Trickbot-Infected Machines Drop Emotet Samples

The Trickbot botnet has been observed spreading samples of Emotet, which researchers say is the first time Emotet has been spotted since its takedown earlier this year.

These findings come from Check Point Research, which has spotted more than 140,000 victims affected by Trickbot worldwide since global efforts aimed to take down the botnet in October 2020. Emotet, another prolific threat, was taken down in January 2021 due to a join operation of law enforcement agencies around the world.

On Nov. 15, 10 months after Emotet's takedown, Trickbot-infected machines began to drop Emotet samples. These newly Emotet-infected devices began to spread again through a malspam campaign instructing victims to download password-protected zip files containing malicious documents. Once they are run and macros are enabled, the computer is infected with Emotet, causing the infection cycle to continue and helping Emotet rebuild its botnet network.

"Emotet could not choose a better platform than Trickbot as a delivery service when it came to Emotet’s rebirth question," researchers wrote in a blog post on their findings.

Since they first detected the Emotet samples, Check Point researchers have observed a volume of the botnet's activity that is at least 50% of the level they saw in January 2021, before Emotet was taken down. The upward trend has continued throughout December as well, they noted.

Read Check Point's full writeup for more details.