Emotet is one of the most widely dispersed and actively developed malware families on the crimeware landscape today. Emotet is a Trojan that spreads through spam emails. It is a highly modular threat that delivers a variety of payloads. Emotet began purely as a banking Trojan, but over the years it has continued to evolve. More recently, it has been associated with some larger-scale targeted Ryuk ransomware infections. The infection may arrive through macro-enabled document files, malicious scripts, or malicious links. These campaigns change and evolve daily, and the supporting infrastructure also changes on a near-constant basis. It is not uncommon, however, to see Emotet reuse some of its command and control (C2) servers over more extended periods.
Emotet is polymorphic, and therefore hard to detect by signatures. It has several methods for maintaining persistence, including auto-start registry keys and services. Emotet is virtual-machine-aware and can generate false indicators if run in a virtual environment.
How Emotet Spreads
Emotet is dispersed by email, using infected attachments as well as embedded URLs. These emails may appear to come from trusted sources, because Emotet takes over the email accounts of its victims and sends from them. This helps trick users into downloading the Trojan onto their machines. If a connected network is present, Emotet spreads using a list of common passwords, guessing its way onto other connected systems in a brute-force attack. Another method Emotet uses to spread is the EternalBlue/DoublePulsar exploits, which were also used in the WannaCry and NotPetya attacks.
History of Emotet
Mealybug is a cybercrime actor that has been active since 2014. It was first identified through its use of its custom malware, Emotet. It appears to have changed its business model in recent times, evolving from targeting banking customers in Europe to using its infrastructure to act as a global packing and delivery service for other threat actors. In January 2015, Mealybug started targeting Swiss bank customers. The newer version of Emotet has separate modules for its loader, email login theft, Distributed Denial of Service (DDoS) attacks, and malicious spam. Since 2018, the Emotet Trojan has had the ability to install other malware on infected machines, including banking Trojans or malspam delivery services.
Negative consequences of Emotet infection include:
- Temporary or permanent loss of sensitive or proprietary information
- Disruption to regular operations
- Financial losses incurred to restore systems and files
- Potential harm to an organization’s reputation
Modular malware families like Emotet are going to continue to increase in popularity as time goes on. Emotet's operators look to maximize their financial gain whenever possible and, at the same time, minimize payloads that will have little return on investment. These types of changes will continue to keep Emotet near the top of the crimeware landscape.