One of the most active botnets of 2019, Emotet, showed almost no "signs…
Members of Cryptolaemus, a group of independent researchers who have closely monitored the botnet for several years and tried to counter it, were the first to notice the changes.
“It is not yet clear what exactly QakBot is delivering to infected systems, but it is already known that this may lead to some users becoming victims of ransomware, in particular the ProLock ransomware,” write Cryptolaemus researchers.
Experts write that TrickBot has disappeared completely and that the payload has been replaced by QakBot in all Emotet “epochs”: Epoch 1, Epoch 2 and Epoch 3.
Let me remind you that researchers use this term for the separate clusters of the botnet's infrastructure: each epoch has its own command-and-control servers and uses its own distribution methods and payloads.
BleepingComputer reports that security researchers have already analyzed the new payload in the Any.Run sandbox. The results of the analysis are available here, and the addresses of the command-and-control servers can be found here.
Additional analysis by Intel 471 showed that QBot (another name for QakBot) uses the string “partner01” as the campaign ID for this campaign.
According to the experts, this indicates a close relationship between Emotet and the developers of QakBot.
“Emotet Update – We are detecting QBot being dropped by Emotet infections on all epochs instead of Trickbot gtag Mor today. @Intel471Inc identified the campaign_id on this QBot as “partner01” which is interesting because in the past we have seen the hhh series,” write Cryptolaemus representatives on Twitter.
However, Cryptolaemus analysts note that Emotet's payloads have changed before, and the original Emotet-TrickBot tandem will most likely return to service soon. The researchers call TrickBot and QakBot Emotet's preferred partners, since all three groups belong to the same Russian-speaking community and have a long history of cooperation with each other.
Let me remind you that Check Point researchers named Emotet the most active botnet of 2019.