Emotet. Reincarnation
Emotet. Reincarnation
March 22, 2022, noon

Emotet, the king in the world of botnets, which was considered neutralized as a result of a special operation carried out in January 2021 by the United States, the European Union and Ukraine, has been rapidly restoring its former greatness in cyberspace since November 2021 and is building up an army of infected users' computers around the world.

The specialists of the Check Point company recognized the Emotet botnet as the most active cyber threat of February 2022, which pushed on the pedestal of botnets no less dangerous contenders for the throne - TrickBot and QakBot.

Moreover, reputable companies in the field of cybersecurity claim that it was TrickBot and QakBot operators who directly assisted in the reincarnation of the botnet by providing the services of classic droppers and serving as a vector for the penetration of new Emotet samples into already compromised computers around the world.

Indeed, according to our radars, Emotet's last active efforts to build up infrastructure date back to January 26, 2021, which correlates with the official Europol report on the special operation, published the following day. Apparently, on that day, the early morning some of botnet operators really did not start with coffee.

The small activity of Emotet, which was still observed at the beginning of February, is most likely due to the continued inertia of spam mailing of malicious modules.




However, on November 15, 2021, Emotet, who fell into a coma for more than six months, suddenly begins to have a pulse again. In 4 months, botnet operators, who for some reason escaped the punishing hand of justice, manage to update 70% of the previously used infrastructure and 37% of the arsenal of malicious modules used.




The geography of the malicious infrastructure of Emotet, which has risen from the cyberashes, has undergone insignificant changes. The absolute leadership in the number of servers in the botnet is still maintained by the United States. However, there is a sharp decline in the scale of botnet's infrastructure in China and Brazil, and France and Russia fall into the list of attractive countries, in addition to Germany.

At the same time, the geography of the Emotes infrastructure during the currently observed second wave largely coincides with the geography of the servers as part of TrickBot and QakBot. A coincidence?




The obvious partnership with other cybercriminal groups also explains the significant changes in the delivery methods of Emotet modules, characteristic of the second wave of infections. Botnet operators prefer using DLL libraries and broken PNG images instead of previously actively used Microsoft Word documents with malicious macros. Apparently, now Emotet does not need its own droppers, the use of complex social networks or BEC-attacks, quenching its appetite at the expense of stronger partners.


Wave №1 
Wave №2 


But to store malicious modules and reduce the probability of detection, Emotet, as before, actively uses the file systems of compromised servers with legitimate Wordpress websites, which indicates that botnet operators have an exploit to the popular engine. It is noteworthy that cases of infection of resources in Russian TLD zones are isolated and, rather, are random. Emotet operators clearly avoid using russian websites for storing samples.

At the time of writing the report, unique Emotet samples continued to fall into the field of view of our radars and mercilessly devour bytes of storage allocated for catching cyber threats. We should not expect a decrease in botnet activity in the near future, whose operators have clearly come out of the shadows not just for another portion of the community's attention.