Months after law enforcement agencies took down the notorious Emotet botnet, Intel 471 observed the Trickbot banking trojan downloading and executing possible updated Emotet binaries. This marks the first time we observed Emotet malware activity after the takedown was announced in January.
Bots associated with Trickbot, tagged with several different gtags (lip125, fat2, top118 and others), received a download-and-execute command.
The distribution URL was:
The sample hash:
Embedded Emotet C2 addresses:
Our analysis is ongoing, but differences we've discovered so far between this new Emotet sample and the older version are mostly around the communication protocol. New Emotet uses elliptic-curve cryptography (ECC) where the older Emotet favored RSA.
We said back in January that “time will tell if the takedown will have a long-term impact on Emotet operations. The groups who run these botnets are sophisticated and resilient, and will most likely have some sort of inherent recovery in place.” While that recovery took months, the resiliency displayed here shows that the cat-and-mouse game with Emotet’s developers will continue into 2022.
We can’t definitively say if Emotet is back for real or if this is some sort of test, but this shows that the actors that control Emotet’s source code are not done with it yet.
Intel 471 is performing an in-depth analysis of the collected sample and will provide an update when additional information is obtained.