Announcement of 17. November 2021

Emotet is back

Following the coordinated takedown by law enforcement agencies in January 2021, new variants of the Emotet malware have been spotted for the first time since, as a recent analysis by G DATA shows. Emotet has been an all-purpose cybercrime weapon for years.

Emotet is considered one of the most dangerous malware families because it serves as a bridgehead for cyberattacks on companies of all sizes. In the past, the initial infection was often followed by an extortion attempt against the affected company using an encryption Trojan.

The internationally coordinated takedown of Emotet has been effective for many months and has saved many victims from harm. We congratulate all the authorities involved for this. Nevertheless, our current analyses show that Emotet has now returned - as shown by manual analysis of current malware samples.

Dr. Tilman Frosch

Managing Director of G DATA Advanced Analytics

The new Emotet sample stands out because of several technical similarities to the original malware: a comparison of the code shows similar structures. There are also differences, however. Network traffic is still encrypted, as before, but unlike the previously known Emotet variants the new one uses HTTPS with a self-signed certificate.

So far, no significant spam activity has been observed in connection with Emotet. According to current findings, Emotet uses the infrastructure of the Trickbot malware; its own botnet was apparently destroyed for good during the takedown. G DATA customers are protected against the new Emotet variants.

UPDATE: The first spam campaigns have started; Emotet is currently distributed as *.docm and *.xlsm attachments as well as password-protected ZIP attachments.
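The attachment types named in the update can be triaged at the mail gateway without opening any document. The following Python is an added example (not G DATA's code) that flags macro-enabled Office extensions and detects password-protected ZIPs via the encryption bit in the ZIP headers; the ZIP sample it builds is constructed locally and the member name is a placeholder.

```python
import io
import struct
import zipfile

# Attachment extensions named in the announcement as current Emotet lures.
MACRO_EXTENSIONS = {".docm", ".xlsm"}


def _ext(filename: str) -> str:
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def zip_inspect(data: bytes):
    """Return (password_protected, member_names) for a ZIP blob.
    Member names live in the central directory and stay readable even when
    the content is encrypted; bit 0 of the general-purpose flag marks encryption."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return False, []
    return any(i.flag_bits & 0x1 for i in infos), [i.filename for i in infos]


def classify_attachment(filename: str, data: bytes) -> str:
    """Triage label: macro-document, zip, encrypted-zip (+macro-document), or other.
    The extension is checked first because .docm/.xlsm are themselves ZIP containers."""
    if _ext(filename) in MACRO_EXTENSIONS:
        return "macro-document"
    if _ext(filename) == ".zip" or data.startswith(b"PK\x03\x04"):
        encrypted, members = zip_inspect(data)
        label = "encrypted-zip" if encrypted else "zip"
        if any(_ext(m) in MACRO_EXTENSIONS for m in members):
            label += "+macro-document"
        return label
    return "other"


def build_sample_zip(encrypted: bool, member: str = "invoice.docm") -> bytes:
    """Constructed test input: one-member stored ZIP, optionally with the
    encryption flag set (zipfile cannot write encrypted archives, so patch it)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, b"constructed placeholder, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01  # local file header: flags at offset 6
        cd_offset = struct.unpack("<I", data[-6:-2])[0]  # from end-of-central-dir record
        data[cd_offset + 8] |= 0x01  # central directory entry: flags at offset 8
    return bytes(data)
```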

A detailed blog post with technical details as well as Indicators of Compromise can be found on the blog of our subsidiary G DATA Advanced Analytics: Guess who’s back – cyber.wtf
