The Emotet botnet is back up-and-running following a summer break, with security firms reporting that command-and-control servers have been quietly reactivated.

The botnet fell silent at the beginning of June, although researchers forecast that it wouldn’t stay down for long.

The Emotet botnet arose from the grave yesterday and began serving up new binaries. We noticed that the C2 servers began delivering responses to POST requests around 3PM EST on Aug 21. Stay vigilant and keep an eye out for any updates as we monitor for any changes.

— Cofense Labs (@CofenseL) August 22, 2019

According to specialist security website BleepingComputer, the network was as likely to have been taken down for maintenance as it was to enable its operators to have a long summer holiday in the Crimea. Ransomware and Trojans linked to Emotet don’t target potential victims in the CIS to avoid attracting the interest of Russian law enforcement.

Cofense Labs was the first security firm to notice that the botnet had been reactivated. “The Emotet botnet arose from the grave yesterday and began serving up new binaries.

“We noticed that the C2 servers began delivering responses to POST requests around 3PM EST on Aug 21. Stay vigilant and keep an eye out for any updates as we monitor for any changes,” the company tweeted late on Thursday.

They reuse the old IPs so they need time to:
– Grab old/new bots (it’s Friday it’s not a glorious day for botnets)
– remove ALL the AV bots from today on the panel lol
– Run some tests for bypassing anti spam product
– Prepare the campaign for the next Clients
etc it takes time

— Benkøw moʞuƎq (@benkow_) August 23, 2019

A list of active servers has been published on Github by security firm Black Lotus Labs. The botnet has not been involved in any new campaigns – yet.

Originally supporting a banking Trojan of the same name when it was first started up in 2014, it quickly switched to distributing other forms of malware. It has since been linked with the Trickbot banking Trojan and the Ryuk ransomware.

However, it will be some time before a fresh campaign is launched, with the gang behind Emotet having to grab new bots (compromised PCs and servers), remove anti-virus bots, test their malware against a range of anti-virus and other security solutions, and drum-up new clients.

#Emotet is back online and here is the active C2 list we have validated and are tracking as of now https://t.co/ilqvu1H6gO

— Black Lotus Labs (@BlackLotusLabs) August 22, 2019

Earlier this year when it was still active, Recorded Future claimed that Latin America was the epicentre of Emotet Trojan activity.

Back in 2017, following another short break, Emotet returned with what was described as a polymorphic Trojan, capable of evading detection by anti-virus software.