The insidious Emotet botnet, which staged a return in November 2021 after a 10-month-long hiatus, is once again exhibiting signs of steady growth, amassing a swarm of over 100,000 infected hosts for perpetrating its malicious activities.
“While Emotet has not yet attained the same scale it once had, the botnet is showing a strong resurgence with a total of approximately 130,000 unique bots spread across 179 countries since November 2021,” researchers from Lumen’s Black Lotus Labs said in a report.
Emotet, prior to its takedown in late January 2021 as part of a coordinated law enforcement operation dubbed “Ladybird,” had infected no fewer than 1.6 million devices globally, acting as a conduit for cybercriminals to install other types of malware, such as banking trojans or ransomware, onto compromised systems.
Emotet’s resurrection is said to have been orchestrated by the Conti gang itself in an attempt to shift tactics in response to increased law enforcement scrutiny into the TrickBot’s malware distribution activities.
Black Lotus Labs noted that the “Aggregation of bots really didn’t begin in earnest until January ,” adding the new variants of Emotet have swapped the RSA encryption scheme in favor of elliptic curve cryptography to encrypt network traffic.
What’s more, Emotet’s botnet infrastructure is said to encompass nearly 200 command-and-control servers, with most of the domains located in the U.S., Germany, France, Brazil, Thailand, Singapore, Indonesia, Canada, the U.K., and India.