Emotet is back. Here's what we know.

Months after law enforcement agencies took down the notorious Emotet botnet, Intel 471 observed the Trickbot banking trojan downloading and executing what appear to be updated Emotet binaries. This marks the first time we have observed Emotet malware activity since the takedown was announced in January.

Bots associated with Trickbot, tagged with several different gtags (lip125, fat2, top118 and others), received a download-and-execute command.

The distribution URL was:

hxxp://141.94.176.124/Loader_90563_1.dll

The sample hash:

c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01

The sample embeds 20 hard-coded Emotet C2 addresses (IP address and port pairs).


Our analysis is ongoing, but the differences we have found so far between this new Emotet sample and the older version lie mostly in the communication protocol: the new Emotet uses elliptic-curve cryptography (ECC) where the older Emotet favored RSA.

We said back in January that “time will tell if the takedown will have a long-term impact on Emotet operations. The groups who run these botnets are sophisticated and resilient, and will most likely have some sort of inherent recovery in place.” While that recovery took months, the resiliency displayed here shows that the cat-and-mouse game with Emotet’s developers will continue into 2022.

We can’t definitively say whether Emotet is back for real or whether this is some sort of test, but it shows that the actors who control Emotet’s source code are not done with it yet.

Intel 471 is performing an in-depth analysis of the collected sample and will provide an update when additional information is obtained.
