
Malware Spotlight: What are Emotets?

December 23, by Greg Belding

Introduction

When some first hear the name Emotet, they may think they are hearing the name of the villain from the latest bad mummy movie. But Emotet may be considered even scarier than any ancient pariah of horror movies, especially once you find out just how much damage this threat can cause.

This article will explore the malware known as Emotet. We will look at what it is, shed some light on how it works, walk through its history and describe the impact an infection can cause. We will also give some tips on how to limit the effect of an Emotet infection.

What is Emotet?

Emotet is a banking Trojan that was first discovered in and was originally focused on stealing financial information from users of compromised systems, including credit card information, banking credentials and more. It is not just another information-stealing Trojan: it is a major threat that has already garnered serious attention.

In July of, the U.S. Department of Homeland Security issued an alert about Emotet, describing it as an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other malware, including other banking Trojans. The alert warned that Emotet evades signature-based detection and is built to spread itself, which makes it very difficult to combat. DHS does not issue alerts for every piece of malware that rears its ugly head, which further distinguishes this relatively new threat.

How does Emotet work?

This modular banking Trojan spreads through malicious spam email, or malspam, and infects Windows systems by way of malicious scripts, malicious embedded links and macro-enabled documents. Opening the attachment or following the link runs a script that fetches the Emotet payload; additional modules and payloads are stored on a command-and-control (C2) server and are pulled down whenever Emotet needs them.

Emotet uses familiar email branding to trick unsuspecting users. Couple this with lure language in the subject or body such as "Your Order" or "Your Invoice" and you have a recipe for disaster (or infection).
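As an added example (not code from the article or from any vendor tool), the following Python script triages a message for the two traits just described: a lure subject such as "Your Invoice" and a macro-enabled Office attachment. Rather than trusting the file extension, it opens the OOXML package and looks for a `word/vbaProject.bin` stream, so a macro document renamed to `.docx` is still flagged. The message and the attachment are constructed inline; the subject regex and extension list are assumptions to be tuned against your own mail logs. Legacy binary `.doc` files are caught only by extension here, since they are OLE files rather than zips.

```python
"""Added example: flag Emotet-style malspam by inspecting attachments.

Not from the article. The sample message and attachment are constructed
inline. Two checks are made: lure subject lines such as "Your Invoice",
and macro-enabled Office attachments, detected by opening the OOXML zip
and looking for a VBA project stream rather than trusting the extension.
"""
import base64
import email
import io
import re
import zipfile
from email import policy

# Assumed lure phrases (the article names "Your Order"/"Your Invoice").
LURE_SUBJECTS = re.compile(r"\b(your (order|invoice)|payment|invoice)\b", re.I)
# Assumed list of extensions that may carry VBA macros.
MACRO_EXTS = (".doc", ".docm", ".dotm", ".xlsm", ".xlam", ".pptm")


def build_macro_docx() -> bytes:
    """Constructed sample: a minimal OOXML zip carrying a VBA project stream.
    It is not a real document, only the zip entries the detector inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake vba stream")
    return buf.getvalue()


def build_sample_eml(attachment: bytes, filename: str, subject: str) -> bytes:
    """Constructed malspam-style message with one base64 attachment."""
    b64 = base64.b64encode(attachment).decode()
    return (
        "From: billing@example-shop.test\r\n"
        "To: victim@example.test\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
        "--XX\r\nContent-Type: text/plain\r\n\r\nPlease see attached.\r\n"
        "--XX\r\n"
        "Content-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        f"{b64}\r\n--XX--\r\n"
    ).encode()


def has_vba_project(data: bytes) -> bool:
    """True if data is an OOXML zip that contains a VBA project stream."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> dict:
    """Return the subject, a list of findings and a suspicious flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = msg["subject"] or ""
    if LURE_SUBJECTS.search(subject):
        findings.append(f"lure subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(MACRO_EXTS):
            findings.append(f"macro-capable extension: {name}")
        if has_vba_project(payload):
            findings.append(f"VBA project inside attachment: {name}")
    return {"subject": subject, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    eml = build_sample_eml(build_macro_docx(), "Invoice_4471.docx", "Your Invoice")
    print(triage(eml))
```

The constructed message is flagged twice, once for the subject and once because the `.docx` attachment carries a VBA project despite its extension; a plain PDF under a neutral subject produces no findings.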

After the infection has taken hold, Emotet combines network propagation, persistence and the downloading/dropping of other malware to compromise not only the initial machine but the whole network. Well-known examples of malware Emotet has installed on compromised systems include the TrickBot banking Trojan and the Ryuk ransomware.

One of the most difficult things about Emotet is reinfection. Once it has been cleaned from one machine, other still-infected hosts on the network can reinfect it, and the cleaned machine in turn helps spread the infection again. Cleaning machines one at a time therefore does not work.

Another difficult aspect is its top-flight ability to spread itself. The current version of Emotet uses five spreader modules: NetPass.exe, an Outlook scraper, WebBrowserPassView, Mail PassView and a credential enumerator. The first four harvest saved passwords and email contacts from the infected host (WebBrowserPassView, Mail PassView and NetPass.exe are legitimate NirSoft password-recovery tools repurposed by the malware); the credential enumerator then uses harvested or guessed credentials to reach other systems on the network.
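The article only names the credential enumerator; the behaviour modelled below (password guessing against a host's logon, a successful network logon, then a service dropped on the target to run Emotet) is described in the DHS/US-CERT alert the article cites, not on this page. As an added example, not code from the article or from any product, this Python detector correlates three Windows event types over constructed, simplified log lines: a burst of failed logons (Security 4625) from one source, a following successful network logon (4624, logon type 3) from that same source, and a service install (System 7045) on the target shortly after. The field names, thresholds and time window are assumptions to adjust for your environment.

```python
"""Added example: spot Emotet-style lateral movement in Windows event logs.

Not from the article. The article names only a 'credential enumerator'
spreader; the chain modelled here (password guessing, successful network
logon, service install on the target) comes from the DHS/US-CERT alert the
article cites. Log lines are constructed, simplified renderings of Security
events 4625/4624 and System event 7045; field names are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed: failed logons from one source before we care
WINDOW = timedelta(minutes=10)  # assumed: guessing -> success -> service install

# Constructed sample log, one event per line as key=value fields.
SAMPLE_LOG = """\
2019-12-20T10:01:03 host=FS01 event=4625 src=WS07 user=admin type=3
2019-12-20T10:01:04 host=FS01 event=4625 src=WS07 user=admin type=3
2019-12-20T10:01:05 host=FS01 event=4625 src=WS07 user=admin type=3
2019-12-20T10:01:06 host=FS01 event=4625 src=WS07 user=admin type=3
2019-12-20T10:01:07 host=FS01 event=4625 src=WS07 user=admin type=3
2019-12-20T10:01:08 host=FS01 event=4625 src=WS07 user=admin type=3
2019-12-20T10:01:09 host=FS01 event=4624 src=WS07 user=admin type=3
2019-12-20T10:01:12 host=FS01 event=7045 service=ms-update path=C:\\Windows\\update.exe
2019-12-20T10:05:00 host=FS02 event=4625 src=WS12 user=jsmith type=3
2019-12-20T10:05:30 host=FS02 event=4624 src=WS12 user=jsmith type=3
"""


def parse(line: str) -> dict:
    """Split '<iso timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect(log_text: str) -> list:
    """Return one alert per (target host, source) showing the full chain:
    >= FAIL_THRESHOLD failed logons, then a type-3 success from the same
    source, then a 7045 service install on that target, all within WINDOW."""
    events = sorted(
        (parse(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    fails = defaultdict(list)   # (host, src) -> timestamps of 4625
    successes = {}              # (host, src) -> 4624 event that followed a burst
    alerts = []
    for e in events:
        host = e["host"]
        if e["event"] == "4625":
            fails[(host, e["src"])].append(e["ts"])
        elif e["event"] == "4624" and e.get("type") == "3":
            key = (host, e["src"])
            recent = [t for t in fails.get(key, []) if e["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                successes[key] = e
        elif e["event"] == "7045":
            for (h, src), logon in successes.items():
                gap = e["ts"] - logon["ts"]
                if h == host and timedelta(0) <= gap <= WINDOW:
                    alerts.append({
                        "target": host,
                        "source": src,
                        "user": logon.get("user"),
                        "service": e.get("service"),
                        "path": e.get("path"),
                        "when": e["ts"].isoformat(),
                    })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the sample, FS01 is flagged: six failed logons from WS07, a successful network logon, then a new service three seconds later. FS02 sees a single failure followed by a success, which is ordinary user behaviour and stays quiet. In a real deployment, feed the detector normalized events from your SIEM rather than raw text, and treat the 7045 service path as the artifact to collect from the target.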

The history of Emotet

Emotet has experienced rapid changes since its inception in, making it, in the words of DHS, very challenging to combat. The changes between Emotet versions have been so drastic that each new version may seem like a different piece of malware altogether. Version one focused on stealing sensitive banking information by intercepting the compromised system's internet traffic.

Emotet version 2 followed soon afterwards with some major changes, including several new modules: a malspam module, a money transfer system and a banking module.

Version 3 first appeared in January of. It offered extended stealth capabilities to avoid detection and some modules aimed at the Swiss banking community.

The next version of Emotet did not appear until, when it began installing other malware and ransomware onto compromised Windows systems. The most recent Emotet version was born in September of and came with enhanced botnet capabilities: when a weaponized document is opened, it downloads the Emotet payload from a compromised WordPress site.

The impact of Emotet

The negative impact an Emotet infection can cause is no small potatoes by any means. It includes, but is not limited to:

Tips for limiting the effect of Emotet

Emotet is a serious threat, but rest assured that you can take steps to limit the effect an infection may have on your organization. Remember: an ounce of prevention is worth a pound of cure.

Below is a list of preventive measures that may stop an infection before it happens:

Because Emotet reinfects so readily, infected Windows systems need to be isolated immediately and wiped clean (reimaged) before they can rejoin the network. Isolate and clean all infected hosts together: a cleaned machine that rejoins a network with still-infected peers will simply be reinfected. This trait makes Emotet one of the hardest infections to eradicate.

Conclusion

Emotet is a modular banking Trojan that has outgrown the bounds of a normal Trojan and is in a league of its own. After infection, it can quickly spread to other systems in the network, download other malware and reinfect a compromised system after removal.

This malware may seem just like another Trojan at first, but scratch beneath the surface and you will have a better idea of its sophistication.

Sources

  1. Emotet, Malwarebytes
  2. What is Emotet? And how to guard against this persistent Trojan malware, CSO
  3. Trojan.Emotet, Malwarebytes Blog