Operation Reacharound – Emotet malware is back

The Emotet botnet is still active, ten months after an international operation coordinated by Europol shut down its infrastructure.

Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time the investigators have taken control of its infrastructure in an international coordinated action. 

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

The law enforcement agency was able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure. The FBI collected millions of email addresses used by Emotet operators in their malware campaigns as part of the cleanup operation.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

Now researchers from multiple cybersecurity firms ([Cryptolaemus], [GData], and [Advanced Intel]) reported that threat actors are using the TrickBot malware to drop an Emoted loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

“On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet.” reported GData.

Malware tracking non-profit organization Abuse.ch shared a list of C2 servers utilized by the new Emotet botnet.

“If Emotet is truly coming back ‘online’, and it appears that it is, they will likely bring with them a bag of new tricks ready to throw at us.” warn Cofense Labs.

At this time, experts have yet to report the use of the Emotet botnet to carry out the spamming campaign.

Network administrators are recommended to IP addresses associated to this campaign to prevent infections with the reformed Emotet bot.

“We urge you to *BLOCK* these command and control servers and regularly update your block list to receive the maximum protection,” wrote Abuse.ch

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]