“At around 21:26 UTC on Sunday, November 14th, we observed on some of our Trickbot trackers that bots attempted to download DLLs onto their systems. Internal processing identified these DLLs as Emotet. Resurrected from the dead. Emotet malware has become the solution of choice for cybercriminals who use their infrastructure to access targeted systems on a global scale. The operators then sold this access to other cybercrime groups to deploy ransomware such as Ryuk, Conti, ProLock and Egregor.
Cybersecurity experts have once again started watching threat actors drop malware to revive the infamous Emotet botnet. This year, in January, European and North American law enforcement agencies joined forces to sabotage and bring down the Emotet botnet. However, several security his vendors and experts have found activity indicating an imminent resurgence of Emotet, including Cryptolaemus, GData, and Advanced Intel.
Order count went from 3-4 to 7. The downloaded binary seems to have different execution options (these are just DLL). The researchers saw no evidence of the Emotet botnet spamming or finding malicious documents dropping malware, but added that it’s just a matter of time.
BleepingComputer reports on the development and, in a clear shift in tactics, the threat actors behind Emotet’s resurgence are now using a method called “Operation Reach Rounds” to replace existing TrickBot reconstructions. It points out that the infrastructure is being used to infiltrate the Emotet botnet. The Emotet research group, Cryptolaemus, began analyzing his new Emotet loader and noticed a change from the past. “So far I can definitely see that the command buffer has changed.