New Emotet botnet is rapidly growing, with +130K unique bots spread across 179 countries

A few months after its return the Emotet botnet has already infected over 130,000 unique bots spread across 179 countries.

The Emotet botnet continues to grow and has infected approximately 130,000 hosts since its resurrection in November 2021.

Early 2021, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time the investigators have taken control of its infrastructure in an international coordinated action. 

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

The law enforcement agencies were able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure. The FBI collected millions of email addresses used by Emotet operators in their malware campaigns as part of the cleanup operation.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In November 2021 researchers from multiple cybersecurity firms ([Cryptolaemus], [GData], and [Advanced Intel]) reported that threat actors were using the TrickBot malware to drop an Emoted loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

Since its report Emotet operators have amassed an impressive number of infected systems, researchers from Lumen’s Black Lotus Labs reported.

Researchers pointed out that the new Emotet botnet supports new features to avoid detection and analysis, such as the use encryption for network traffic and the separation of the process list into its own module.

The new version uses elliptic curve cryptography (ECC), with a public key to perform the encryption and a separate algorithm that is used to perform data validation.

The new version is also able to gather additional information about the infected host. Experts also reported significant growth of the C2 pool late February through March 4.

“While Black Lotus Labs tracked more than 300 unique Emotet C2s in May of 2019, the number of unique C2s in the roughly four months since the resurgence is roughly 200. As Figure 2 reflects, when Emotet came back online in November 2021, it did so with a smaller, but relatively consistent pool of Tier 1 C2s.” reads the report published by the experts. “Over the last few months, the C2 pool has continued to grow to an average of 77 unique Tier 1 C2s per day from late February through March 4.”

One of the most important features in the new Emotet infrastructure is the apparent absence of Bot C2s, which are bots that would receive a UPnP module that enabled an infected device to act as a C2 by opening a port on the user’s router that would then allow it to proxy traffic from Emotet bots to a higher-tier C2.

Most of the Emotet C2s are located in the United States and Germany, the rest of the list of top 10 countries by volume of C2s includes France, Brazil, Thailand, Singapore, Indonesia, Canda, United Kingdom and India.

“The growth and distribution of bots is an important indicator of Emotet’s progress in restoring its once sprawling infrastructure. Each bot is a potential foothold to a coveted network and presents an opportunity to deploy Cobalt Strike or eventually be promoted to a Bot C2.” Black Lotus Labs concludes.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

[adrotate banner=”5″]

[adrotate banner=”13″]