Announcement of 17 November 2021

Emotet is back

Following the coordinated takedown by law enforcement agencies in January 2021, new variants of the Emotet malware have now been spotted for the first time, as a recent analysis by G DATA shows. Emotet has been an all-purpose cybercrime weapon for years.

Emotet is considered one of the most dangerous malware families because it serves as a bridgehead for cyberattacks on companies of all sizes. In the past, the initial infection was often followed by an extortion attempt against the affected company using ransomware (an encryption Trojan).


The internationally coordinated takedown of Emotet has been effective for many months and has saved many victims from harm. We congratulate all the authorities involved for this. Nevertheless, our current analyses show that Emotet has now returned - as shown by manual analysis of current malware samples.

Dr. Tilman Frosch

Managing Director of G DATA Advanced Analytics

The new Emotet sample stands out due to several technical similarities to the original malware: a comparison of the code shows similar structures. There are also differences, however. Network traffic is still encrypted, but unlike the previously known Emotet variants, the new variant uses HTTPS with a self-signed certificate.

So far, no significant spam activity has been noticed in connection with Emotet. According to current findings, the new variant is being distributed through the infrastructure of the Trickbot malware; Emotet's own botnet was apparently permanently dismantled during the takedown. G DATA customers are protected against the new Emotet variants.

UPDATE: The first spam activity has started. Emotet is currently being distributed as *.docm and *.xlsm documents and as password-protected ZIP attachments.
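The two delivery vectors named in the update, macro-enabled Office documents and password-protected ZIP attachments, can be flagged at the mail gateway before anything is opened. The Python below is an added example, not G DATA code and not derived from any Emotet sample: it builds constructed fixtures in memory (no real malware) and runs the two checks a triage script would apply, whether an OOXML container carries a vbaProject.bin part (a content check, so a .docm renamed to .docx is still caught) and whether a ZIP's entries have the encryption bit set in their header flags. The function names, the fixture contents and the list of VBA part paths are this example's own choices.

```python
"""Mail-attachment triage for the delivery vectors named in the update.

Added example (not G DATA code, no Emotet artefacts): flags macro-enabled
Office documents and password-protected ZIP archives. All fixtures are
constructed in memory.
"""
import io
import struct
import zipfile
import zlib

# OOXML parts that hold a VBA project; the prefix depends on the application.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# ZIP general-purpose flag bit 0: the entry is encrypted (ZipCrypto, or AES via extra field).
FLAG_ENCRYPTED = 0x0001


def has_vba_project(data: bytes) -> bool:
    """True if the ZIP/OOXML container carries a VBA project part.

    Content-based, so a .docm renamed to .docx is still caught.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in VBA_PARTS)


def encrypted_entries(data: bytes) -> list:
    """Names of entries whose central-directory flags mark them as encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zi.filename for zi in zf.infolist() if zi.flag_bits & FLAG_ENCRYPTED]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the reasons to hold an attachment for inspection (empty = pass)."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext in ("docm", "xlsm"):
        reasons.append("macro-enabled extension")
    if has_vba_project(data):
        reasons.append("contains vbaProject.bin")
    if ext == "zip" and encrypted_entries(data):
        reasons.append("password-protected ZIP entries")
    return reasons


def build_stored_zip(entries, encrypted=False) -> bytes:
    """Build a minimal STORED ZIP from (name, payload) pairs.

    Fixture builder only: with encrypted=True the flag bit is set but the
    payload is left as-is, which is enough to exercise the detection path
    (the stdlib zipfile module cannot write encrypted archives).
    """
    flags = FLAG_ENCRYPTED if encrypted else 0
    local, central, offset = [], [], 0
    for name, payload in entries:
        nm = name.encode("ascii")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        # Local file header: sig, version, flags, method, time, date, crc, sizes, lengths.
        lh = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                         crc, len(payload), len(payload), len(nm), 0)
        local.append(lh + nm + payload)
        # Central directory header for the same entry, pointing at its local header.
        ch = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                         crc, len(payload), len(payload), len(nm), 0, 0, 0, 0, 0, offset)
        central.append(ch + nm)
        offset += len(local[-1])
    cd = b"".join(central)
    # End of central directory record: counts, directory size and its offset.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(cd), offset, 0)
    return b"".join(local) + cd + eocd


# Constructed fixtures (no real malware).
SAMPLE_DOCM = build_stored_zip([
    ("[Content_Types].xml", b"<Types/>"),
    ("word/document.xml", b"<w:document/>"),
    ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stand-in for an OLE macro container"),
])
SAMPLE_DOCX = build_stored_zip([("word/document.xml", b"<w:document/>")])
SAMPLE_ENCRYPTED_ZIP = build_stored_zip([("invoice.docm", b"opaque")], encrypted=True)
SAMPLE_ZIP = build_stored_zip([("readme.txt", b"hello")])

if __name__ == "__main__":
    for name, blob in [("report.docm", SAMPLE_DOCM), ("report.docx", SAMPLE_DOCM),
                       ("report.docx", SAMPLE_DOCX), ("invoice.zip", SAMPLE_ENCRYPTED_ZIP),
                       ("notes.zip", SAMPLE_ZIP)]:
        print(f"{name}: {triage_attachment(name, blob) or ['pass']}")
```

The encryption check reads the central directory rather than trusting the file extension or the MIME type, and the macro check looks for the VBA part itself rather than the ".docm" suffix. Neither check recurses into nested archives, so a ZIP inside a ZIP would need a second pass.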

A detailed blog post with technical details as well as Indicators of Compromise can be found on the blog of our subsidiary G DATA Advanced Analytics: Guess who’s back – cyber.wtf


G DATA CyberDefense AG
G DATA Campus
Königsallee 178
D-44799 Bochum

Phone: +49 234 9762-239
E-Mail: presse@gdata.de

Contact

Kathrin Beckert-Plewka
Public Relations Manager
Phone: +49 234 9762-507
kathrin.beckert@gdata.de

Hauke Gierow
Press spokesperson
Phone: +49 234 9762-665
hauke.gierow@gdata.de

Vera Haake
Spokesperson for event & location communication
Phone: +49 234 9762-376
vera.haake@gdata.de

Stefan Karpenstein
Public Relations Manager
Phone: +49 234 9762-517
stefan.karpenstein@gdata.de