May 28, 2023

In January 2021, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the Emotet botnet. In an internationally coordinated action, investigators took control of its infrastructure.

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine, with international activity coordinated by Europol and Eurojust.


Law enforcement was able to take over at least 700 servers used as part of the Emotet botnet's infrastructure. As part of the cleanup, the FBI collected millions of email addresses that the Emotet operators had used in their malware campaigns.

Emotet, which started out as a banking trojan and evolved into a malware loader, has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542. The infamous trojan was also used to deliver other malicious code, such as the TrickBot and QBot trojans, and ransomware such as Conti, ProLock, Ryuk, and Egregor.

Now researchers from multiple cybersecurity firms and research groups ([Cryptolaemus], [GData], and [Advanced Intel]) report that threat actors are using the TrickBot malware to drop an Emotet loader on already-infected devices. The experts are tracking this campaign, which aims to rebuild the Emotet botnet on top of TrickBot's infrastructure, as Operation ReachAround.

So far, researchers have not observed the rebuilt Emotet botnet being used to send spam. Network administrators should block the IP addresses associated with this campaign to prevent infection with the reformed Emotet bot. Bear in mind that command-and-control infrastructure rotates quickly, so a static list such as the one below ages fast and should be checked against a current threat feed before it is enforced.


Malicious IPs associated with this campaign

  • 1.234.21.73
  • 103.109.247.13
  • 103.109.247.8
  • 103.109.247.9
  • 103.127.67.38
  • 103.140.207.110
  • 103.142.10.177
  • 103.161.172.108
  • 103.164.180.66
  • 103.233.25.228
  • 103.238.203.82
  • 103.253.107.153
  • 103.253.107.155
  • 103.253.107.156
  • 103.253.107.198
  • 103.30.247.116
  • 103.52.135.61
  • 103.73.102.174
  • 103.74.143.53
  • 103.8.26.102
  • 103.8.26.103
  • 103.80.54.34
  • 103.82.248.59
  • 103.87.173.60
  • 103.94.0.178
  • 104.130.140.69
  • 104.248.178.90
  • 107.170.64.97
  • 108.55.14.158
  • 111.230.104.169
  • 111.235.66.83
  • 111.250.51.232
  • 114.79.130.68
  • 116.203.55.59
  • 116.206.153.212
  • 116.90.234.82
  • 117.248.109.38
  • 121.199.35.69
  • 122.117.90.133
  • 122.129.203.163
  • 123.252.190.14
  • 124.41.211.17
  • 125.234.128.250
  • 128.199.192.135
  • 128.199.206.91
  • 128.199.232.159
  • 128.201.76.252
  • 131.100.24.199
  • 134.209.182.12
  • 136.143.11.232
  • 136.228.128.21
  • 136.228.129.179
  • 136.232.34.70
  • 137.74.112.43
  • 138.197.109.175
  • 139.255.199.196
  • 139.59.59.242
  • 142.4.219.173
  • 142.44.247.57
  • 142.93.218.86
  • 144.76.1.150
  • 144.76.42.74
  • 148.235.154.164
  • 148.251.238.52
  • 153.126.165.175
  • 158.69.118.130
  • 159.224.167.102
  • 159.65.3.147
  • 162.214.106.107
  • 162.214.127.16
  • 162.214.188.105
  • 163.172.50.82
  • 164.68.99.3
  • 167.172.119.42
  • 168.197.250.14
  • 170.238.117.187
  • 171.235.33.211
  • 173.21.10.71
  • 176.100.4.31
  • 176.28.17.160
  • 177.138.142.97
  • 177.37.161.136
  • 177.72.80.14
  • 177.75.5.222
  • 177.87.0.7
  • 178.128.197.110
  • 178.128.23.9
  • 178.128.83.165
  • 178.238.236.59
  • 178.254.33.197
  • 178.33.123.234
  • 178.33.13.40
  • 178.62.205.130
  • 178.79.147.66
  • 178.79.150.86
  • 18.195.23.231
  • 181.112.49.170
  • 181.129.167.82
  • 181.143.251.154
  • 181.188.180.243
  • 181.189.221.250
  • 181.211.247.43
  • 182.253.106.35
  • 182.253.210.130
  • 185.148.168.220
  • 185.148.168.25
  • 185.164.32.148
  • 185.168.130.138
  • 185.184.25.237
  • 185.30.32.33
  • 185.56.219.47
  • 185.94.172.15
  • 186.250.48.123
  • 186.4.193.75
  • 187.121.88.3
  • 188.40.100.254
  • 189.135.61.226
  • 190.145.83.98
  • 190.183.237.119
  • 190.197.55.254
  • 190.61.46.106
  • 190.73.3.148
  • 191.252.196.221
  • 192.99.150.39
  • 194.1.193.11
  • 196.44.98.190
  • 198.199.70.22
  • 198.199.98.78
  • 198.61.167.176
  • 200.201.185.194
  • 200.83.98.31
  • 201.148.20.37
  • 202.144.203.140
  • 202.29.239.161
  • 202.51.122.163
  • 202.58.199.82
  • 203.173.94.162
  • 204.174.223.210
  • 207.148.81.119
  • 207.154.208.93
  • 207.180.220.242
  • 207.246.112.221
  • 209.210.95.228
  • 210.57.217.132
  • 211.172.241.52
  • 212.112.86.37
  • 212.175.98.171
  • 212.237.17.99
  • 213.136.86.165
  • 213.190.4.223
  • 216.10.251.121
  • 216.108.227.55
  • 216.177.161.118
  • 216.238.71.31
  • 217.79.184.243
  • 220.255.25.187
  • 23.160.193.106
  • 24.152.219.253
  • 24.162.214.166
  • 24.32.202.68
  • 31.220.49.39
  • 36.37.99.242
  • 36.66.188.251
  • 36.67.97.127
  • 36.89.98.183
  • 36.91.36.29
  • 36.92.59.93
  • 36.95.110.19
  • 37.187.115.122
  • 37.247.35.130
  • 37.59.103.148
  • 43.225.69.20
  • 43.229.206.212
  • 43.229.206.214
  • 43.229.206.244
  • 43.252.158.104
  • 45.201.134.202
  • 45.33.20.41
  • 45.33.33.91
  • 45.56.121.87
  • 45.79.33.48
  • 45.79.91.89
  • 45.9.20.200
  • 45.90.108.123
  • 46.101.182.168
  • 46.101.90.205
  • 46.99.175.217
  • 5.182.210.132
  • 5.199.162.48
  • 5.34.74.210
  • 5.39.99.208
  • 5.9.14.91
  • 50.116.62.25
  • 51.178.161.32
  • 51.178.61.60
  • 51.254.140.238
  • 51.77.82.110
  • 51.83.3.52
  • 51.91.76.89
  • 52.73.70.149
  • 54.191.98.150
  • 54.37.106.167
  • 54.37.202.209
  • 54.37.70.105
  • 54.37.84.240
  • 54.38.143.246
  • 54.39.98.141
  • 61.19.116.53
  • 62.210.200.63
  • 62.64.9.237
  • 66.175.217.172
  • 66.42.55.5
  • 69.64.50.41
  • 71.74.12.34
  • 72.252.201.34
  • 73.151.236.31
  • 74.63.218.139
  • 75.169.58.229
  • 75.176.235.182
  • 77.232.163.203
  • 79.143.186.143
  • 80.211.40.191
  • 85.88.174.94
  • 87.97.178.92
  • 89.107.190.111
  • 89.137.52.44
  • 91.121.134.180
  • 91.207.28.33
  • 91.235.129.8
  • 91.243.125.5
  • 91.83.88.122
  • 92.38.128.47
  • 93.188.167.97
  • 94.28.78.200
  • 95.110.160.239
  • 96.37.113.36
  • 97.107.134.115
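
As an added example (not part of the original post or of any of the cited researchers' tooling), the following Python script shows how a defender would operationalise an IOC list like the one above: parse the bulleted list into validated IPv4 addresses, sweep firewall and proxy logs for contacts with those addresses, and render the set as ipset commands for an egress block. The IOC subset is taken from the list above (with one deliberate bad token to show validation), the log lines are constructed for the example, and the ipset name `emotet_c2` is an assumption.

```python
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# A subset of the Emotet C2 addresses listed on this page, kept short for the
# example; in practice load the full list from a file or feed. One duplicate
# and one non-address token are included to exercise the parser.
IOC_TEXT = """
  • 1.234.21.73
  • 103.109.247.13
  • 45.79.33.48
  • 185.184.25.237
  • 45.79.33.48
  • not-an-ip
"""

_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ioc_list(text: str) -> Set[ipaddress.IPv4Address]:
    """Turn a bulleted IOC list into a set of validated IPv4 addresses.

    Bullets, whitespace and duplicates are discarded; tokens that do not parse
    as an IPv4 address (typos, stray text) are skipped rather than being
    matched as raw strings.
    """
    iocs: Set[ipaddress.IPv4Address] = set()
    for raw in text.splitlines():
        token = raw.strip().lstrip("•*-").strip()
        if not token:
            continue
        try:
            iocs.add(ipaddress.IPv4Address(token))
        except ipaddress.AddressValueError:
            continue
    return iocs


def extract_ips(line: str) -> List[ipaddress.IPv4Address]:
    """Pull every syntactically valid IPv4 address out of a log line."""
    found: List[ipaddress.IPv4Address] = []
    for cand in _IPV4_RE.findall(line):
        try:
            found.append(ipaddress.IPv4Address(cand))
        except ipaddress.AddressValueError:
            pass  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def match_log(lines: Iterable[str],
              iocs: Set[ipaddress.IPv4Address]) -> List[Tuple[int, str]]:
    """Return (1-based line number, matched IP) for every line touching an IOC."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        for ip in extract_ips(line):
            if ip in iocs:
                hits.append((n, str(ip)))
    return hits


def to_ipset_commands(iocs: Set[ipaddress.IPv4Address],
                      set_name: str = "emotet_c2") -> List[str]:
    """Render the IOC set as ipset(8) commands; pair the set with an egress
    DROP rule in iptables/nftables. The set name is an assumption."""
    cmds = [f"ipset create {set_name} hash:ip -exist"]
    cmds += [f"ipset add {set_name} {ip} -exist" for ip in sorted(iocs)]
    return cmds


# Constructed sample firewall/proxy lines (not real traffic).
SAMPLE_LOG = [
    "2021-11-16T09:12:01Z fw ACCEPT src=10.0.5.23 dst=45.79.33.48 dport=8080 proto=tcp",
    "2021-11-16T09:12:05Z fw ACCEPT src=10.0.5.23 dst=142.250.74.78 dport=443 proto=tcp",
    "2021-11-16T09:13:40Z proxy 10.0.7.9 CONNECT 185.184.25.237:443 200",
    "2021-11-16T09:14:02Z fw DROP src=10.0.5.99 dst=999.1.1.1 dport=80 proto=tcp",
]

if __name__ == "__main__":
    iocs = parse_ioc_list(IOC_TEXT)
    for n, ip in match_log(SAMPLE_LOG, iocs):
        print(f"line {n}: contact with Emotet C2 {ip}")
    print("\n".join(to_ipset_commands(iocs)))
```

Validating every token through `ipaddress` rather than matching on bare strings matters for both directions: a typo in the list silently fails to block anything, and a regex alone will happily "match" an octet like 999 that no host can have. Run the log sweep retrospectively first; a hit on an internal host is an existing TrickBot/Emotet infection to triage, not just a connection to block.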
