Emotet

Emotet is a kind of malware originally designed as a banking Trojan aimed at stealing financial data, but it has evolved into a major threat to users everywhere.

Let’s talk Emotet malware

You may have heard about Emotet in the news. What is it: Ancient Egyptian king, your teenage sister’s favorite emo band? We’re afraid not.

The Emotet banking Trojan was first identified by security researchers in 2014. Emotet was originally designed as a banking malware that attempted to sneak onto your computer and steal sensitive and private information. Later versions of the software saw the addition of spamming and malware delivery services—including other banking Trojans.

Emotet includes functionality that helps it evade detection by some anti-malware products, and worm-like capabilities that let it spread to other connected computers, aiding its distribution. This functionality has led the Department of Homeland Security to conclude that Emotet is one of the most costly and destructive malware families, affecting government and private sectors, individuals and organizations, and costing upwards of $1M per incident to clean up.

What is Emotet?

Emotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive via a malicious script, a macro-enabled document file, or a malicious link. Emotet emails may carry familiar branding designed to look like a legitimate email. Emotet may try to persuade users to open the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.

Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers. 
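The delivery pattern described above (script or macro-enabled attachments paired with invoice, payment or shipment lures) can be turned into a simple mail-gateway triage rule. The following is an added example written for this page, not code from the original article or from Malwarebytes; the attachment extensions, lure phrases and the `Message` structure are assumptions.

```python
# Added example (not from the original article): a minimal mail-gateway triage
# rule for the Emotet delivery pattern: a macro-enabled Office document or a
# script attachment combined with invoice / payment / shipment lure wording.
import os
import re
from dataclasses import dataclass, field

# Assumption: these extensions represent the "malicious script" and
# "macro-enabled document" attachment types the article describes.
MACRO_OR_SCRIPT_EXT = {".docm", ".xlsm", ".pptm", ".js", ".jse", ".wsf", ".vbs"}

# Lure phrases quoted in the article, plus the parcel/shipment theme it mentions.
LURE_PATTERN = re.compile(
    r"\b(your invoice|payment details|shipment|parcel|delivery notification)\b",
    re.IGNORECASE,
)

@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def triage(msg: Message) -> dict:
    """Return a verdict (quarantine / review / deliver) with the reasons behind it."""
    reasons = []
    risky_attachment = [
        name for name in msg.attachments
        if os.path.splitext(name)[1].lower() in MACRO_OR_SCRIPT_EXT
    ]
    if risky_attachment:
        reasons.append("risky attachment type: " + ", ".join(risky_attachment))
    lure = bool(LURE_PATTERN.search(msg.subject) or LURE_PATTERN.search(msg.body))
    if lure:
        reasons.append("financial/shipment lure wording")
    # Both signals together match the article's description of an Emotet lure;
    # either one alone is only worth a closer look.
    if risky_attachment and lure:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}

if __name__ == "__main__":
    # Constructed sample message, not a real capture.
    sample = Message("accounts@example-invoices.test", "Your Invoice 4471",
                     "Please see the attached payment details.", ["INV-4471.docm"])
    print(triage(sample))
```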

Emotet uses a number of tricks to prevent detection and analysis. It is polymorphic, meaning it can change itself every time it is downloaded, which defeats signature-based detection. Moreover, Emotet checks whether it is running inside a virtual machine (VM) and will lie dormant if it detects a sandbox environment.

Emotet also uses C&C servers to receive updates. This works in the same way as the operating system updates on your PC and can happen seamlessly and without any outward signs. It allows the attackers to install updated versions of the software, install additional malware such as other banking Trojans, or use the servers as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.

How does Emotet spread?

The primary distribution method for Emotet is through malspam. Emotet ransacks your contacts list and sends itself to your friends, family, coworkers and clients. Since these emails are coming from your hijacked email account, the emails look less like spam and the recipients, feeling safe, are more inclined to click bad URLs and download infected files.

If a connected network is present, Emotet spreads using a list of common passwords, guessing its way onto other connected systems in a brute-force attack. If the password to the all-important human resources server is simply “password” then it’s likely Emotet will find its way there.

Another method that Emotet uses to spread is through the EternalBlue/DoublePulsar vulnerabilities, which were responsible for the WannaCry and NotPetya attacks. These attacks take advantage of vulnerabilities in Windows that can allow the installation of malware without human interaction.

This ability to self-replicate, like a type of malware we call a worm, causes endless headaches for network administrators across the globe as Emotet spreads itself from system to system.
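The password-guessing spread described above leaves a distinctive trace: one source host failing logons against many different accounts within seconds. The following is an added detection example written for this page, not code from the original article; the log line format and the sample entries are constructed.

```python
# Added example (not from the original article): flag sources whose failed
# logons fan out across many accounts in a short window, the footprint of a
# worm-like brute-force spread rather than a user mistyping a password.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log; the format is an assumption.
SAMPLE_LOG = """\
2018-07-12T09:58:40 host=HR-SRV src=10.0.0.15 user=alice result=FAIL
2018-07-12T09:58:41 host=HR-SRV src=10.0.0.15 user=bob result=FAIL
2018-07-12T09:58:41 host=HR-SRV src=10.0.0.15 user=carol result=FAIL
2018-07-12T09:58:42 host=HR-SRV src=10.0.0.15 user=dave result=FAIL
2018-07-12T09:58:42 host=HR-SRV src=10.0.0.15 user=erin result=FAIL
2018-07-12T09:58:43 host=HR-SRV src=10.0.0.15 user=frank result=FAIL
2018-07-12T09:58:44 host=HR-SRV src=10.0.0.15 user=admin result=SUCCESS
2018-07-12T10:15:02 host=HR-SRV src=10.0.0.22 user=grace result=FAIL
2018-07-12T10:15:09 host=HR-SRV src=10.0.0.22 user=grace result=SUCCESS
"""

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_spraying_sources(log_text, window=timedelta(seconds=60), min_accounts=5):
    """Return {src: (max distinct accounts failed within `window`, later success?)}
    for every source that fails against at least `min_accounts` distinct users."""
    failures = defaultdict(list)   # src -> [(ts, user)]
    successes = defaultdict(set)   # src -> users it eventually logged in as
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["result"] == "FAIL":
            failures[rec["src"]].append((rec["ts"], rec["user"]))
        else:
            successes[rec["src"]].add(rec["user"])
    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding window over failures
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({u for _, u in events[start:end + 1]})
            if distinct >= min_accounts:
                prev = alerts.get(src, (0, False))[0]
                alerts[src] = (max(prev, distinct), bool(successes.get(src)))
    return alerts

if __name__ == "__main__":
    print(find_spraying_sources(SAMPLE_LOG))
```

A source that both sprayed and then succeeded (the `True` flag) is the one to isolate first, since the article notes a clean host is reinfected as soon as it rejoins an infected network.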

What is the history of Emotet?

First identified in 2014, Emotet continues to infect systems and hurt users to this day, which is why we’re still talking about it, unlike other trends from 2014 (Ice Bucket Challenge anyone?).

Version one of Emotet was designed to steal bank account details by intercepting internet traffic. Shortly afterwards, a new version of the software was detected. This version, dubbed Emotet version two, came packaged with several modules, including a money transfer system, a malspam module, and a banking module that targeted German and Austrian banks.

By January of 2015, a new version of Emotet appeared on the scene. Version three contained stealth modifications designed to keep the malware flying under the radar and added new Swiss banking targets.

Fast forward to 2018: Current versions of the Emotet Trojan include the ability to install other malware to infected machines. This malware may include other banking Trojans or malspam delivery services.

Who does Emotet target?

Everyone is a target for Emotet. To date, Emotet has hit individuals, companies, and government entities across the United States and Europe, stealing banking logins, financial data, and even Bitcoin wallets.

One noteworthy Emotet attack on the City of Allentown, PA, required direct help from Microsoft’s incident response team to clean up and reportedly cost the city upwards of $1M to fix.

Now that Emotet is being used to download and deliver other banking Trojans, the list of targets is potentially even broader. Early versions of Emotet were used to attack banking customers in Germany. Later versions of Emotet targeted organizations in Canada, the United Kingdom, and the United States.

How can I protect myself from Emotet?

You’re already taking the first step towards protecting yourself and your users from Emotet by learning how Emotet works. Here are a few additional steps you can take:

  1. Keep your computer/endpoints up-to-date with the latest patches for Microsoft Windows. Emotet may rely on the Windows EternalBlue vulnerability to do its dirty work, so don’t leave that back door open into your network.
  2. Don’t download suspicious attachments or click a shady-looking link. Emotet can’t get that initial foothold on your system or network if you avoid those suspect emails. Take the time to educate your users on how to spot malspam.
  3. Educate yourself and your users on creating a strong password. While you’re at it, start using two-factor authentication.
  4. You can protect yourself and your users from Emotet with a robust cybersecurity program that includes multi-layered protection. Malwarebytes business and premium consumer products detect and block Emotet in real time.

How can I remove Emotet?

If you suspect you’ve already been infected by Emotet, don’t freak out. If your computer is connected to a network, isolate it immediately. Once isolated, proceed to patch and clean the infected system. But you’re not done yet. Because of the way Emotet spreads across your network, a clean computer can be re-infected when plugged back into an infected network. Clean each computer on your network one by one. It’s a tedious process, but Malwarebytes business solutions can make it easier, isolating and remediating infected endpoints and offering proactive protection against future Emotet infections.

If knowing is half the battle, head over to Malwarebytes Labs to learn more about how Emotet evades detection and how Emotet’s code works.