reports that threat actors have been delivering an Emotet loader through the TrickBot malware as part of "Operation Reacharound," following the disruption of Emotet by law enforcement authorities earlier this year, according to researchers from Cryptolaemus, GData and Advanced Intel.
Emotet has not yet been observed conducting spamming activity, likely because the botnet's infrastructure is being reconstructed from scratch, said Cryptolaemus researcher Joseph Roosen.
Cryptolaemus also identified changes in the new Emotet loader compared with older variants. "So far we can definitely confirm that the command buffer has changed. There are now 7 commands instead of 3-4. Seems to be various execution options for downloaded binaries (since it's not just DLLs)," the researchers said.
Meanwhile, the reemergence of Emotet may prompt increased ransomware infections, warned Advanced Intel's Vitali Kremez.
"It is an early sign of the possible impending Emotet malware activity fueling major ransomware operations globally given the shortage of the commodity loader ecosystem. It also tells us that the Emotet takedown did not prevent the adversaries from obtaining the malware builder and setting up the backend system bringing it back to life," Kremez said.