Notorious Emotet malware is making a comeback through Trickbot

9 Dec, 2021

Ten months after an international crackdown put the notorious Emotet malware out of circulation, the malware has surfaced again, according to security analysts at Check Point Research (CPR). The analysts found that another malware family, Trickbot, was being used to spread samples of Emotet.

“Trickbot is facilitating Emotet’s comeback by dropping it on infected victims. This has allowed Emotet to start from a very firm position, and not from scratch. In only two weeks, Emotet emerged as the most popular malware,” Lotem Finkelstein, Head of Threat Intelligence at Check Point Software, said in a statement.

Widely regarded as the world’s most dangerous malware group, the Emotet group used to sublease its infrastructure and software, including backdoors in compromised systems, to third parties and ransomware gangs.

In January 2021, the international law enforcement agencies Europol and Eurojust took down hundreds of servers controlled by the Emotet malware group. Two people were arrested, and all infected systems were redirected to law enforcement-controlled infrastructure. The crackdown was carried out in collaboration with authorities in the Netherlands, Germany, the US, the UK, France, Lithuania, Canada and Ukraine.

Analysts at CPR found that systems infected by Trickbot were spreading Emotet samples by prompting users to download password-protected zip files carrying malicious documents. The detection of Emotet being delivered by Trickbot indicates that the malware has not been completely wiped out and that the group managed to sell part of its attack infrastructure to other threat actors.

“Emotet was the strongest botnet in the history of cybercrime with a rich infection base. Now, Emotet has resold its infection base to other threat actors to spread its malware; and most of the time, it’s been to ransomware gangs,” said Finkelstein.

Finkelstein sees Emotet’s comeback as a major warning sign of yet another surge in ransomware attacks going into 2022. “We should treat Emotet and Trickbot infections like they are ransomware. Otherwise, it is only a matter of time before we have to deal with an actual ransomware attack,” he added.

CPR’s research also found that Trickbot has intensified its attacks over the last year.

The analysts found that India (5%) saw the third-highest share of Trickbot infections in 2021, after Portugal (18%) and the US (14%). In total, 140,000 individuals and organisations across 149 countries were targeted by Trickbot. Government/military (18%), finance/banking (11%), manufacturing (9%) and healthcare (7%) were among the most targeted sectors.

The post-pandemic rush to remote work and the adoption of digital services expanded the attack surface and exposed organisations to all sorts of risks. India has seen its fair share of these attacks: a CrowdStrike survey released this week also shows that India was the country most targeted by ransomware attacks in 2021.