Months after the malware was dismantled by law enforcement, security researcher Luca Ebach sees signs of Emotet usage in the wild. His report indicates that TrickBot is currently being utilized to deploy a new variant of Emotet on systems TrickBot previously compromised.
“On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet,” said Ebach.
Further analysis helped to confirm with “high confidence” that the detected samples are indeed “a re-incarnation of the infamous Emotet.”
What similarities are there with previous Emotet samples? The heavy use of control-flow flattening for code obfuscation was typical of older Emotet variants, and it is present in this one as well. The researcher provided two arbitrarily chosen code snippets to illustrate the similarity in obfuscation style.
“As per the famous duck-typing, we conclude so far: smells like Emotet, looks like Emotet, behaves like Emotet – seems to be Emotet,” the researcher concluded.
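To make the obfuscation style the researcher refers to concrete, here is an added illustration (not Emotet code and not from the report) of control-flow flattening: a small checksum routine in plain form, and the same routine rewritten so that every basic block becomes a case of a dispatcher switch driven by a state variable. The state ids are constructed for the example; real samples pick them to look meaningless.

```c
#include <stddef.h>
#include <stdint.h>

/* Plain version: loop with a branch in the body. Constructed for this example. */
uint32_t checksum_plain(const uint8_t *buf, size_t len) {
    uint32_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] & 1)
            acc = (acc << 1) ^ buf[i];
        else
            acc += buf[i];
    }
    return acc;
}

/* Flattened version: identical behaviour, but the loop and the if/else are
 * gone from the structure. Every block is a switch case and the original
 * control flow survives only as assignments to `state`. A decompiler shows
 * one big loop around a switch, which is the shape analysts recognise. */
uint32_t checksum_flat(const uint8_t *buf, size_t len) {
    uint32_t acc = 0;
    size_t i = 0;
    int state = 0x1A;                    /* entry block */
    for (;;) {
        switch (state) {
        case 0x1A: i = 0; acc = 0; state = 0x2B; break;   /* init      */
        case 0x2B: state = (i < len) ? 0x3C : 0x5E; break; /* loop test */
        case 0x3C: state = (buf[i] & 1) ? 0x4D : 0x4E; break; /* if  */
        case 0x4D: acc = (acc << 1) ^ buf[i]; state = 0x4F; break;
        case 0x4E: acc += buf[i]; state = 0x4F; break;
        case 0x4F: i++; state = 0x2B; break;              /* increment */
        case 0x5E: return acc;                             /* exit      */
        }
    }
}

/* Self-check: both versions must agree on constructed inputs (returns 1 if so). */
int flatten_selfcheck(void) {
    static const uint8_t a[] = {1, 2, 3, 4};
    static const uint8_t b[] = {0xFF, 0x10, 0x7F, 0x00, 0x33};
    return checksum_plain(a, 4) == checksum_flat(a, 4)
        && checksum_plain(b, 5) == checksum_flat(b, 5)
        && checksum_plain(a, 0) == checksum_flat(a, 0);
}
```

Recognising this dispatcher pattern is useful when triaging a sample; deobfuscation tools reconstruct the original graph by following the constant state assignments between cases.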
EmoCrash: the Emotet Killswitch
In August 2020, security researchers created an exploit and subsequently a killswitch (dubbed EmoCrash) to prevent the Emotet malware from spreading. Emotet has been described as an all-in-one malware that threat actors could program either to download other malware and steal files, or to recruit the compromised systems into the botnet. Known since at least 2014, the malware has been used in various attacks against both private targets and corporate and government networks.
New Malware Loaders Also Emerging
In October 2021, security researchers from Cisco Talos discovered a new malware loader, SquirrelWaffle, that could potentially replace Emotet. “Organizations should be aware of this threat, as it will likely persist across the threat landscape for the foreseeable future,” the researchers said. Since Emotet operations were disrupted by law enforcement, security researchers have been waiting for a new player to rise.
But now there is near-solid evidence that Emotet is making its comeback just in time for Christmas. Will SquirrelWaffle and other new loaders compete with an upgraded Emotet in upcoming phishing campaigns? As a reminder, in 2019 a phishing campaign was detected in the wild targeting home users with Emotet-laced “Christmas Party” menus.