Emotet is back. Here's what we know.

This marks the first time we observed Emotet malware activity after a takedown was announced in January.

Nov 16, 2021

Months after law enforcement agencies took down the notorious Emotet botnet, Intel 471 observed the Trickbot banking trojan downloading and executing what appear to be updated Emotet binaries. This marks the first time we have observed Emotet malware activity since the takedown was announced in January.

Trickbot bots carrying several different gtags (lip125, fat2, top118 and others) received a download-and-execute command.

The distribution URL was:

hxxp://141.94.176.124/Loader_90563_1.dll

The sample hash:

c7574aac7583a5bdc446f813b8e347a768a9f4af858404371eae82ad2d136a01


The sample embeds 20 hard-coded Emotet C2 addresses, each an IP address and port pair.

Our analysis is ongoing, but differences we've discovered so far between this new Emotet sample and the older version are mostly around the communication protocol. New Emotet uses elliptic-curve cryptography (ECC) where the older Emotet favored RSA.

We said back in January that “time will tell if the takedown will have a long-term impact on Emotet operations. The groups who run these botnets are sophisticated and resilient, and will most likely have some sort of inherent recovery in place.” While that recovery took months, the resiliency displayed here shows that the cat-and-mouse game with Emotet’s developers will continue into 2022.

We can’t definitively say if Emotet is back for real or if this is some sort of test, but this shows that the actors that control Emotet’s source code are not done with it yet.

Intel 471 is performing an in-depth analysis of the collected sample and will provide an update when additional information is obtained.