URL: https://threatpost.com/emotet-resurfaces-trickbot/176362/
Submission: On January 03 via api from US — Scanned from DE

EMOTET RESURFACES ON THE BACK OF TRICKBOT AFTER NEARLY A YEAR

Author: Elizabeth Montalbano
November 16, 2021 8:57 am
4 minute read

Researchers observed what looks like the Emotet botnet – the “world’s most
dangerous malware” – reborn and distributed by the trojan it used to deliver.

Emotet, one of the most prolific and disruptive botnet malware-delivery systems,
appears to be making a comeback after nearly a year of inactivity, researchers
have found.

A team of researchers from Cryptolaemus, G DATA and AdvIntel recently observed
the TrickBot trojan launching what appears to be a new loader for the notorious
malware, they said separately on Twitter and in a blog post.

“We have reason to assume with high confidence that #Emotet is active again and
currently distributed via #Trickbot,” G DATA Advanced Analytics posted on its
Twitter feed.

“2021-11-14: The ‘#Emotet partner ($) loader’ program appears resourcing
from existing #TrickBot infections,” AdvIntel CEO Vitali Kremez also confirmed
via Twitter. “TrickBot launched what appears to be the newer Emotet loader.”

The G DATA blog post, written by the company’s Luca Ebach, gives the most
detailed account of what happened. On Sunday (Nov. 14) at around 9:26 UTC,
several of G DATA’s TrickBot trackers observed the bot attempting to download a
DLL to the infected system, Ebach wrote.

“According to internal processing, these DLLs have been identified as Emotet,”
he wrote.

Because Emotet was largely dismantled earlier this year by an international
law-enforcement effort, the researchers said they were “suspicious about the
findings” and verified the activity further. Having done so, they say with
“high confidence” that “the samples indeed seem to be a reincarnation of the
infamous Emotet,” though further analysis is still under way, Ebach wrote.


EVOLUTION OF A CYBERTHREAT

Emotet started life as a banking trojan in 2014 and has continually evolved into
a full-service threat-delivery mechanism. It can install a range of malware on
victim machines, including information stealers, email harvesters,
self-propagation modules and ransomware; the last of these is currently at
record volume and is the cyber threat that most worries international law
enforcement.

Emotet was last seen at volume in December 2020, ahead of the Christmas
holidays, when it hit 100,000 target mailboxes a day to deliver TrickBot, Qakbot
and Zloader. In October 2020 it targeted volunteers for the Democratic National
Committee (DNC), and in July of that year it had returned from a five-month
hiatus dropping the TrickBot trojan.

In January 2021 a coordinated international law-enforcement takedown of the
hundreds of botnet servers supporting the system appeared to put Emotet out of
commission; the agencies involved said the effort eliminated active infections
on more than 1 million endpoints worldwide.

Now it appears to have resurfaced via its familiar partner-in-crime, TrickBot.
The two have a long history together: usually it was Emotet that used its vast
network to deliver TrickBot as a payload in targeted email phishing campaigns,
but TrickBot has also delivered Emotet samples in the past, which appears to be
the case once more.

The researchers detailed the similarities between earlier Emotet samples and the
one they observed TrickBot dropping on Sunday. One hallmark is the network
traffic: what originates from the sample closely resembles the Emotet behavior
documented previously by Kaspersky Labs, Ebach wrote.

“The URL contains a random resource path and the bot transfers the request
payload in a cookie,” he wrote. “However, the encryption used to hide the data
seems different from what has been observed in the past. Additionally, the
sample now uses HTTPS with a self-signed server certificate to secure the
network traffic.”
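The two request-level hallmarks Ebach lists above, a random resource path and a request payload carried in a cookie, can be turned into a simple traffic heuristic. The detector below is an added example, not G DATA’s or Kaspersky’s tooling: it scores proxy-style HTTP request records on those two features and flags a request only when both are present. The record layout, the field names and the three sample requests are constructed for this example, and the length and entropy thresholds are assumptions to be tuned against real traffic. The third hallmark, HTTPS with a self-signed server certificate, is a TLS-layer check and is not shown here.

```python
"""Heuristic detector for the Emotet-style HTTP beacon described above.

Added example, not the researchers' tooling. Flags a request when its path is
made of random-looking mixed-case tokens AND its Cookie header is a single
long, high-entropy value (an encoded request body rather than a session id).
Record layout, field names, samples and thresholds are all constructed.
"""
import base64
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class HttpRequest:
    method: str
    host: str
    path: str
    cookie: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; about 6.0 for uniformly random base64."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# One path segment of plain letters/digits: no extension, dash or dot.
SEGMENT = re.compile(r"^[A-Za-z0-9]{4,20}$")
# A Cookie header consisting of exactly one name=value pair.
SINGLE_PAIR = re.compile(r"^([A-Za-z0-9_-]+)=([A-Za-z0-9+/=_%-]+)$")


def looks_random_path(path: str) -> bool:
    """True when every segment is a mixed-case alphanumeric token
    (e.g. /vKJWrtuD/KRJbM/) rather than a conventional URL like /api/v2/users/1."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if not segments:
        return False
    for seg in segments:
        if not SEGMENT.match(seg):
            return False
        if not (any(c.isupper() for c in seg) and any(c.islower() for c in seg)):
            return False
    return True


def cookie_carries_payload(cookie: str, min_len: int = 64,
                           min_entropy: float = 4.0) -> bool:
    """True when the Cookie header is one long, high-entropy value (assumed
    thresholds): a transport for an encoded body, not a session cookie."""
    m = SINGLE_PAIR.match(cookie.strip())
    if not m:
        return False  # several pairs or unusual characters: ordinary cookies
    value = m.group(2)
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy


def beacon_reasons(req: HttpRequest) -> List[str]:
    reasons = []
    if looks_random_path(req.path):
        reasons.append("random resource path")
    if cookie_carries_payload(req.cookie):
        reasons.append("payload-sized cookie")
    return reasons


def detect(requests: List[HttpRequest]) -> List[Tuple[HttpRequest, List[str]]]:
    """Return only the requests that show both hallmarks, with the reasons."""
    hits = []
    for req in requests:
        reasons = beacon_reasons(req)
        if len(reasons) == 2:
            hits.append((req, reasons))
    return hits


def constructed_samples() -> List[HttpRequest]:
    """Three made-up requests: one beacon-shaped, two ordinary."""
    # Deterministic stand-in for an encrypted, base64-encoded request body.
    body = (hashlib.sha256(b"a").digest() + hashlib.sha256(b"b").digest()
            + hashlib.sha256(b"c").digest())
    payload = base64.b64encode(body).decode()
    return [
        HttpRequest("GET", "203.0.113.10", "/vKJWrtuD/KRJbM/", f"3dD={payload}"),
        HttpRequest("GET", "threatpost.com",
                    "/wp-content/themes/threatpost-2018/assets/sprite/icons.svg",
                    "PHPSESSID=8f3c2a1d; _ga=GA1.2.1"),
        HttpRequest("POST", "api.example.com", "/api/v2/users/12345",
                    "session=" + "a" * 80),  # long but zero-entropy: not flagged
    ]


if __name__ == "__main__":
    for req, reasons in detect(constructed_samples()):
        print(f"{req.host}{req.path}: {', '.join(reasons)}")
```

Requiring both features keeps ordinary sites out of the alert stream: CDN asset paths fail the segment test and multi-pair session cookies fail the single-pair test, while the zero-entropy cookie in the third sample shows why length alone is not enough. A production version would also correlate the hit with the destination's certificate (self-signed, per the blog post) before raising severity.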

Another “notable characteristic” of earlier Emotet samples was “the heavy use of
control-flow flattening to obfuscate the code,” Ebach noted, and the current
sample also has flattened control flow.
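Control-flow flattening, the obfuscation Ebach refers to, rewrites every branch and loop of a function into a single dispatcher loop driven by a state variable, so a decompiler shows one big switch instead of the original structure. The Emotet sample itself is not reproduced here; the example below is an added, source-level illustration on a made-up routine (a toy rolling checksum), first in readable form and then in the flattened form an obfuscator emits. The state numbers are arbitrary. The trace helper shows the first step of dynamic de-flattening: recording which state follows which at run time recovers the original control-flow edges.

```python
"""Source-level illustration of control-flow flattening (added example, not
Emotet's code). A small made-up checksum routine is shown readable and then
flattened into a dispatcher loop with a state variable; the state constants
are arbitrary. recover_edges() rebuilds the original CFG edges from a trace.
"""
from typing import List, Optional, Set, Tuple

MASK = 0xFFFFFFFF


def checksum_plain(data: bytes) -> int:
    """Readable version: one loop and one branch."""
    acc = 0x1505
    for b in data:
        if b & 1:
            acc = ((acc * 33) ^ b) & MASK
        else:
            acc = (acc + b) & MASK
    return acc


# Each basic block of checksum_plain becomes one case of the dispatcher.
S_HEADER, S_LOAD, S_ODD, S_EVEN, S_LATCH, S_EXIT = (
    0x3A7, 0x0C2, 0x51E, 0x7B4, 0x2D8, 0x9F1)


def checksum_flat(data: bytes, trace: Optional[List[int]] = None) -> int:
    """Flattened version: identical result, but the loop and the if/else no
    longer appear in the syntax; control flow lives in the `state` updates.
    If `trace` is given, every state visited is appended to it."""
    acc, i, b = 0x1505, 0, 0
    state = S_HEADER
    while True:
        if trace is not None:
            trace.append(state)
        if state == S_HEADER:        # loop header: any bytes left?
            state = S_LOAD if i < len(data) else S_EXIT
        elif state == S_LOAD:        # load byte, choose branch
            b = data[i]
            state = S_ODD if b & 1 else S_EVEN
        elif state == S_ODD:         # then-block
            acc = ((acc * 33) ^ b) & MASK
            state = S_LATCH
        elif state == S_EVEN:        # else-block
            acc = (acc + b) & MASK
            state = S_LATCH
        elif state == S_LATCH:       # loop latch
            i += 1
            state = S_HEADER
        elif state == S_EXIT:
            return acc
        else:
            raise RuntimeError(f"unknown state {state:#x}")


def recover_edges(trace: List[int]) -> Set[Tuple[int, int]]:
    """Control-flow edges observed in one execution of the flattened code:
    the raw material for rebuilding the original graph."""
    return set(zip(trace, trace[1:]))


if __name__ == "__main__":
    sample = b"\x01\x02"
    visited: List[int] = []
    assert checksum_plain(sample) == checksum_flat(sample, visited)
    for src, dst in sorted(recover_edges(visited)):
        print(f"{src:#05x} -> {dst:#05x}")
```

In a compiled sample the state variable is usually a stack slot or register compared against opaque constants at the top of a loop, which is why the shape survives recompilation and why, as Shank notes later in the article, older signatures keyed on it can still match. The same trace-and-recover approach is what de-flattening tools automate over real execution traces.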


PHISHING ONSLAUGHT AHEAD?

The news is unwelcome to security professionals who, while unsurprised by
Emotet’s resurfacing, are well familiar with the disruption it can wreak at full
strength.

“Emotet was once the ‘world’s most dangerous malware,’” noted James Shank,
senior security evangelist and chief architect of community service at security
firm Team Cymru, in an email to Threatpost. However, it will be some time before
the latest version is capable of a similar level of havoc, he added.

Shank said it’s too soon to tell from the sample disclosed by researchers what
this new version of Emotet will look like, though there does appear to be code
overlap between the old version and the latest. “Old signatures written to
detect the first version of Emotet also detect this variant, in some cases,” he
said.

Fortunately, as the botnet will need some time to gain strength, organizations
still have some breathing room to shore up defenses, noted another security
professional.

“It will take some time to build up to its previous size,” Eric Kron, security
awareness advocate at security firm KnowBe4, wrote in an email to Threatpost.
“Unfortunately, we can expect to see these infected devices used to increase the
spread of ransomware, which is already out of control.”

Organizations can already get ahead of the threat by focusing on training their
workforces about the dangers of email threats as well as shoring up network
monitoring, since Emotet spreads infections predominantly through phishing
campaigns, Kron said.

“Wise organizations will engage users in security awareness training and
simulated testing campaigns in an effort to help them hone their skills at
spotting and reporting phishing emails,” he said. “In addition, tracking newly
discovered command and control servers, alerting on and blocking traffic to
them, can reduce the risk of infection greatly.”

Copyright © 2022 Threatpost