# Emotet-TrickBot malware duo is back infecting Windows machines

**[bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/](https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/)**

By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/), July 20, 2020 03:52 PM

After awakening last week and starting to send spam worldwide, Emotet is now once again installing the TrickBot trojan on infected Windows computers.

On July 17th, 2020, after over five months of inactivity, [the Emotet Trojan woke up](https://www.bleepingcomputer.com/news/security/emotet-spam-trojan-surges-back-to-life-after-5-months-of-silence/) and started massive spam campaigns pretending to be payment reports, invoices, shipping information, and employment opportunities.

*Image: Current Emotet campaign*

These spam emails contain malicious documents that install the Emotet trojan on the recipient's computer when the document is opened and macros are enabled.

Historically, once a user was infected with Emotet, the trojan would eventually download and install the TrickBot trojan on the infected computer.

It wasn't until today, though, that Binary Defense researcher [James Quinn](https://twitter.com/lazyactivist192) told BleepingComputer that he had begun to see Emotet once again installing the TrickBot trojan.

## TrickBot and why it is so dangerous

TrickBot is an advanced malware that infects Windows machines and is commonly seen targeting enterprise networks. What makes TrickBot so dangerous is that it downloads modules that perform various malicious activities on an infected computer.
This activity includes:

- Attempting to [spread laterally through a network](https://www.bleepingcomputer.com/news/security/nworm-trickbot-gang-s-new-stealthy-malware-spreading-module/)
- Stealing [Active Directory Services databases](https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/)
- Harvesting [login credentials and cookies from browsers](https://www.bleepingcomputer.com/news/security/trickbot-trojan-now-has-a-separate-cookie-stealing-module/)
- Stealing [OpenSSH keys](https://www.bleepingcomputer.com/news/security/trickbot-trojan-getting-ready-to-steal-openssh-and-openvpn-keys/)
- Stealing [RDP, VNC, and PuTTY credentials](https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-now-steals-rdp-vnc-and-putty-credentials/)
- Stealing [banking credentials](https://www.bleepingcomputer.com/news/security/trickbot-trojan-gets-icedid-proxy-module-to-steal-banking-info/)

Even worse, once TrickBot has finished harvesting anything of value from a compromised network, it will open up a reverse shell to the [Ryuk](https://www.bleepingcomputer.com/news/security/ryuk-ransomware-partners-with-trickbot-to-gain-access-to-infected-networks/) and [Conti Ransomware](https://www.bleepingcomputer.com/news/security/conti-ransomware-shows-signs-of-being-ryuks-successor/) actors. This reverse shell allows the ransomware operators to access the network, steal unencrypted files, and then deploy their ransomware to encrypt all of the network's machines.

Network and security administrators need to be sure users on their network are adequately educated about Emotet spam campaigns and do not open suspicious documents.

Furthermore, if a computer is compromised by Emotet, it is likely also compromised by TrickBot. A full investigation should be launched, including assessing whether the infection has spread to other computers on the network.
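The lure documents described above only do damage once the recipient enables macros, so user education is worth backing with a technical control. Office's "Block macros from running in Office files from the Internet" policy refuses to run VBA in any document carrying a Mark-of-the-Web (the `Zone.Identifier` stream a browser or mail client attaches to downloads), which covers the attachment path Emotet relies on. The following PowerShell audits that policy for Word, Excel and PowerPoint and can enforce it. It is an added example, not code from the article, from BleepingComputer or from Binary Defense; it assumes Office 2016/2019/Microsoft 365 (registry version `16.0`), is run as the user being hardened, and writes the per-user policy hive, which is what the Group Policy setting itself writes.

```powershell
# Added example (not from the article): audit and optionally enforce
# "Block macros from running in Office files from the Internet".
# Assumptions: Office registry version 16.0, per-user (HKCU) policy hive,
# run in the context of the user whose Office is being hardened.
$apps = 'Word', 'Excel', 'PowerPoint'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$name = 'blockcontentexecutionfrominternet'   # DWORD, 1 = block

function Get-MacroInternetBlockState {
    # One object per app: the current value and whether it enforces the block.
    foreach ($app in $apps) {
        $key = Join-Path $base "$app\Security"
        $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            App     = $app
            Key     = $key
            Value   = $val            # $null means the policy is not set at all
            Blocked = ($val -eq 1)
        }
    }
}

function Set-MacroInternetBlock {
    # Create the Security key where missing and set the DWORD to 1 for each app.
    foreach ($app in $apps) {
        $key = Join-Path $base "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Audit first, then warn about any app where Internet-sourced macros still run.
$state = Get-MacroInternetBlockState
$state | Format-Table App, Blocked, Value -AutoSize

$unprotected = $state | Where-Object { -not $_.Blocked }
if ($unprotected) {
    Write-Warning ("Internet macros NOT blocked for: " + ($unprotected.App -join ', '))
    # Uncomment to enforce on this user, or deploy the equivalent GPO domain-wide:
    # Set-MacroInternetBlock
    # Get-MacroInternetBlockState | Format-Table App, Blocked -AutoSize
}
```

Two caveats for anyone relying on this. The policy only triggers on files that actually carry a Mark-of-the-Web; an attachment extracted by an archiver that does not propagate `Zone.Identifier`, or saved by a client that never sets it, opens without the block, so it is one layer on top of mail filtering and user awareness, not a replacement. And because the value lives under `HKCU`, it must be applied per user (or, in a domain, through the corresponding Group Policy setting) rather than once per machine.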
-----

Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.
### Comments

[R-K - 1 year ago](https://www.bleepingcomputer.com/forums/u/1137491/r-k/): Death sentences for creating and distributing the very destructive malware.