Emotet and TrickBot

After awakening last week and starting to send spam worldwide, Emotet is now once again installing the TrickBot trojan on infected Windows computers.

On July 17th, 2020, after over five months of inactivity, the Emotet Trojan woke up and started massive spam campaigns pretending to be payment reports, invoices, shipping information, and employment opportunities.

Current Emotet campaign

These spam emails contain malicious documents that will install the Emotet trojan on the recipient's computer when they are opened with macros enabled.

Historically, once a user became infected with Emotet, the trojan would eventually download and install the TrickBot trojan on the infected computer.

It wasn't until today, though, that Binary Defense researcher James Quinn told BleepingComputer that he began to see Emotet once again installing the TrickBot trojan.

TrickBot and why it is so dangerous

TrickBot is advanced malware that infects Windows machines and is commonly seen targeting enterprise networks.

What makes TrickBot so dangerous is that it will download modules that perform various malicious activities on an infected computer.

This activity includes:

Even worse, though, once TrickBot has finished harvesting anything of value from a compromised network, it will open up a reverse shell to the Ryuk and Conti ransomware actors.

This reverse shell will allow the ransomware operators to access the network, steal unencrypted files, and then deploy their ransomware to encrypt all of the network's machines.

Network and security administrators need to be sure that users on their network are adequately educated about Emotet spam campaigns and do not open any suspicious documents.

Furthermore, if a computer becomes compromised by Emotet, it is likely also compromised by TrickBot.

A full investigation should be launched, which includes assessing whether the infections have spread to other computers on the network.
