DecryptedTech

Friday, 12 August 2022

Emotet’s Comeback Shows no Sign of Slowing as Bot Number Exceeds 100,000



Emotet (not to be confused with Imhotep, the ancient Egyptian polymath) was originally identified in 2014 and quickly became one of the top threats of the decade. After an early start as a banking trojan, the group amassed a huge number of bots that it was able to leverage to execute attacks on targets. This bot infrastructure was then sold as a service to other groups as part of a Malware-as-a-Service model. The prevalence and reach of Emotet was enough that in early 2021 the global law enforcement and cyber security community targeted Emotet’s infrastructure and the people who had been identified as part of the group. It was a significant hit to the organization.

Nature abhors a vacuum, and it was only a matter of time before something came along to fill the void left by the disruption of the Emotet network. Well, it seems that thing is Emotet all over again, and it did not take all that long for the group to get things going again. In November 2021, researchers identified code that belonged to the group, but with some internal changes and a new delivery method. Notably, the group started using Trickbot for delivery and changed the way its traffic is encrypted. These events have caused some researchers to speculate that the rebirth of Emotet is part of Conti’s new method.

Conti is known to have picked up more than a few members of Trickbot’s group and may have shuttered the original Trickbot infrastructure to prevent having it dismantled the same way that the original Emotet was. The shift in tactics after building a foothold in the world makes sense from a tactical and strategic perspective, and the rapid way they have established this foothold is impressive. Despite it being only about 10% of their former glory, they have built up a network of 150k plus bots in about three months.

In looking over the geographic layout of the bots, it appears that some strategic decisions were made for the renewed assault. The group appears to have targeted areas that historically have poor security practices or run outdated or vulnerable operating systems and software. We would not be surprised to see Emotet reach its former glory (1.5 million+ bots) in a relatively short time. They have shown themselves to be a resourceful and clever group, and there is little doubt that they will continue to flourish.

Organizations should ensure that they maintain good patching policies, control the use of macros and internal scripting engine pivots, and utilize behavior-based EDR/anti-malware solutions to reduce the risk of compromise.
