The Emotet malware was considered the most widely spread malware in the past, using spam campaigns and malicious attachments to distribute the malware. Emotet would then use infected devices to perform other spam campaigns and install other payloads, such as the QakBot (Qbot) and Trickbot malware. These payloads would then be used to provide initial access to threat actors to deploy ransomware, including Ryuk, Conti, ProLock, Egregor, and many others. At the beginning of the year, an international law enforcement action coordinated by Europol and Eurojust took over the Emotet infrastructure and arrested two individuals. German law enforcement used the infrastructure to deliver an Emotet module that uninstalled the malware from infected devices on April 25th, 2021.
This week, researchers from Cryptolaemus, GData, and Advanced Intel have begun to see the TrickBot malware dropping a loader for Emotet on infected devices. Threat actors are using a method dubbed “Operation Reacharound” to rebuild the Emotet botnet using TrickBot’s existing infrastructure. Emotet expert and Cryptolaemus researcher Joseph Roosen told reporters that they had not seen any signs of the Emotet botnet performing spamming activity or found any malicious documents dropping the malware. This lack of spamming activity is likely due to the rebuilding of the Emotet infrastructure from scratch.