Emotet

Description

(Malwarebytes) Emotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.

Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers.

Emotet uses a number of tricks to try and prevent detection and analysis. Notably, Emotet knows if it’s running inside a virtual machine (VM) and will lay dormant if it detects a sandbox environment, which is a tool cybersecurity researchers use to observe malware within a safe, controlled space.

Emotet also uses C&C servers to receive updates. This works in the same way as the operating system updates on your PC and can happen seamlessly and without any outward signs. This allows the attackers to install updated versions of the software, install additional malware such as other banking Trojans, or to act as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.

Names

Name
Emotet
Geodo
Heodo

Category

Malware

Type

• Banking trojan
• Downloader
• Botnet

Information

• https://www.malwarebytes.com/emotet/
• https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
• http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/
• http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1
• https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html
• https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage
• https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/
• https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/
• https://github.com/d00rt/emotet_research
• https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html
• https://www.us-cert.gov/ncas/alerts/TA18-201A
• https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack
• https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/
• https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html
• https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/
• https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/
• https://research.checkpoint.com/emotet-tricky-trojan-git-clones/
• https://www.cert.pl/en/news/single/analysis-of-emotet-v4/
• https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor
• https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/
• https://persianov.net/emotet-malware-analysis-part-1
• https://persianov.net/emotet-malware-analysis-part-2
• https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol
• https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/
• https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
• https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/
• https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader
• https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/
• https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/
• https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69
• https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/
• https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/
• https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/
• https://blog.barracuda.com/2020/06/19/emotet-emerges-as-a-leader-in-maas/
• https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/
• https://www.bleepingcomputer.com/news/security/emotet-botnet-is-now-heavily-spreading-qakbot-malware/
• https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/
• https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/
• https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/
• https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/
• https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return
• https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/
• https://www.bleepingcomputer.com/news/security/epic-fail-emotet-malware-uses-fake-windows-10-mobile-attachments/
• https://www.zdnet.com/article/france-japan-new-zealand-warn-of-sudden-spike-in-emotet-attacks/
• https://www.bleepingcomputer.com/news/security/emotet-double-blunder-fake-windows-10-mobile-and-outdated-messages/
• https://unit42.paloaltonetworks.com/emotet-thread-hijacking/
• https://www.zdnet.com/article/microsoft-italy-and-the-netherlands-warn-of-increased-emotet-activity/
• https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures
• https://us-cert.cisa.gov/ncas/alerts/aa20-280a
• https://www.darkreading.com/edge/theedge/emotet-101-how-the-ransomware-works----and-why-its-so-darn-effective/b/d-id/1339124
• https://www.zdnet.com/article/new-emotet-attacks-use-fake-windows-update-lures/
• https://www.bleepingcomputer.com/news/security/emotet-malware-now-wants-you-to-upgrade-microsoft-word/
• https://blog.malwarebytes.com/malwarebytes-news/2020/10/new-emotet-delivery-method-spotted-during-downward-detection-trend/
• https://www.bleepingcomputer.com/news/security/emotet-malware-wants-to-invite-you-to-a-halloween-party/
• https://cofense.com/variants-of-emotet-malware/
• https://blog.talosintelligence.com/2020/11/emotet-2020.html
• https://thehackernews.com/2020/11/anyrun-emotet-malware-analysis.html
• https://securelist.com/the-chronicles-of-emotet/99660/
• https://www.darkreading.com/threat-intelligence/emotet-campaign-restarts-after-seven-week-hiatus/d/d-id/1339792
• https://blog.malwarebytes.com/cybercrime/2020/12/emotet-returns-just-in-time-for-christmas/
• https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/
• https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/
• https://threatpost.com/emotets-takedown-have-we-seen-the-last-of-the-malware/163636/
• https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
• https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/
• https://unit42.paloaltonetworks.com/emotet-command-and-control/
• https://blog.sonicwall.com/en-us/2021/04/emotet-and-trickbot-the-battle-of-the-botnets/
• https://www.troyhunt.com/data-from-the-emotet-malware-is-now-searchable-in-have-i-been-pwned-courtesy-of-the-fbi-and-nhtcu/
• https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware
• https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return
• https://www.deepinstinct.com/blog/the-re-emergence-of-emotet
• https://www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/
• https://blog.malwarebytes.com/trojans/2021/12/emotets-back-and-it-isnt-wasting-any-time/
• https://www.cybereason.com/blog/threat-alert-the-return-of-emotet
• https://www.bleepingcomputer.com/news/security/emotet-starts-dropping-cobalt-strike-again-for-faster-attacks/
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/emotets-uncommon-approach-of-masking-ip-addresses/
• https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot
• https://unit42.paloaltonetworks.com/new-emotet-infection-method/
• https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.html
• https://www.cybereason.com/blog/threat-alert-emotet-targeting-japanese-organizations
• https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
• https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii
• https://blog.lumen.com/emotet-redux/
• https://cofense.com/blog/emotet-spoofs-irs-in-tax-season/
• https://blogs.cisco.com/security/emotet-is-back
• https://securelist.com/emotet-modules-and-recent-attacks/106290/
• https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak
• https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/
• https://www.bleepingcomputer.com/news/security/emotet-malware-infects-users-again-after-fixing-broken-installer/
• https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques
• https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/
• https://blog.malwarebytes.com/cybercrime/malware/2022/04/emotet-fixes-bug-in-code-resumes-spam-campaign/
• https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/
• https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken—the-resurgence-of-the-emotet-botnet-malw.html
• https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-credit-cards-from-google-chrome-users/
• https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/
• https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return
• https://www.deepinstinct.com/blog/emotet-vacation-is-over-no-rest-for-the-wicked
• https://thehackernews.com/2022/11/all-you-need-to-know-about-emotet-in.html
• https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion
• https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/
• https://www.deepinstinct.com/blog/emotet-again-the-first-malspam-wave-of-2023
• https://cofense.com/blog/the-evolution-of-emotet-malware/
• https://www.trendmicro.com/en_us/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html
• https://www.bleepingcomputer.com/news/security/emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses/
• https://www.malwarebytes.com/blog/news/2023/03/beware-fake-irs-tax-email-delivers-emotet-malware
• https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/

Mitre Attack

• https://attack.mitre.org/software/S0367/

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

Alienvault Otx

• https://otx.alienvault.com/browse/pulses?q=tag:Emotet

Playbook

• https://github.com/JPCERTCC/EmoCheck/
• https://pan-unit42.github.io/playbook_viewer/?pb=emotet

Other Information

Uuid

d4a0a8b0-b19e-4558-8292-d39ce17933fa

Last Card Change

2024-03-10