Commentary On The Return Of Emotet

Business Data Breach

ISBuzz Staff


AT&T Alien Labs™ researchers have discovered new malware "targeting millions of routers and IoT devices with more than 30 exploits." The malware, dubbed BotenaGo, contains 30+ exploits designed to infect millions of routers and IoT devices. BotenaGo was written in Golang (aka Go), an open-source language designed at Google in 2007. As of publication, BotenaGo has a low antivirus (AV) detection rate, with only 6 of 62 AV engines on VirusTotal flagging the sample as malicious.

Targeted devices include a wide variety of routers, modems, and NAS devices from multiple vendor lines, including: DrayTek, D-Link, NetGear, GPON, Linksys, XiongMai, Comtrend, Guangzhou, TOTOLINK, Tenda, ZyXEL (NAS) and ZTE.

| November 17, 2021

Saryu Nayyar, CEO, Gurucul

It seems to be hard to tell your malware without a scorecard these days. Systems infected with Trickbot are incorporating a loader for the Emotet malware on infected devices. Emotet delivers both spam and other malware on those devices.

Emotet is one of the most popular forms of malware in the past, and clearly still has some staying power. While it is readily identifiable, the combination of Trickbot with Emotet is a combination that still has the ability to infect systems that aren’t well protected. Enterprises have to continue to be on the alert for malware that is delivered by known bad actors in order to combat its effects.


| November 17, 2021

Jen Ellis, Vice President of Community and Public Affairs

It’s not particularly surprising to see Emotet reappear as efforts to take down attacker groups, platforms, fora, or tools are always going to be something of a game of Whac-a-mole – you take one down and another appears, or in this case, the first one reappears. That doesn’t mean it isn’t worth doing though. Law enforcement and security researchers understand this won’t eradicate cybercrime, but it does make business more expensive and difficult for attackers, which in turn makes this kind of occupation slightly less appealing. Any way we can increase the friction and cost for the attackers is a good thing. Not having the Emotet platform has obviously been disruptive enough for the attackers to decide to invest time and effort into rebuilding it. I call that a win for defenders in an ongoing conflict where too often the odds are stacked against them.

From the information available, it seems that even though they are still in the early stages of rebuilding their network, Emotet is already sending out spam. This seems to indicate that we can expect to see Emotet’s controllers resuming operations very much as they did before the takedown in January. Since then though, we have seen law enforcement and the private sector work more closely together on other unified actions to deter and disrupt attacker groups. They will be watching this development closely and I suspect they will already be considering potential actions to stop Emotet returning to the supremacy it once enjoyed.

In the meantime, it’s business as usual for security professionals. The name Emotet may strike fear in their hearts, but the reality is they are under attack every day and all the same measures needed to defend against those attacks are the same for Emotet. Timely patching, effective identity and access management strategies, network segmentation, regular offline backups, email filtering, and user awareness are all core components of a defense-in-depth and business resilience strategy.


| November 17, 2021

Felipe Duarte, Security Researcher, Appgate

This new Emotet malware reveals that its botnet is being rebuilt from scratch, using TrickBot’s existing infrastructure. Compared with its previous variants, it now contains 3 or 4 more commands that correspond to execution options for downloaded binaries.

It’s not clear if this new version is developed by the same threat actors as before, or if it’s the work of another gang with access to the source code. Takedowns like these against Emotet, TrickBot, and Ransomware operations are effective, but it’s very hard to arrest or retire all the involved members. Their remaining threat actors usually rebrand themselves and/or re-use their infrastructures and malware source codes to continue to pursue their objectives. Also, the malware binaries and source codes are still in the wild, so it’s very common for other cybercrime groups to compile their own version adapted to their purposes.

As with any botnet, it can spread very fast in generic e-mail or phishing campaigns, but to infect as many targets as the original Emotet is very hard, so even if the same threat actors are behind it, it’s going to take time for them to get near the number of targets they had before. Besides, Emotet is a known threat, and most of its techniques and capabilities are already studied. Maintaining a botnet is easier than expanding it, as security solutions evolve and get better at detecting the infections.

IT managers and cybersecurity teams need to manage this new Emotet version as any other malware threat, deploying reasonable security measures and training employees against social engineering attacks like e-mails and phishing.

It’s important to notice that those new capabilities show the actors are focusing on executing other malware along with Emotet. Botnets like Trickbot are often used to spread and move laterally into a network, and even deploy Ransomware.

Adopting a Zero Trust model is important for any organization that wants to be protected against Emotet or any other botnet/ransomware threat. By assuming all connections can be compromised and segmenting your network, you can limit the affected systems and the threat actions to a single perimeter and increase the chance of detecting malicious behaviors inside your network.


| November 17, 2021

Callum Roxan, Head of Threat Intelligence, F-Secure

Emotet’s re-emergence is a notable event due to the prevalence of this malware family historically. There are indications that Emotet was initially being deployed by TrickBot and has since started sending out phishing emails as well. The emails seem to contain malicious Word, Excel and Zip files that deploy Emotet on the victim host.

The questions IT teams need to be asking have not changed, but the level of risk due to the frequency of threats may see an uptick as this malware family builds up its operations once again. We live in a world where the threat will remain ever present, this event does not change that, but it does highlight the need for continued vigilance and investment in building resilience to cyber threats for all organizations.
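The comment above describes the delivery vehicle: Word, Excel and Zip attachments. As an added example (not code from the original page, nor from F-Secure or any other vendor named here), the script below shows the kind of attachment triage an e-mail gateway or IR analyst can run: it parses a message, flags legacy OLE documents, flags OOXML documents that carry a VBA project, and looks one level inside Zip archives so a document wrapped in a .zip is still seen. The sample message, sender addresses and file names are constructed inline for the demonstration.

```python
"""Attachment triage for Office/Zip lures (added example, not from the page).

Constructed sample data only; the message built in build_sample_message() is
synthetic and the addresses use the reserved .invalid TLD.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Compound File Binary header used by legacy .doc/.xls/.ppt containers
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Local-file header that starts every Zip-based container (docx/xlsx/zip)
ZIP_MAGIC = b"PK\x03\x04"
# Parts that only exist inside an OOXML document when it carries VBA macros
OOXML_MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin")
# Parts that identify an OOXML Word/Excel document at all
OOXML_MARKERS = ("word/document.xml", "xl/workbook.xml")
MAX_MEMBER_BYTES = 10_000_000  # refuse to inflate oversized archive members


def classify_blob(name, data, depth=0):
    """Return [(name, verdict), ...] for one attachment body.

    Plain Zip archives are opened one level deep so that a document nested
    inside a .zip lure is classified under 'archive.zip/member' naming.
    """
    findings = []
    if data.startswith(OLE_MAGIC):
        findings.append((name, "legacy Office (OLE) document - may contain VBA macros"))
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                if any(p in names for p in OOXML_MACRO_PARTS):
                    findings.append((name, "OOXML document with VBA project (macro-enabled)"))
                elif any(m in names for m in OOXML_MARKERS):
                    findings.append((name, "OOXML document without macros"))
                elif depth == 0:
                    # Ordinary archive: inspect each member, one level only
                    for member in zf.infolist():
                        member_name = f"{name}/{member.filename}"
                        if member.file_size > MAX_MEMBER_BYTES:
                            findings.append((member_name, "oversized member skipped"))
                            continue
                        findings.extend(classify_blob(member_name, zf.read(member), depth + 1))
                    if not findings:
                        findings.append((name, "zip archive with no Office documents"))
        except zipfile.BadZipFile:
            findings.append((name, "malformed zip container"))
    return findings


def triage_message(raw_bytes):
    """Parse an RFC 5322 message and classify every attachment part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        findings.extend(classify_blob(name, payload))
    return findings


def _make_ooxml(kind, with_macro):
    """Build a minimal constructed OOXML container ('docx' or 'xlsx')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml" if kind == "docx" else "xl/workbook.xml", "<x/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin" if kind == "docx" else "xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message():
    """Constructed sample: one OLE .doc, one macro .xlsm, one .zip wrapping a .docm, one PDF."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.invalid"  # constructed address
    msg["To"] = "ap@example.invalid"          # constructed address
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(OLE_MAGIC + b"\x00" * 64, maintype="application",
                       subtype="msword", filename="invoice.doc")
    msg.add_attachment(_make_ooxml("xlsx", True), maintype="application",
                       subtype="octet-stream", filename="sheet.xlsm")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("report.docm", _make_ooxml("docx", True))
    msg.add_attachment(inner.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="note.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, verdict in triage_message(build_sample_message()):
        print(f"{attachment}: {verdict}")
```

The magic-byte checks deliberately ignore the filename extension, since a .docm renamed to .zip or .dat still opens in Office; the one-level recursion is a bounded compromise between catching the common zip-wrapped lure and avoiding decompression bombs, which is why the member size cap is there.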


| November 17, 2021

Garret F. Grajek, CEO, YouAttest

Device attacks are the most common way into an enterprise. By compromising an end user’s device, mobile or desktop, it provides a means for the hackers to inject payloads that can continue the cyber kill chain. From there the hackers can enumerate the environment, escalate their privileges and conduct lateral movement across the enterprise in their effort to find and exploit valuable enterprise resources.

To combat these efforts – enterprises must, of course, deploy all latest patches on these systems exposed to the attackers. But given the quantity of zero-day attacks, enterprises must assume the attackers will pass the exterior and begin their attacks past the “front gates”. This is where zero trust comes in. Enterprises must ensure that each node of the enterprise is evaluating the identity and trust of the requesting resource. Identities must be evaluated for privilege and changes in privileges to ensure security of the enterprise.



| November 17, 2021

Doug Britton, CEO, Haystack Solutions

Emotet is a pervasive piece of malware and indicative of the recycling and evolution in malware delivery techniques. It is very interesting to see this in an early inning in the restructuring and rebuilding of Emotet and its bot-spamming infrastructure. It is promising to hear that researchers have proactively identified this. Cyber professionals are critical in the fight against the persistent threat of evolving malware. As we can see, bad actors are developing the pipes to deliver malware on a massive scale.

Investing in a cyber team is critical to building defenses that are nimble and agile enough to go off-script when hackers change tack. We have the tools and technology to find this talent regardless of background or experience. We need to continue to invest in the next generation of cyber professionals to ensure we remain in front of threats like Emotet.

