washington, in 2019. The school district spent weeks recovering after a Ryuk infection (see: The Ransomware Files, Episode 1: The School District).
Emotet was dealt a blow in January by law enforcement agencies, in part due to operational mistakes by its operators. Eight countries and Europol shut down hundreds of servers worldwide that were part of Emotet's infrastructure.
In April, law enforcement authorities also undertook took a fairly aggressive step by using Emotet's own infrastructure to send an update to infected computers that removed the malware. Emotet infected more than 1.6 million computers and caused hundreds of millions of dollars in damages, according to the U.S. Department of Justice.
Shank says that just because Emotet is emerging after 10 months doesn't mean the law enforcement effort was a failure. In fact, the Emotet operation marked new levels of cooperation between law enforcement agencies and the private sector. The operation has become a de facto template for future ones, he says.
"This looks like a win for the bad guys [but] in my opinion the fact that it took nine or 10 months for Emotet to come back speaks to the efficacy of the first takedown," Shank says.
Law enforcement agencies also took aim at Trickbot. In October 2020, a court allowed Microsoft and a global group of security companies to disable IP addresses and disrupt the command-and-control servers used by Trickbot.
Trickbot was considered a key player in the malware-as-a-service economy and had infected as many as 1 million machines since 2016. But botnets are designed for resiliency, and it's difficult to knock them completely offline. Just three weeks after Microsoft's Trickbot efforts, a new version was released, and experts spotted new infrastructure.