Emotet is back and installing TrickBot trojan, researcher warns

The latest Emotet spam campaign is targeting people in the UK and the US

After months of inactivity, the Emotet malware has sprung back to life and has started installing the TrickBot trojan on infected Windows computers.

That's according to Binary Defense researcher James Quinn, who said on Monday that he had observed Emotet activity once again.

Last week, researchers at security firm Proofpoint had confirmed that the Emotet botnet had returned, with a fresh spam campaign targeting people in the UK and the US. The researchers had detected nearly 30,000 spam emails associated with the Emotet botnet.

Researchers at other cyber security firms, including Cryptolaemus, Microsoft, Malwarebytes and Spamhaus, also confirmed Emotet's comeback.

Emotet's spam messages usually masquerade as invoices, payment reports, job opportunities and other information likely to matter to the recipient. Once a user opens the malicious attached document, the Emotet trojan is downloaded onto the system.

"Emotet is a highly effective malware that is capable of downloading and installing a range of additional malware that often steal information, send malicious email, and spread across networks using infected devices to launch future attacks," said Sherrod DeGrippo, Proofpoint's senior director of threat research.

"Its infrastructure is test- and metric-driven and is built to scale depending on what's working."

TrickBot is an advanced strain of malware that commonly targets enterprise networks; it downloads multiple modules to perform various malicious activities on the infected system.

In many cases, Emotet also downloads the TrickBot trojan, which is designed to steal sensitive documents, login credentials and more from the infected system.

TrickBot's operators sometimes also collaborate with the Ryuk ransomware actors to encrypt the entire network, when the network is thought to be of high value.

Due to its close links with ransomware groups, some countries - such as the Netherlands and Germany - treat Emotet with the same level of urgency as a ransomware attack. Organisations in which an Emotet-infected host is found are asked to isolate the infected system to prevent the malware from infecting the entire network.

In January, security researchers said that they had uncovered a new Emotet campaign that used a spam email template to demand $50 from potential targets.

The phishing emails sent by Emotet operators falsely told recipients that their machines had been hacked and asked them to open an attached document if they wanted to rescue their data.

In April, researchers at cyber security firm MalwareTech said that the threat actors behind the Emotet botnet had completely redesigned their malware and some of its modules, equipping it with enhanced capabilities for evading anti-malware tools.