Emotet malware is back in the news
Dismantled at the beginning of 2021 by a large law enforcement operation, Emotet is back with a new version... Even more dangerous?
In the opinion of many computer security experts, the Emotet malware was the most serious threat since its first appearance in 2014, right up to the dismantling announced by Europol on January 27. Police forces decided to act after the malware's activity increased in the fall of 2020, and they managed not only to halt its spread but also to push it back. A success that proved illusory.
This is our 3rd anniversary of Cryptolaemus1. Thanks for all the follows and sharing of intel these past 3 years! To celebrate, Ivan has released a new version of Emotet because he feels left out and wants to be part of the party. More details coming soon. As always watch URLHaus pic.twitter.com/Qwvel32ibB
- Cryptolaemus (@Cryptolaemus1) November 15, 2021
Indeed, for the past few weeks, several specialists have pointed out a resurgence of the malware's activity. The Cryptolaemus group of researchers raised the alert on Twitter on November 15 by mentioning a new version of Emotet. Cryptolaemus specifies that this new version is "carried" (distributed) by another well-known malware, TrickBot. This information is confirmed by other security experts such as GData and Advanced Intel, who provide some details.
GData and Advanced Intel believe that this "new Emotet" is more effective than its predecessor. In particular, it uses HTTPS to encrypt the traffic between the malware's command-and-control servers and newly infected machines, whereas the earlier version could only speak plain HTTP. Cryptolaemus also states that the command buffer is more complex than in the previous version of the malware: "We can now confirm that the command buffer has been modified. It now contains 7 commands as opposed to 3-4 on previous versions".
Fresh, active Emotet botnet C2 servers are now being pushed to Feodo Tracker
We urge you to *BLOCK* these C2 servers and regularly update your block list to receive the maximum protection!
- abuse.ch (@abuse_ch) November 15, 2021
According to Cryptolaemus, the first waves of infection date back to September 2021, and the researchers report having observed large waves of suspicious emails. Remember that infected attachments and malicious HTTP links remain the preferred means of spreading the malware. Once again, the safest way to avoid infection is not to trust the attachments of the emails you receive and to look carefully at where a link points before clicking on it. Even more caution is advisable with the "new Emotet", which seems to have already infected many machines: researchers mention more than 246 machines acting as control servers for many other infected ones.
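As an added, defender-side example (not part of this article, nor code from abuse.ch or Cryptolaemus): a small Python script that loads a Feodo Tracker-style C2 blocklist, keeps only the entries still flagged online for the Emotet family, and flags egress-firewall connections whose destination is a listed C2 server, which is the kind of check the abuse.ch tweet above is asking operators to automate. The CSV column layout, the log line format and all sample data are constructed assumptions; the IP addresses are RFC 5737 documentation ranges, not real C2 servers.

```python
import csv
import re

# Constructed sample in the column layout assumed for Feodo Tracker's
# ipblocklist CSV (verify against the live file before relying on it).
# Addresses are RFC 5737 documentation ranges, not real C2 servers.
SAMPLE_BLOCKLIST = """\
# Feodo Tracker botnet C2 IP blocklist (constructed sample)
first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2021-11-15 09:12:00,192.0.2.10,443,online,2021-11-15,Emotet
2021-11-14 22:40:00,198.51.100.7,8080,online,2021-11-15,Emotet
2021-10-02 11:00:00,203.0.113.5,443,offline,2021-10-09,Emotet
2021-11-13 07:30:00,203.0.113.77,449,online,2021-11-15,TrickBot
"""

# Constructed egress-firewall lines: "<time> src=IP:port dst=IP:port proto"
SAMPLE_LOG = """\
2021-11-15T10:01:02Z src=10.0.5.21:51234 dst=192.0.2.10:443 tcp
2021-11-15T10:01:09Z src=10.0.5.21:51240 dst=93.184.216.34:443 tcp
2021-11-15T10:02:15Z src=10.0.7.3:40012 dst=198.51.100.7:8080 tcp
2021-11-15T10:03:00Z src=10.0.7.3:40013 dst=203.0.113.5:443 tcp
"""

DST_RE = re.compile(r"dst=(\d+\.\d+\.\d+\.\d+):(\d+)")

def load_c2(blocklist_text, malware="Emotet", only_online=True):
    """Return {ip: set(ports)} for C2 entries of the given family."""
    rows = [ln for ln in blocklist_text.splitlines() if ln and not ln.startswith("#")]
    c2 = {}
    for row in csv.DictReader(rows):
        if row["malware"].lower() != malware.lower():
            continue
        if only_online and row["c2_status"] != "online":
            continue  # stale entries are kept out so the list stays fresh
        c2.setdefault(row["dst_ip"], set()).add(int(row["dst_port"]))
    return c2

def find_c2_hits(log_text, c2):
    """Return (line, ip, port, port_listed) for lines whose destination is a C2 IP."""
    hits = []
    for line in log_text.splitlines():
        m = DST_RE.search(line)
        if m and m.group(1) in c2:
            ip, port = m.group(1), int(m.group(2))
            hits.append((line, ip, port, port in c2[ip]))
    return hits

if __name__ == "__main__":
    for line, ip, port, listed in find_c2_hits(SAMPLE_LOG, load_c2(SAMPLE_BLOCKLIST)):
        print(f"ALERT C2 {ip}:{port} (listed port: {listed}) <- {line}")
```

Matching on IP alone catches a C2 contacted on a port the list does not yet know about; the `port_listed` flag tells you how exact the match was.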