2021-11-17

Emotet used spam campaigns and malicious attachments to distribute the malware.

The Emotet malware, which was taken down by a major international police operation earlier this year, is back.


Emotet used spam campaigns and malicious attachments to distribute the malware. Once a device was compromised, it would install payloads which would then be leased out to threat actors to deploy ransomware.

Researchers from Cryptolaemus, G Data and AdvIntel have observed that the Trickbot malware botnet is being used to install Emotet on infected Windows systems.

“On Sunday, November 14, at around 9:26 pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet,” G Data said in a blog post.

After initial analysis, G Data concluded that the sample closely resembles Emotet's previous activity: the URL contains a resource path, and the bot transfers the request payload in the cookie.

However, Emotet is now using a different encryption technique from the one it used in the past. It also uses HTTPS with a self-signed server certificate (a certificate signed with the operator's own private key rather than issued by a certificate authority) to secure the network traffic.
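The two traffic traits described above (a request payload carried in the Cookie header, and HTTPS served behind a self-signed certificate) can be combined into a simple triage heuristic for proxy or TLS-inspection logs. The following is an added example, not code from G Data or the other researchers cited; the log layout, sample entries and thresholds are all constructed assumptions.

```python
import base64
import math
from typing import List, Tuple

# Constructed proxy-log entries (not real Emotet telemetry):
# (method, URL path, Cookie header, True if the server cert chained to a trusted CA)
SAMPLE_LOG: List[Tuple[str, str, str, bool]] = [
    ("GET", "/news/index.html", "sid=a8f3k2; theme=dark", True),
    # Long, high-entropy cookie value plus a self-signed cert: the pattern the report describes
    ("POST", "/Ffrz/SVqrnPmdf/", "pNwT=" + base64.b64encode(bytes(range(256)) * 2).decode(), False),
    # Long but low-entropy cookie on a trusted cert: should not fire
    ("POST", "/api/login", "csrftoken=" + "x" * 300, True),
    # Self-signed cert but no cookie payload at all: should not fire on its own
    ("GET", "/", "", False),
]

MIN_LEN = 200        # assumed: benign session cookies are usually far shorter
MIN_ENTROPY = 4.5    # assumed: bits/char; encoded binary payloads sit near 6.0 for base64

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def cookie_values(cookie_header: str) -> List[str]:
    """Split a Cookie header into its values, dropping the cookie names."""
    values = []
    for part in cookie_header.split(";"):
        _name, _, value = part.strip().partition("=")
        if value:
            values.append(value)
    return values

def is_suspicious(method: str, path: str, cookie: str, cert_trusted: bool) -> bool:
    """Both traits must hold: untrusted (self-signed) cert AND a cookie value that looks like an encoded payload."""
    if cert_trusted:
        return False
    return any(len(v) >= MIN_LEN and shannon_entropy(v) >= MIN_ENTROPY for v in cookie_values(cookie))

def flag_requests(log: List[Tuple[str, str, str, bool]]) -> List[str]:
    """Return 'METHOD path' for every entry that matches the heuristic."""
    return [f"{m} {p}" for (m, p, c, t) in log if is_suspicious(m, p, c, t)]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

A hit is a triage lead, not a verdict: confirm by pulling the full request and the certificate chain from the proxy before acting on it.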

“As per the famous duck-typing, we conclude so far: smells like Emotet, looks like Emotet, behaves like Emotet - seems to be Emotet,” G Data said.

Cryptolaemus, InQuest and AdvIntel also confirmed that Emotet is back. Cryptolaemus said on its Twitter account that Emotet is using URL-based lures for document downloads.

Do not click on suspicious links, and apply security patches to your systems as soon as they are released, to keep your devices from falling prey to malware.