The notorious Emotet botnet makes a comeback with the help of TrickBot malware
Emotet is a very mature botnet. Its danger lies in the fact that the groups behind it often sell access to infected devices to other hackers.
For example, some hackers buy infected devices to install ransomware, some use them for phishing to steal corporate information, and some use them to launch cyber attacks.
Europol calls the Emotet botnet the most dangerous malware in the world; its main infrastructure was dismantled by a joint law enforcement operation at the beginning of the year.
But 10 months after it disappeared, Emotet is now making a comeback with the help of the TrickBot malware, and researchers are paying close attention to its development.
In that joint law enforcement operation at the beginning of the year, Europol successfully dismantled the botnet's main infrastructure, including its main command servers, all of which were taken offline.
In April, through the efforts of law enforcement agencies, devices infected by Emotet were sent a control command that automatically uninstalled the malware, with the aim of eradicating it at the root.
Now some researchers have discovered that Emotet appears to have joined forces with TrickBot, and TrickBot is helping Emotet re-infect devices through its own malware.
TrickBot is itself notorious malware. Researchers found that TrickBot is distributing a new version of Emotet, and the new variant uses DLL files for infection.
The first deployment that could be detected was on November 14. It is currently impossible to determine how many devices have been infected, but researchers are closely monitoring the development of the Emotet variant.
The Emotet botnet acts more like a distribution portal for other malicious software: Emotet forms a huge botnet by controlling a large number of infected devices, and these devices are then sold to other hackers for targeted use.
Usually, after a device is infected by Emotet, various other malware follows, including but not limited to ransomware, so the harm to enterprises remains very high.
Previously, ransomware operators used this botnet to infect a large number of companies, and TrickBot, QakBot, and Ryuk were also distributed through Emotet.
Enterprise IT administrators can consult this list to block Emotet-related IP addresses. Blocking the related domain names and IP addresses will help improve corporate network security.
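The blocking advice above is easy to state but tedious to apply by hand. The following added example (not part of the original article, and not the published Emotet blocklist) shows how a defender can turn an indicator list of IPs, CIDR ranges and domains into something actionable: it parses the list, checks proxy and DNS log lines against it (matching subdomains of listed domains as well), and renders iptables DROP rules for the listed networks. The indicator values, the log format and the log lines are all constructed placeholders using reserved documentation addresses and example domains; the `OUTPUT` chain and the iptables/ip6tables rule form are assumptions about the target firewall.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed placeholder indicator list standing in for the published
# Emotet blocklist the article refers to. These are RFC 5737 documentation
# addresses and an example domain, NOT real Emotet infrastructure.
BLOCKLIST_TEXT = """
# one IP, CIDR range or domain per line; '#' starts a comment
192.0.2.45
198.51.100.0/24
c2-placeholder.example
"""


@dataclass
class Blocklist:
    networks: list = field(default_factory=list)  # ipaddress network objects
    domains: set = field(default_factory=set)     # lower-case domain names


def parse_blocklist(text):
    """Split a mixed IP/CIDR/domain indicator list into networks and domains."""
    bl = Blocklist()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # single IPs become /32 (or /128) networks, so one check covers both
            bl.networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bl.domains.add(line.lower().rstrip("."))
    return bl


def ip_blocked(bl, ip):
    """True if the address falls inside any listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in bl.networks)


def domain_blocked(bl, name):
    """True if the name is a listed domain or a subdomain of one."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in bl.domains for i in range(len(parts)))


# Constructed sample log lines in an assumed format: proxy events carry the
# destination IP, DNS events carry the queried name.
SAMPLE_LOGS = [
    "2021-11-15T10:01:02Z proxy src=10.0.0.12 dst=192.0.2.45",
    "2021-11-15T10:01:05Z dns src=10.0.0.12 query=mail.c2-placeholder.example",
    "2021-11-15T10:02:10Z proxy src=10.0.0.17 dst=203.0.113.9",
    "2021-11-15T10:02:11Z dns src=10.0.0.17 query=update.example.org",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>proxy|dns) src=(?P<src>\S+) "
    r"(?:dst=(?P<dst>\S+)|query=(?P<query>\S+))$"
)


def scan_logs(bl, lines):
    """Return (timestamp, internal source, matched indicator) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently match
        dst, query = m.group("dst"), m.group("query")
        if dst and ip_blocked(bl, dst):
            hits.append((m.group("ts"), m.group("src"), dst))
        elif query and domain_blocked(bl, query):
            hits.append((m.group("ts"), m.group("src"), query))
    return hits


def firewall_rules(bl, chain="OUTPUT"):
    """Render iptables/ip6tables DROP rules for every listed network (assumed chain)."""
    rules = []
    for net in bl.networks:
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A {chain} -d {net.with_prefixlen} -j DROP")
    return rules


if __name__ == "__main__":
    blocklist = parse_blocklist(BLOCKLIST_TEXT)
    for ts, src, indicator in scan_logs(blocklist, SAMPLE_LOGS):
        print(f"{ts} host {src} contacted listed indicator {indicator}")
    print("\n".join(firewall_rules(blocklist)))
```

Internal hosts that show up in the scan output are the ones to triage for a possible Emotet infection; the generated rules only stop future connections, they do not clean the machine. Egress blocking by IP is brittle because botnet infrastructure rotates, so the domain check against DNS logs is the part worth wiring into a recurring job as the indicator list is refreshed.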
Via: thehackernews