Emotet Malware

What Is Emotet Malware?

Emotet (AKA Heodo and Geodo) is a modular family of polymorphic first-stage initial access malware first discovered in 2014. It is considered one of the world's most dangerous malware strains due to its numerous unique and evasive variants. Emotet began as a banking trojan, but since 2017 its capabilities have been limited to primarily acting as an initial access trojan for distributing top-tier second-stage malware and ransomware such as Conti, Ryuk, Trickbot, and Qakbot.

Emotet is attributed to an initial access broker (IAB) group known as TA542 (AKA, Mummy Spider and MealyBug) which operates a highly successful Malware-as-a-Service (MaaS) criminal enterprise. Before 2015 Emotet was publically sold on dark-net forums but is now only available privately to TA542's close affiliates. Restricting Emotet's availability allows it to be deployed more strategically and makes it harder for security researchers to analyze the most recent version and develop countermeasures.

2021 was an especially eventful year for Emotet. In January 2021, a combined international effort including EUROPOL and the FBI cracked down on Emotet botnet operators; however, Ukrainian police announced the arrest of only two suspects. The joint law-enforcement effort also deployed a solution to uninfected Emotet's zombie botnet victims by pushing an update directing the malware uninstall itself. However, by November 2021, Emotet emerged again with new variants and techniques, quickly returning its botnet to full functionality.

As a first-stage malware, Emotet is distributed via phishing and malspam campaigns employing a wide variety of social engineering contexts such as overdue invoices, package delivery notices, COVID-19 alerts, and banking themes to entice victims into executing a weaponized email attachment or URL-linked payload. Emotet payloads are often embedded in Microsoft Office documents, but Emotet has also been contained in PDF files, executables and scripts, compressed ZIP archives, and other novel attack vectors.

Emotet payloads are known to use virtually every known exploit and many undisclosed "zero-day" exploits to stay one step ahead of security researchers. Once installed, Emotet can brute-force passwords, steal user credentials from all major browser and email clients, and maintain persistence. Emotet also has worm-like lateral movement capabilities within a local network and self-update features that allow it to import new modules. To evade detection, Emotet uses randomly generated filenames and periodically changes the location and name of its .exe executable and associated Windows Autorun registry keys that ensure it automatically starts when the infected system is rebooted.

Emotet's most effective techniques include the following:

  • Analyzing stolen information to develop social engineering contexts 
  • Appending messages with trojanized attachments to existing conversations in compromised email accounts
  • Avoiding detection from security products that block known malicious URLs by using hacked websites to host its first-stage payloads 
  • Using their victim's Microsoft accounts to spreads via OneDrive links to avoid being blocked
  • Mimicking the brand image of major companies to deliver fake invoices, delivery information, or fake job offers
  • Attempting to extort money from victims with coercive "sextortion" malspam
  • Using stolen credentials to spread via SMB service vulnerabilities
  • Using 64-bit shellcode and PowerShell to execute and install second-stage payloads

Signs of an Emotet Attack

As with any documents originating from an unknown source, using VBA macros usually indicates a malware attack. However, Emotet's most stealthy variants have used previously unknown vulnerabilities other than VBA macros to compromise its victims. Email attachments that use uncommon file extensions (such as .js, .ico, or .lnk) may indicate an Emotet attack. Also, since Emotet avoids detection by using randomized filenames, discovering an executable file composed of random characters could indicate an Emotet infection.

How to Prevent an Emotet Attack

Efforts to prevent an Emotet attack can be supported with heightened user awareness of social engineering and phishing attacks. However, it is also important to install, configure, and regularly update endpoint security products and update all operating systems, services and applications across an organization's entire IT environment as soon as possible after their release. BlackBerry™ Cyber Suite products are continuously updated to protect your environment against the newest version of the Emotet Trojan.

Here are the most effective strategies for preventing an Emotet attack:

  • Configure email clients to notify users when emails originate from outside the organization
  • Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents
  • Recognize the increased risk that encrypted files present and verify the context of such documents thoroughly before opening them
  • Use a content proxy to monitor internet usage and restrict user access to suspicious or risky sites
  • Ensure that only authorized, digitally signed software is installed on all endpoints and regularly scan for and block any unauthorized software from executing
  • Ensure Office applications are configured with Disable all macros without notification or Disable all except digitally signed macros settings
  • Pay special attention to warning notifications in email clients and Office applications that can alert you to suspicious contexts, such as files that have not been scanned for malware or contain VBA macros
  • Install and configure endpoint security products that will scan encrypted documents immediately after they are unencrypted
  • Implement Zero Trust solutions wherever possible, giving priority to critical systems 
 CylanceOPTICS® provides on-device threat detection and remediation using artificial intelligence (AI) to prevent security incidents with root cause analysis, smart threat hunting, and automated detection and response capabilities. Our Endpoint Detection and Response (EDR) approach effectively eliminates response latency. It can be the difference between a minor security incident and a widespread, uncontrolled event.