You’ve probably seem the breathless media headlines everywhere: “Emotet’s back!”
One cybersecurity article we saw – and we knew what it was about right away – didn’t even give a name, announcing simply, “Guess who’s back?”
As you almost certainly know, and may sadly have experienced first hand, Emotet is a blanket term that typically refers both to a family of “command-and-control” malware and the gang who are its commanders-and-controllers.
The idea is simple: instead of building a single-purpose malware program for each attack, and unleashing it on its own, why not spearhead the attack with a general purpose malware agent that calls home to report its arrival, and awaits further instructions?
In popular terminology, that sort of malware is often referred to as a zombie or bot, short for software robot, and a collection of bots with the same command-and-control servers (known as C&C or C2 servers in the jargon), under the same botmasters, is known as a botnet.
Emotet, however, was not just a bot – to many sysadmins and threat responders, it was the bot, run by a notoriously resilient and determined criminal gang who operated their botnet as a disturbingly effective content delivery network for cybercrime.
A common Emotet attack chain typically ran in multiple stages, something like this:
Back in February 2021:
The [Emotet crew] typically use the zombies under their control as a sort of content delivery network for other cybercriminals, offering what amounts to a pay-to-play service for malware distribution.
The Emotet gang does the tricky work of building booby-trapped documents or web links, picking enticing email themes based on hot topics of the day, and tricking victims into infecting themselves…
…and then sells on access to infected computers to other cybercriminals so that those crooks don’t have to do any of the initial legwork themselves.
That quote, notably, comes from an article entitled Emotet take”down – Europol attacks “world’s most dangerous malware”
All quiet on the Emotet front
Since then, the Emotet ecosystem, if we may use that word to describe it, has been essentially off the radar, silent, and invisible.
But as we mentioned in February 2021, the same gang went quiet in February 2020, only to reappear suddenly in July of that year.
And, according to current reports, something similar has happened again, with researchers around the world noting a return of “Emotet-like” activity, and announcing, as Mark Twain famously did after reading in the newspapers that he had passed away, that the report of its death was an exaggeration.
We’ve always been happy to report on malware takedowns, cybercrime busts and other disruptions that have removed or reduced cybercriminality, but we’ve also always advised against relaxing too much when that sort of report appears.
Here’s our advice, whether this Emotet “revival” is the same criminals who’ve returned from takedown to active duty or new recruits; whether it’s the old malware code or a re-written variant; whether the new botnet has the same goals or yet more aggressive ones:
If you need any help with your IT security or suspect your system is compromised, don’t hesitate to contact us at JohnCruzIT.