Emotet is back again on the scene and, to be fair, we’re not surprised. Its predictable return has come just ten months after the takedown of its infrastructure, following an internationally coordinated law enforcement operation in January 2021. If you need a refresher on that operation, Digital Shadows (now ReliaQuest) published two analyses a few months ago detailing the impact of Emotet’s takedown on the threat landscape and an explanation of its shutdown.

As stated in those blogs, previous attempts to combat these malicious activities have yielded mixed results. While these malware variants’ operations are often halted for a while, takedown operations don’t usually have permanent effects. Botnets operators are highly versatile and can often recover from these attacks after a short time. 

While the takedown of Emotet was a big win for all but cybercriminals, efforts made to replace it with malware such as BazarCall and IcedID show that cybercriminal outfits are increasingly organized, ambitious and professionalized. In fact, Emotet was central to various criminal operations, including the spread of the QakBot and TrickBot malware to deliver initial access to ransomware operators such as Ryuk and Egregor.

How has Emotet changed since its return?

According to security researchers examining the malware’s return, Emotet is likely rebuilding part of its infrastructure with the help of the TrickBot botnet. As part of these development efforts, Emotet operators are likely stealing email chains to use them during malicious campaigns. As we detailed in our latest blog on Fight the Phish!, cybercriminals are increasingly using email hijacking techniques during their social engineering campaigns. Once in control of a victim’s email account, threat actors can monitor conversations and identify the ideal opportunity to insert a malicious email into an existing thread. As Kim said, “While this is arguably more labor-intensive for a threat actor, it yields higher rewards too.”

The new variant of the infamous malware reportedly follows a similar path of delivering both malicious Office or ZIP files, in addition to other command-and-control (C2) payloads. These are reportedly being distributed via the Trickbot botnet, once again highlighting the close connection between the two malware families. 

The new Emotet infection malspam distribution (source: SANS ISC)
The new Emotet infection malspam distribution (source: SANS ISC)

With this return, Emotet will likely be adopted back into the playbook of several prominent cybercriminals, which will almost certainly include ransomware groups. The removal of Emotet left a vacuum filled with some alternate malware, including Dridex, Qakbot, and IcedID. Many cybercriminal groups may return to Emotet as a tried and tested approach, although these changes will likely be reflected over several months. It will undoubtedly take some time to rebuild Emotet’s infrastructure; however, given its massive reputation in the cybercriminal community makes it a predictable choice for many threat actors looking to expand their operations.

What should security teams be looking out for?

The threat posed by Emotet is significant; however, its return shouldn’t signal a dramatic shift for blue teams. Security teams should follow basic cyber security hygiene practices to ensure adequate protection much in the same way as other malware variants. Email gateways to stop malicious emails from arriving, user awareness of phishing campaigns, and applying restrictions on the use of macros within Office files will assist in lowering the risk posed by most forms of malware. Additionally, monitoring for impersonating domains, enabling multi-factor authentication, and ensuring a smooth phishing reporting process are crucial steps in defending against Emotet.

Emotet threat profile in Digital Shadows SearchLight (now ReliaQuest GreyMatter DRP)
Emotet threat profile in Digital Shadows SearchLight (now ReliaQuest GreyMatter DRP)

If you’d like to monitor how Emotet will develop in the coming weeks and get access to a threat intelligence library of actors relevant to your industry and geography, get a demo request ofSearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection)for free here.