The Return of Emotet Malware

November 16, 2021 - According to researchers from Cryptolaemus, GData, and Advanced Intel, Emotet malware is slowly making a comeback. Its infrastructure was taken down in January 2021 and the malware was uninstalled from infected machines in April 2021, following a major operation coordinated by Europol with law enforcement and judicial authorities in several countries, including the Netherlands, Germany, Lithuania, Canada, France, the USA, and Ukraine.


Emotet was formerly considered the most widely distributed malware, spreading through spam campaigns and malicious attachments. The visualization from Cybereason provides a brief summary of the tactics, techniques and procedures (TTPs) used by the original Emotet malware.

The current, modified version uses an approach dubbed "Operation Reacharound" to rebuild the Emotet botnet on TrickBot's existing infrastructure. Researchers noted that spamming has so far been limited, most likely because the infrastructure has to be rebuilt from the ground up. The command buffer has also been expanded from 3-4 to 7 commands, and execution is likely to target other binaries as well, rather than being limited to DLLs as in the original design.


Abuse.ch strongly advises network administrators to block all IP addresses of these 246 newly identified infected devices, so that their own devices are not recruited into the rebuilt Emotet botnet.
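As an added example (not code from this post, from Abuse.ch, or from the named researchers), the script below shows how a defender might operationalize that advice: load a blocklist, check outbound-connection log lines against it, and render firewall rules for the listed addresses. It assumes a simple "one address per line, `#` comments" blocklist format, which is an assumption rather than the real feed format, and all addresses and log lines are constructed from RFC 5737 documentation ranges, not real indicators.

```python
"""Match outbound-connection logs against an IP blocklist and emit firewall rules.

Added example. The blocklist entries and log lines are constructed (RFC 5737
documentation ranges) and are not real Emotet indicators.
"""
import ipaddress
import re

# Constructed blocklist in an assumed "one IP per line, '#' comments" format.
BLOCKLIST_TEXT = """
# constructed sample, not the real abuse.ch feed
192.0.2.10
192.0.2.11
198.51.100.7
not-an-ip
"""

# Constructed firewall/proxy log lines: timestamp src dst dport
LOG_LINES = [
    "2021-11-16T10:01:02Z src=10.0.0.5 dst=192.0.2.10 dport=8080",
    "2021-11-16T10:01:05Z src=10.0.0.7 dst=203.0.113.9 dport=443",
    "2021-11-16T10:02:11Z src=10.0.0.5 dst=198.51.100.7 dport=443",
    "garbage line with no fields",
]

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_blocklist(text):
    """Return a set of valid IPv4/IPv6 addresses, skipping comments and junk lines."""
    addrs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addrs.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed entry: skip it rather than abort the whole load
    return addrs


def find_hits(log_lines, blocklist):
    """Return (src, dst, dport) for every log line whose destination is blocklisted."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: ignore, do not crash the sweep
        try:
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            continue
        if dst in blocklist:
            hits.append((m.group("src"), str(dst), int(m.group("dport"))))
    return hits


def iptables_rules(blocklist):
    """Render one outbound DROP rule per IPv4 address, in stable address order."""
    return [
        f"iptables -A OUTPUT -d {ip} -j DROP"
        for ip in sorted(blocklist, key=lambda a: (a.version, int(a)))
        if ip.version == 4
    ]


if __name__ == "__main__":
    bl = parse_blocklist(BLOCKLIST_TEXT)
    for src, dst, dport in find_hits(LOG_LINES, bl):
        print(f"ALERT: {src} contacted blocklisted {dst}:{dport}")
    print("\n".join(iptables_rules(bl)))
```

Both the log sweep and the rule rendering tolerate malformed input, which matters when a feed or a log source occasionally contains junk: a single bad line should not stop the rest of the list from being enforced. In practice the `iptables` output would be reviewed and applied at the perimeter, and the log sweep run over historical data to find hosts that had already contacted the listed addresses before the block was in place.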