Skip links

Lock up your Office macros: Emotet botnet back from the dead with Trickbot links

The Emotet malware delivery botnet is back, almost a year after law enforcement agencies bragged about shutting it down and arresting the operators.

The SANS Institute’s Internet Storm Centre (ISC) was one of many organisations to confirm overnight that the spam-based malware delivery network was back online following police raids in January 2021 targeting its command and control infrastructure.

Detailing emails the ISC had seen circulating in the wild with malicious Word, Excel, and .zip archive files attached, the org’s Brad Duncan blogged: “These emails were all spoofed replies that used data from stolen email chains, presumably gathered from previously infected Windows hosts.”

The revival of Emotet is serious because in its final form the Windows malware network was increasingly being used to deliver ransomware, as well as the traditional online banking credential-stealing code it was previously best known for. Typically spam emails sent by Emotet contain a document in a common file format with embedded macros.

The messages involve references to current news events, fake invoices, or memos from corporate superiors, and suchlike, to deceive users into opening the attached file and running the macros, which drop the Emotet malware itself onto the host computer. In the past Emotet has been seen delivering ransomware from well-known criminal gangs such as Conti, Ryuk, and more.

In April, German police took the mildly controversial step of cleansing other people’s infected machines of Emotet, something UK authorities explicitly stopped short of doing.

Malware command-and-control (C2) tracking site Abuse.ch listed a variety of live Emotet C2 servers at the time of writing, painting a very different picture to the one seen immediately after January’s takedown raids.

Callum Roxan, F-Secure’s head of threat intelligence, linked Emotet’s Lazarus-style rise from the grave to TrickBot, a superficially similar banking trojan (an alleged developer of which was arrested in South Korea earlier this year).

“Emotet’s re-emergence is a notable event due to the prevalence of this malware family historically. There are indications that Emotet was initially being deployed by TrickBot and has since started sending out phishing emails as well,” said Roxan.

Meanwhile, Dr Süleyman Özarslan, co-founder of red-teaming firm Picus Security, compared it to “seeing the ghost of Christmas Past,” and opined that Emotet might be gearing up to take advantage of the imminent holiday season.

“Phishing has always been the primary method used to distribute Emotet and in 2018 festive emails were used as a lure to trick victim’s into successfully downloading malicious Word documents disguised as Christmas cards,” said Dr Özarslan.

An early technical analysis of the latest Emotet payloads (complete with IOCs) was published in the small hours of Monday by Germany-based infosec firm G DATA, which observed that a recent sample is now using HTTPS with a self-signed certificate to encrypt its C2 traffic. The original Emotet ran over unencrypted HTTP.

“As per the famous duck-typing, we conclude so far: smells like Emotet, looks like Emotet, behaves like Emotet – seems to be Emotet,” concluded the firm.

As for what to do about its return? Digital Shadows threat intelligence analyst Stefano de Blasi blogged: “Security teams should follow basic cyber security hygiene practices to ensure adequate protection much in the same way as other malware variants.”

While an Emotet infection is no laughing matter, preventing one is just a matter of doing the basics right. Disabling auto-running of macros in Microsoft Office files won’t hurt either. ®

Source