The Emotet Botnet Is Being Used to Deliver Quantum and BlackCat Ransomware

Security researchers at AdvIntel have recently confirmed that the Emotet botnet is currently being used to deliver ransomware payloads, with the operators of the botnet teaming up with the Quantum and BlackCat ransomware operations.

Emotet started life as a banking Trojan and was first detected in 2014. Over the years the malware has received several upgrades that added further capabilities, and the infected devices now form a botnet operated by the Mummy Spider threat group (TA542). Emotet has served as the initial access vector for compromising devices and then delivering several malicious payloads on behalf of multiple cybercriminal threat groups, including the TrickBot Trojan and ransomware payloads such as Ryuk. Mummy Spider uses Emotet to gain initial access to devices, perform reconnaissance, move laterally, and steal sensitive data; other malicious payloads are delivered once the threat group has achieved its initial aims.

Emotet was once the most dangerous and most widely used malware variant in cyberattacks; however, in early 2021, an international law enforcement operation successfully disrupted the Emotet infrastructure. Then followed a period of quiet while the botnet infrastructure was rebuilt, in part using TrickBot to infect devices with Emotet.

The Conti ransomware operation is believed to be behind the resurrection of Emotet, with the developers of the TrickBot Trojan assimilated into the Conti operation. The Conti ransomware-as-a-service operation was dissolved in June 2022, with the group putting its resources into smaller, lower-profile ransomware operations. Since its resurrection, Emotet has exclusively been used by the Conti ransomware operation, but it is now being used to deliver Quantum and BlackCat.

According to AdvIntel, Emotet is used to deploy a Cobalt Strike beacon on infected systems as a secondary payload, which allows the threat actors to move laterally within networks. Once the threat actors have achieved their goals and have compromised a sufficient number of servers and endpoints, the ransomware payload is deployed.

While Emotet activity is now at a fraction of what it was at its height just before the law enforcement takedown, the botnet has been growing. AdvIntel reports that its researchers have identified more than 1.2 million infected systems worldwide, with this year’s peak activity occurring in late February and throughout March. Infection activity then dropped before a resurgence in late May, with infections increasing in June and remaining fairly constant since, albeit at a much lower level than the peak in March.

Prior to the resurgence in June, new capabilities were added to Emotet, including a credit card stealer module that steals credit card information stored in Chrome browsers. There was also a switch to 64-bit modules. The methods used to infect devices with Emotet often change, but currently the primary method is phishing campaigns that use Windows shortcut (.LNK) files, rather than the Microsoft Office files containing malicious macros that were favored in the past. The change is due to Microsoft disabling macros by default in Office documents and spreadsheets delivered via the Internet.
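Because the delivery method described above relies on shortcut files arriving by email, a mail filter can flag them by content rather than by file name. The following is an added example, not code from AdvIntel or from this article; the function names, the ZIP inspection, the size cap, and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Shell Link header (MS-SHLLINK): HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
MAX_MEMBER = 5_000_000  # assumed cap on archive members we will open

def looks_like_lnk(name: str, head: bytes) -> bool:
    # Trust content over the file name: a shortcut can be renamed.
    return head.startswith(LNK_MAGIC) or name.lower().endswith(".lnk")

def find_lnk_attachments(raw: bytes) -> list[str]:
    """Return names of attachments (or ZIP members) that are shortcut files."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if looks_like_lnk(name, data):
            hits.append(name)
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    head = b""
                    readable = not info.flag_bits & 0x1 and info.file_size <= MAX_MEMBER
                    if readable:  # encrypted or oversized members: judge by name only
                        with zf.open(info) as fh:
                            head = fh.read(len(LNK_MAGIC))
                    if looks_like_lnk(info.filename, head):
                        hits.append(f"{name}!{info.filename}")
    return hits

def build_sample() -> bytes:
    """Constructed test message: a renamed shortcut, a ZIP holding one, a text file."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header bytes only, not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Form.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", "hello")
    msg = EmailMessage()
    msg.set_content("See attached.")
    for fname, blob in [("invoice.doc", fake_lnk), ("docs.zip", buf.getvalue()), ("notes.txt", b"plain text")]:
        msg.add_attachment(blob, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    print(find_lnk_attachments(build_sample()))
```

Members of password-protected archives cannot be read, so they are matched on name alone; a gateway may prefer to quarantine such archives outright.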

Emotet still poses a significant threat, although currently at nowhere near the level prior to January 2021, but that could well change. At present, the most widely distributed malware variants in phishing campaigns are Qbot and IcedID.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of