My account

Emotet Botnet Comes Back From Summer Vacation

Delaware, USA – August 27, 2019 – Emotet botnet like a relic monster of cyberspace has woken up and is preparing to strike a new blow. Earlier this year, the known command-and-control infrastructure of the botnet disappeared from researchers’ radars, presumably for maintenance and modification. As expected, this did not last too long, and on August 21, Cofence Labs uncovered that attackers’ servers are alive and respond to POST requests. Discovered servers are located around the world, including the United States, European countries, and Australia. The list of existing servers is tracked by BlackLotus Labs, you can find it on GitHub: https://github.com/blacklotuslabs/Research/blob/master/Emotet_Active_C2_08_22_19.txt#L7

Security researchers note that Emotet botnet does not yet distribute malware, and its creators need to conduct a series of tests and preparations to spam campaigns, as well as remove bots of security firms from the infrastructure. This will not take much time, and new attacks may occur in the coming days. This year, Emotet botnet has been used repeatedly in massive ransomware attacks on organizations and government agencies. Botnet operators install TrickBot trojan on previously infected systems, and then ransomware gang determines high-value targets and pushes Ryuk ransomware. Emotet’s services are also used by MegaCortex ransomware operators, who have done a serious job over the summer, preparing for major attacks.

Content available on Threat Detection Marketplace to detect the malware:

Emotet Trojan detector (Sysmon) – https://tdm.socprime.com/tdm/info/1279/
TrickBot Malware Detector (Sysmon Behavior) (July 2019) – https://tdm.socprime.com/tdm/info/2335/
Trickbot Execution – https://tdm.socprime.com/tdm/info/2207/
Ryuk Ransomware (Sysmon) – https://tdm.socprime.com/tdm/info/1379/
Ryuk Ransomware – https://tdm.socprime.com/tdm/info/2355/
Ryuk Ransomware Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/2298/
megacortex malware detector (sysmon behavior) – https://tdm.socprime.com/tdm/info/2266/

Related Posts