Emotnet trojan, one of the most infamous malware campaigns, has rekindled and is causing more damage than ever. In January 2021, law enforcement authorities globally had curbed the trojan’s operations by pulverising its C2 infrastructures. What appeared as the end of the trojan story hasn’t turned out that way, and malware has returned with a bang, targeting several systems globally.
- In November 2021, the Emotet trojan reports emerged about the trojan returning to the digital world using TrickBot.
- The rekindled version has become more damaging as it has added functions and modules to target more organisations.
- The Black Lotus Labs’ telemetry reports that approximately 130,000 systems in 179 countries have been affected by the trojan in the last 4 months.
- Security experts point out a time gap between Emoter’s C2 infrastructure restoration and the attacks: a time gap of two months, with the former happening in November
- The researchers cautioned a new trojan version having some minor changes in the tactics.
What’s in the new version?
- The threat intelligence team observed that the new Emotet has a new trait-like elliptic curve cryptography (ECC) scheme for network traffic protection and validation.
- Further, the new version uses a process list module only after the establishment of the connection with the C2
- Increased info-gathering abilities have been observed in the new version
Fortinet’s FortiGuard labs tracked more than 500 Microsoft Excel files that were part of a campaign to plant Emotet in the victims’ devices.
- The Excel file showed a fake yellow warning that lured victims to click on the ‘Enable Content’ button to view the content. Instead, this caused the download of malicious macros that later deployed the trojan.
- The excel used a fake yellow warning as a ruse to let the victims click on the “Enable Content” button to open the content. But upon clicking the button, malicious macros was downloaded that later deployed the trojan.
- Palo Alto Network, in another event, has reported an Emotent trojan phishing attack campaign that uses seized email conversations to target employees.
The strong reboot of the trojan suggests that operators are actively working on improving and redesigning their infrastructure to spread rapidly and effectively. One must be careful while opening emails and have a robust anti-phishing system to scan infected emails.