This is our 3rd anniversary of Cryptolaemus1. Thanks for all the follows and sharing of intel these past 3 years! To celebrate, Ivan has released a new version of Emotet because he feels left out and wants to be part of the party. More details coming soon. As always, watch URLHaus.
We have been following this situation since the module first showed up on Monday at 0745UTC on E4. As of today at 1330UTC, the module is now being deployed to bots on the E5 botnet as well. This looks to be a new development for Emotet and maybe soon a reawakening. Stay tuned.
Today is the day the #Emotet version left on computers worldwide will uninstall itself. Thus ends the period to have IR find the Emotet dlls left over from old infections before the takedown. We are watching for Ivan's next moves with the rest of his buddies in RU. Keep fighting!
Bye-bye botnets👋 Huge global operation brings down the world's most dangerous malware.
Investigators have taken control of the Emotet botnet, the most resilient malware in the wild.
Get the full story:
Hello Ivan, is that you? *sounds of vodka bottles falling over* - We have reason to believe that #Emotet is coming back for distribution (SPAM) in short order. E4/E5 woke up yesterday. Now is the time to prepare and be vigilant as Ivan may have new lures/tricks/methods to share.
🚨 #Emotet Update 🚨 - Looks like Ivan laid an egg for easter and has been busy. As of about 14:00UTC today 2022/04/18 - Emotet on Epoch 4 has switched over to using 64-bit loaders and stealer modules. Previously everything was 32-bit except for occasional loader shenanigans. 1/x
BREAKING: #Emotet malspam links can, since yesterday, link to a Universal App installer hosted on @azure posing as an Adobe Update that drops the E4 payload. This is the same initial attack vector as #BazarLoader used a few weeks ago, even using the same @SectigoHQ cert.
#Emotet Update - @spamhaus / @nazywam alerted us to a run of malspam coming from Emotet in the last 15-30 minutes. This is correct and we have confirmed this to be from the E2 botnet. Spam modules are being deployed and there is at least a test run being done currently. More soon.
- Great Article on the Guardians from Japan which we always thought of as our partners in the fight against Emotet/Ivan in Japan! :) Very happy to see them honored this way and sorry to anyone we did not mention in our tweet there. Stronger Together!💪
#Emotet Update: Looks like we are seeing signs of a protocol change for C2 that matches what we saw last night for the new possible E4 loader. It may not be an E4 but more likely a loader/C2 revision that is inbound. Right now only E2 is exhibiting this behavior.
@hatching_io @CapeSandbox I also just released a vaccine for #Emotet. A protection and detection tool to avoid getting infected by the Emotet payload. The code and the binaries are in my repository. #malware
#Emotet Update - Looks like Ivan has changed things again and @Max_Mal_ caught them. Now the LNKs are calling Powershell.exe directly in the normal location for a typical Windows install under system32. No more VBS appended to the end of the file. 1/x