Emotet botnet grows slowly but has already infected over 130,000 machines

The Emotet botnet, which resumed activity at the end of 2021, is growing and continues to develop, albeit slowly. So far it has infected more than 130,000 devices in 179 countries, according to researchers.

Let me remind you that in January last year, Europol, the FBI and law enforcement agencies from many countries, including Canada, the Netherlands, France, Germany, Lithuania, the UK and Ukraine, conducted a large-scale coordinated operation to take down Emotet. Preparation for the operation took two years. Law enforcement seized control of the botnet's infrastructure and disrupted its operation: the criminals lost the ability to control the compromised machines, and the malware stopped spreading to new targets.

However, at the end of 2021, ten months after that operation, researchers again observed Emotet activity. It turned out that another well-known botnet, TrickBot, had helped the Emotet operators get back on their feet by installing Emotet on systems TrickBot had already infected. It soon became apparent that the Conti group was behind Emotet's comeback.

Analysts at Black Lotus Labs took a closer look at this new round of Emotet development. As the chart below shows, the botnet began slowly rebuilding itself in November last year and has grown much faster since January 2022, thanks to phishing campaigns.

[Chart: Emotet botnet growth since November 2021]

This Emotet campaign also has some new features, such as a new elliptic curve cryptography scheme that replaces the RSA encryption used previously. In the new version, the process-list module is deployed only after a connection to the command-and-control server has been established. The malware authors have also added more capabilities for collecting information and profiling the infected system.


Black Lotus Labs reports that around 200 unique command-and-control servers currently support the Emotet resurgence, and the number is steadily growing. The average lifetime of a single server is 29 days.

As in previous campaigns, most of Emotet's infrastructure is located in the US and Germany, followed by France, Brazil, Thailand, Singapore, Indonesia, Canada, the UK and India.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
