The newer cybercrime triad: TrickBot-Emotet-Conti

Advanced Intelligence researchers argue that the restarting of the Emotet botnet was driven by Conti ransomware gang.

Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time the investigators have taken control of its infrastructure in an international coordinated action. 

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

The law enforcement agency was able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure. The FBI collected millions of email addresses used by Emotet operators in their malware campaigns as part of the cleanup operation.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

Last week researchers from multiple cybersecurity firms ([Cryptolaemus], [GData], and [Advanced Intel]) reported that threat actors are using the TrickBot malware to drop an Emoted loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

Researchers from AdvIntel believe that the return will have a significant impact on the ransomware operations in the threat landscape, likely “the largest threat ecosystem shift in 2021” and beyond due to three reasons:

1. Emotet’s unmatched continuous loader capabilities
2. The correlation between these capabilities and the demanded of the contemporary cybercrime market
3. The return of the TrickBot-Emotet-Ransomware triad resulted from the first two points.

The Emotet botnet was resurrected by its former operator, who was convinced by the Conti ransomware gang. The shutdown of the Emotet operation resulted in the lack of high-quality initial access brokers.

Qbot and TrickBot used Emotet’s service to deploy multiple ransomware strains, including Conti, DoppelPaymer, Egregor, ProLock, Ryuk, and others).

“Most likely because no other groups were able to replicate such capabilities, after leaving cyberspace in January 2021, Emotet left a vacuum that was not filled even with MASSLOADER, also known as Hancitor. Other botnets like QBot attempted to step in but largely failed as a persistent and continuous loader system.” states the report published by AdvIntel. “This created a major interruption within the ransomware supply chains. After the takedown of Emotet, the demand for an efficient source of high-quality access and advanced dissemination was not matched with a proper supply.”

The vacuum left by Emotet shutdown urged the EMOTET resurgence important, for this reason its return will have a major impact on the threat landscape. The researchers believe that one reason that contributed to multiple ransomware-as-a-service (RaaS) operations shutting down this year (Babuk, DarkSide, BlackMatter, REvil, Avaddon) was that affiliates used low-level access sellers and brokers (RDP, vulnerable VPN, poor quality spam).

With RaaSes disappearing, traditional groups like Ryuk (Conti), TA505, and EvilCorp regained a pivotal role in the threat landscape attracting talented malware specialists searching for a stable and ordered operational environment.

In this scenario, the alliance between the Conti group, Trickbot gang, and Emotet’s operators could push up the ransomware operations. The Conti operations will leverage Emotet to deliver their payload to high-value targets.

“Emotet’s return is not coincidental, it is caused by major shifts in the overall cybercrime domain. The growing monopolization of the ransomware world, which is rapidly conquered by only a few highly-organized criminal corporations, leads to better opportunities for criminal ventures like the Emotet botnet developers.” concludes the analysis. “Larger organized crime groups have higher profits working together in a liaison. This has been proven by the alliance of TrickBot, Emotet, and Ryuk: the three major players of the pre-2019 cybercrime hierarchy. In late 2021, as the smaller actors are losing their impact and power, while larger ones are becoming even bigger, the new criminal alliance between TrickBot, Emotet, and Conti, is a logical avenue for criminals.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

[adrotate banner=”5″]

[adrotate banner=”13″]