- Home >
- Services >
- Access to Knowledge >
- Trend Monitor >
- Type of Threat or Opportunity >
- Trend snippet: The return of Emotet malware in 2021
Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic, the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
visible on larger screens only
Please expand your browser window.
Or enjoy this interactive application on your desktop or laptop.
The return of Emotet malware in 2021
On November 14th, Emotet officially rose from the dead, as live samples were observed for the first time since its takedown. Emotet’s resurrection came from a surprising source: TrickBot’s botnet was used to drop Emotet’s samples on machines infected with the TrickBot malware. The very next day, Emotet returned to its signature method of distribution, with massive spam campaigns delivering the Trojan via malicious document attachments. To rebuild their network, Emotet operators chose to drop their spam bot on successfully infected machines, a method that enabled them to distribute the malware to even more potential targets.
TrickBot’s service as a dropper was a natural choice for Emotet’s revival, thanks to their rich history of collaboration. In fact, this might suggest that at least some of its old malware partners are also involved in its resurrection. TrickBot itself was briefly taken down in 2020, and yet it persisted and was featured in the Top Malware families rankings of May, June and September 2021. During the last year, Check Point Research spotted over 140,000 TrickBot victims worldwide, involving over 200 campaigns and thousands of compromised networks. This huge installation base makes TrickBot the perfect platform to re-launch Emotet’s new botnet.
Emotet itself came back even stronger with some new additions to its toolbox. The upgraded variant uses Elliptic curve cryptography as opposed to RSA cryptography, improved its control-flow flattening techniques, and added to its initial delivery methods the use of malicious Windows App installer packages that impersonate legitimate software. In addition, researchers found that Emotet is now dropping Cobalt Strike beacons directly for the first time, instead of intermediate malware families which in turn would drop Cobalt Strike beacons after some time. Cobalt Strike has been the cornerstone of targeted ransomware attacks in previous years, and this unfortunate development means that the duration from initial Emotet infection to a full blown ransomware attack just got even shorter, leaving the defenders with far less time to respond to an ongoing attack.
Since its return, Check Point Research observed that the volume of Emotet’s activity was at least 50% of the level we saw in January 2021, right before the takedown. This rising trend continued throughout December with several end-of-the-year campaigns, and is expected to continue well into 2022, at least until the next takedown attempt.