Nature abhors a vacuum, and it was only a matter of time before something came along to fill the void left by the disruption of the Emotet network. Well, it seems that thing is Emotet all over again, and it did not take all that long for the group to get things going. In November 2021, researchers identified code that belonged to the group, but with some internal changes and a new delivery method. Notably, the group started using Trickbot, and there is a shift in the way traffic is encrypted. These events have led some researchers to speculate that the rebirth of Emotet is part of Conti's new method.
Conti is known to have picked up more than a few members of Trickbot's group and may have shuttered the original Trickbot infrastructure to prevent it from being dismantled the same way the original Emotet was. The shift in tactics after building a foothold makes sense from a tactical and strategic perspective, and the speed with which they have established that foothold is impressive. Despite being at only about 10% of their former glory, they have built up a network of 150k-plus bots in about three months.
Looking over the geographic layout of the bots, it appears that some strategic decisions were made for the renewed assault. The group appears to have targeted regions that historically have poor security or run outdated/vulnerable operating systems and software. We would not be surprised to see Emotet reach its former size (1.5 million+ bots) in a relatively short time. They have shown themselves to be a resourceful and clever group, and there is little doubt that they will continue to flourish.
Organizations should ensure that they maintain good patching policies, control the use of Office macros and the internal scripting engines that malicious documents pivot through, and deploy behavior-based EDR/anti-malware solutions to reduce the risk of compromise.
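As an added illustration of the macro and scripting-engine controls mentioned above (example code written for this note, not part of the original post or any vendor tooling), the following PowerShell audits the standard Office policy keys for VBA macro handling and the Windows Script Host enable flag, and can optionally enforce the hardened values. It assumes Office 2016/2019/365 (the `16.0` policy path) and that it is run on a Windows host with sufficient rights to read and, with `-Enforce`, write the HKLM policy hive; the hardened values shown (`VBAWarnings = 4`, `blockcontentexecutionfrominternet = 1`, WSH `Enabled = 0`) are the documented settings for "disable all macros without notification", "block macros in files from the Internet", and "disable Windows Script Host" respectively.

```powershell
<#
    Audit (and optionally enforce) Office macro and Windows Script Host policy.
    Added example, not from the original post. Assumes Office 16.0 policy paths.
    Run as an administrator when using -Enforce.
#>
param(
    [switch]$Enforce   # when set, write the hardened values instead of only reporting
)

# Office applications that commonly carry malicious macros in phishing lures.
$officeApps = @('Word', 'Excel', 'PowerPoint')

# Desired (hardened) policy values; these are the documented meanings:
#   VBAWarnings 4  = disable all macros without notification
#   blockcontentexecutionfrominternet 1 = block macros in files that carry the Mark of the Web
$desired = @{
    'VBAWarnings'                       = 4
    'blockcontentexecutionfrominternet' = 1
}

$findings = @()

foreach ($app in $officeApps) {
    # Machine-wide policy key (HKLM takes precedence over per-user settings when present).
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security"

    foreach ($name in $desired.Keys) {
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }

        $compliant = ($current -eq $desired[$name])
        $findings += [pscustomobject]@{
            Setting   = "$app\$name"
            Current   = if ($null -eq $current) { '<not set>' } else { $current }
            Desired   = $desired[$name]
            Compliant = $compliant
        }

        if ($Enforce -and -not $compliant) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -Value $desired[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Windows Script Host: many loaders pivot from a macro into wscript/cscript.
# Enabled = 0 under the Settings key disables WSH for all users on the machine.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$wshCurrent = $null
if (Test-Path $wshKey) {
    $wshCurrent = (Get-ItemProperty -Path $wshKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
}
$wshCompliant = ($wshCurrent -eq 0)
$findings += [pscustomobject]@{
    Setting   = 'WindowsScriptHost\Enabled'
    Current   = if ($null -eq $wshCurrent) { '<not set>' } else { $wshCurrent }
    Desired   = 0
    Compliant = $wshCompliant
}
if ($Enforce -and -not $wshCompliant) {
    if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
    New-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

# Report: one row per setting, non-compliant rows are the ones to act on.
$findings | Format-Table -AutoSize

# Exit code 1 when anything is non-compliant, so the script can feed a compliance job.
if ($findings | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run without arguments to get a report suitable for a baseline check across a fleet; run with `-Enforce` from an elevated prompt to set the hardened values. Disabling WSH machine-wide can break legitimate logon scripts, so test that change on a pilot group before rolling it out, and pair these controls with the behavior-based EDR coverage the post recommends, since macro-free delivery methods are not affected by them.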