Emotet Growing Slowly But Steadily since November Resurgence
The notorious Emotet botnet is still being distributed steadily in the wild, having now infected 130,000 systems in 179 countries.
While this may be a far cry from the once global dominance of having 1.6 million devices under its control, it shows that the malware is still undergoing a resurgence, and it’s getting stronger every day.
Emotet activity stopped in 2019 while its second major version was in circulation, and the malware returned only in November 2021, with the help of Trickbot.
A few days later, it became evident that the revival was orchestrated by the Conti ransomware gang, who use it to gain initial access to corporate networks.
Apart from the initial infection, Emotet continued to skip dropping TrickBot as a payload and went straight to dropping the Cobalt Strike pentesting tool for quick remote access to networks.
Tracking the Emotet botnet
Threat analysts at Black Lotus labs have decided to take a deeper dive into Emotet’s “Epoch 3” to identify new features and map its current distribution patterns.
As you can see below, the Emotet botnet started to slowly recreate itself in November, seeing far greater distribution via phishing campaigns beginning in January 2022.
The new Emotet campaign also includes features like a new elliptic curve cryptography (ECC) scheme that replaces the RSA encryption used for network traffic protection and validation.
Moreover, the new version deploys a process list module only after the connection with the C2 has been established.
Additionally, the malware authors have now added more info-gathering capabilities for better system profiling, whereas previously, Emotet would only send back a list of running processes.
Slow and steady restructuring
Black Lotus reports that there are currently 200 unique C2s supporting Emotet’s resurgence, with the number growing slowly but steadily. The average number of days of activity for C2s is presently 29.
Like in previous epochs, most of Emotet’s C2 infrastructure is located in the United States and Germany, followed by France, Brazil, Thailand, Singapore, Indonesia, Canada, the UK, and India.
In terms of bot distribution, the focus is Japan, India, Indonesia, Thailand, South Africa, Mexico, United States, China, Brazil, and Italy.
The threat analysts believe that the reason for the first three countries topping this list is the number of outdated and thus vulnerable Windows machines in the region.
As Bleeping Computer reported in December, Emotet exploited a Windows AppX Installer spoofing vulnerability to install apps on the host directly from a remote source.
Microsoft addressed the problem, tracked as CVE-2021-43890, with December 2021 Path Tuesday, but due to slow upgrade uptick vs. the projected benefits of keeping the abused MSIX handler, the software giant decided to simply disable it.
Still, pirated Windows copies that have purposefully severed their connectivity to Microsoft update servers remain vulnerable to malware attacks like Emotet’s.