Emotet – From Banking Trojan to the Largest Botnet
Author: Itay Bochner
Summary
Emotet’s name has appeared in the news quite often recently after a long period under the radar, especially in the context of widespread ransomware attacks and advanced phishing campaigns. It is an advanced Trojan commonly distributed via email attachments and links that, once clicked, launch the payload. Emotet functions as a dropper for other malware.
What makes Emotet so special that it has become the largest botnet used by threat actors?
To understand that, we will start from the beginning...
Emotet Explained
Emotet was first identified in 2014 when customers of German and Austrian banks were affected by the Trojan. It was developed as a simple Trojan with the ability to steal sensitive and private information. As it evolved it gained more functionalities, such as spamming and malware delivery services (a Dropper) that, after infecting a PC, installed other malware. Usually the following programs are dropped:
- TrickBot: a banking Trojan that attempts to gain access to the login data of bank accounts.
- Ryuk: a ransomware that encrypts data and blocks the user of the computer from accessing this data or the entire system.
Emotet spreads with worm-like features via phishing email attachments or links that load a phishing attachment. After being opened, Emotet works to spread throughout a network by guessing admin credentials and using them to remotely write to shared drives using the SMB file-sharing protocol, which gives the attacker the ability to move laterally through a network.
According to US-CISA:
Emotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch the payload (Phishing: Spearphishing Attachment [T1566.001], Phishing: Spearphishing Link [T1566.002]). The malware then attempts to proliferate within a network by brute forcing user credentials and writing to shared drives (Brute Force: Password Guessing [T1110.001], Valid Accounts: Local Accounts [T1078.003], Remote Services: SMB/Windows Admin Shares [T1021.002]).
The above emphasizes why Emotet is difficult to prevent: its evasion techniques and “worm-like” features enable it to spread laterally within the network on its own, without further operator interaction.
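The spreading chain CISA describes (password guessing, a successful network logon with the guessed account, then writes to SMB admin shares) leaves a recognisable trail in Windows Security event logs. The following detection logic is an added example written for this post, not OPSWAT's code or any product's rule; it runs over a constructed sample log in a flattened one-line-per-event format (the event IDs 4625, 4624 and 5140 and the logon type are real Windows Security fields, but the line layout and the hosts and accounts are assumptions made for the example). It correlates the three steps by source address within a time window and raises one alert per completed chain.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, flattened from the Windows Security event fields that
# matter here: 4625 = failed logon, 4624 = successful logon (logon_type 3 =
# network), 5140 = a network share object was accessed. Not a real capture.
SAMPLE_EVENTS = [
    "2020-10-06T09:00:01 4625 src=10.0.0.23 user=administrator logon_type=3",
    "2020-10-06T09:00:02 4625 src=10.0.0.23 user=administrator logon_type=3",
    "2020-10-06T09:00:03 4625 src=10.0.0.23 user=administrator logon_type=3",
    "2020-10-06T09:00:04 4625 src=10.0.0.23 user=administrator logon_type=3",
    "2020-10-06T09:00:05 4625 src=10.0.0.23 user=administrator logon_type=3",
    "2020-10-06T09:00:06 4625 src=10.0.0.23 user=administrator logon_type=3",
    "2020-10-06T09:00:07 4624 src=10.0.0.23 user=administrator logon_type=3",
    r"2020-10-06T09:00:09 5140 src=10.0.0.23 user=administrator share=\\FILESRV01\ADMIN$",
    # A user who mistyped a password once and then opened an ordinary share.
    "2020-10-06T09:02:00 4625 src=10.0.0.50 user=jdoe logon_type=3",
    "2020-10-06T09:02:05 4624 src=10.0.0.50 user=jdoe logon_type=3",
    r"2020-10-06T09:02:08 5140 src=10.0.0.50 user=jdoe share=\\FILESRV01\Public",
]

# Hidden administrative shares referred to by T1021.002 (SMB/Windows Admin Shares).
ADMIN_SHARES = {"ADMIN$", "C$"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) src=(?P<src>\S+) user=(?P<user>\S+)"
    r"(?: logon_type=(?P<logon_type>\d+))?(?: share=(?P<share>\S+))?$"
)


def parse_event(line):
    """Parse one flattened event line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["eid"] = int(ev["eid"])
    return ev


def detect_lateral_movement(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Flag the chain: repeated failed logons -> network logon success -> admin share access.

    All three steps must come from the same source address within `window`.
    Returns a list of alert dicts (empty when nothing matches).
    """
    failures = defaultdict(deque)  # src -> timestamps of recent 4625 events
    suspects = {}                  # src -> (user, time of the success that followed guessing)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()          # drop failures that fell outside the window
        if ev["eid"] == 4625:
            recent.append(ts)
        elif ev["eid"] == 4624 and ev["logon_type"] == "3":
            if len(recent) >= fail_threshold:
                suspects[src] = (ev["user"], ts)
        elif ev["eid"] == 5140 and src in suspects and ev["share"]:
            user, success_ts = suspects[src]
            share_name = ev["share"].rsplit("\\", 1)[-1].upper()
            if share_name in ADMIN_SHARES and ts - success_ts <= window:
                alerts.append({"src": src, "user": user,
                               "share": ev["share"], "ts": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print("possible credential guessing followed by admin share access:", alert)
```

The threshold and window are deliberately parameters: a single mistyped password followed by a normal share open (the second host in the sample) must not fire, while a burst of failures that ends in a network logon and an ADMIN$ or C$ access from the same address does. In a SIEM the same logic maps onto the IpAddress, LogonType and ShareName fields of the native events.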
Another key feature is that Emotet uses modular DLLs (Dynamic Link Libraries) to continuously evolve and update its capabilities.
Recent Activity
There have been numerous reports indicating a large increase in the use of Emotet:
- Detected attacks using the Emotet Trojan soared by over 1200% from Q2 to the third quarter of this year, supporting a surge in ransomware campaigns, according to the latest data from HP Inc. (https://www.infosecurity-magazine.com/news/ransomware-alert-as-emotet/)
- Since July 2020, CISA has seen increased activity involving Emotet-associated indicators. During that time, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian and executive branch networks, has detected roughly 16,000 alerts related to Emotet activity. (https://us-cert.cisa.gov/ncas/alerts/aa20-280a)
- Microsoft, Italy, and the Netherlands last month warned of a spike in Emotet malicious spam activity, which came a few weeks after France, Japan and New Zealand issued their alerts over Emotet. (https://www.zdnet.com/article/us-warns-big-surge-in-emotet-malware-campaigns-makes-it-one-of-todays-top-threats/)
- In recent weeks, we have seen significantly more Emotet Malspam. (https://unit42.paloaltonetworks.com/emotet-thread-hijacking/)
What is quite unique in Emotet’s behavior during this new wave is the change of Emotet’s spam campaigns, which are now also leveraging password-protected ZIP files instead of Office documents.
The idea is that by using password-protected files, email security gateways can't open the archive to scan its content and won't see traces of Emotet malware inside.
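A gateway that cannot open an archive still has a safe answer: the ZIP format advertises encryption in its header flags, so the archive can be held back precisely because its contents cannot be scanned. The code below is an added example written for this post (not OPSWAT's code or any MetaDefender logic); it builds constructed ZIP samples in memory with the standard library and triages them. The builder only patches the "encrypted" flag bit onto placeholder data so that readers see an encrypted archive; the file-type list is an assumption of what a dropper-carrying archive typically contains.

```python
import io
import os
import struct
import zipfile

# File types a macro or script dropper usually arrives as (assumed list for the
# example); an archive holding one of these needs inspection even when readable.
RISKY_EXT = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb", ".ppt",
             ".pptm", ".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".dll", ".lnk"}


def build_sample_zip(members, encrypted=False):
    """Constructed test input: a ZIP built in memory from (name, bytes) pairs.

    When `encrypted` is set, general-purpose flag bit 0 ("traditional encryption")
    is patched into every local file header and central directory entry, which is
    what a reader inspects; the member data stays placeholder text, not ciphertext.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    blob = bytearray(buf.getvalue())
    if encrypted:
        # Flag field offset: 6 in local headers (PK\x03\x04), 8 in central entries (PK\x01\x02).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = blob.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", blob, pos + off)
                struct.pack_into("<H", blob, pos + off, flags | 0x1)
                pos = blob.find(sig, pos + len(sig))
    return bytes(blob)


def triage_archive(data):
    """Return (verdict, reasons) for an attachment. Verdicts: quarantine, inspect, clean."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "inspect", ["not a valid ZIP archive; route to sandbox/CDR"]
    encrypted, risky = [], []
    for info in zf.infolist():
        if info.is_dir():
            continue
        if info.flag_bits & 0x1:  # bit 0 set: this entry is encrypted
            encrypted.append(info.filename)
        if os.path.splitext(info.filename)[1].lower() in RISKY_EXT:
            risky.append(info.filename)
    if encrypted:
        # The gateway cannot look inside, so the file must not be passed on trust.
        return "quarantine", [f"encrypted entry cannot be scanned: {n}" for n in encrypted]
    if risky:
        return "inspect", [f"macro/script-capable file inside archive: {n}" for n in risky]
    return "clean", ["all entries readable, no risky file types"]


if __name__ == "__main__":
    sample = build_sample_zip([("invoice.docm", b"placeholder")], encrypted=True)
    print(triage_archive(sample))
```

The point of the three verdicts is that "unscannable" is itself a signal: an encrypted archive arriving by email is quarantined for a human or a password-aware sandbox rather than delivered, while a readable archive with an Office or script file inside goes to inspection (or CDR) and only an archive of inert content passes.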

Palo Alto Networks also published a new technique used by Emotet called Thread Hijacking. It is an email attack technique that utilizes legitimate messages stolen from infected computers’ email clients. This Malspam spoofs a legitimate user and impersonates a reply to the stolen email. Thread hijacked Malspam is sent to addresses from the original message.
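Because a hijacked thread quotes a genuine earlier message, the reply itself looks legitimate; what the spoofing usually cannot fake is the envelope. The following header check is an added example written for this post, not Palo Alto Networks' or OPSWAT's code: it parses a constructed message (placeholder domains, not a real capture) with the standard `email` module and scores the combination of "reply to an existing thread", "envelope sender domain differs from the From domain" and "archive attachment". It assumes the receiving MTA has already stamped Return-Path from the SMTP envelope, as most do.

```python
from email import message_from_string
from email.utils import parseaddr

ARCHIVE_EXT = (".zip", ".rar", ".7z")

# Constructed sample: a "reply" that references a real thread, but whose envelope
# sender (Return-Path) is not from the domain shown in the From header.
HIJACKED_REPLY = """\
Return-Path: <bounce@mailer-hosting.example>
From: Alice Example <alice@partner.example>
To: bob@victim.example
Subject: RE: Invoice 2020-10
In-Reply-To: <20200930.1234@partner.example>
References: <20200930.1234@partner.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Bob, please see the attached document.

--b1
Content-Type: application/zip; name="Invoice.zip"
Content-Disposition: attachment; filename="Invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed benign reply on the same thread: aligned domains, no archive.
BENIGN_REPLY = """\
Return-Path: <alice@partner.example>
From: Alice Example <alice@partner.example>
To: bob@victim.example
Subject: RE: Invoice 2020-10
In-Reply-To: <20200930.1234@partner.example>
Content-Type: text/plain

Thanks Bob, received.
"""


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_reply(raw):
    """Return (verdict, signals): 'hold' when all three signals coincide,
    'review' for sender misalignment or an archive on its own, else 'pass'."""
    msg = message_from_string(raw)
    signals = []
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    if is_reply:
        signals.append("reply to an existing thread")
    from_dom, env_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    misaligned = bool(from_dom and env_dom and from_dom != env_dom)
    if misaligned:
        signals.append(f"envelope sender {env_dom} does not match From domain {from_dom}")
    archives = [p.get_filename() for p in msg.walk()
                if p.get_filename() and p.get_filename().lower().endswith(ARCHIVE_EXT)]
    signals.extend(f"archive attachment: {name}" for name in archives)
    if is_reply and misaligned and archives:
        return "hold", signals
    if misaligned or archives:
        return "review", signals
    return "pass", signals


if __name__ == "__main__":
    print(score_reply(HIJACKED_REPLY))
    print(score_reply(BENIGN_REPLY))
```

Envelope/From alignment is what DMARC formalises; the value of checking it in the thread-hijacking case is that the reply's subject, quoted text and recipients all come from a genuine conversation, so content-based filters have little to go on, whereas the sending infrastructure still has to identify itself to the receiving MTA.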

OPSWAT offers preventative solutions that can defend your organization from being attacked with Emotet. Our solutions help organizations prevent Emotet from getting into networks.
- Email Gateway Security stops phishing attacks.
- Secure Access helps with compliance validation.
- MetaDefender Core with Deep CDR (Content Disarm and Reconstruction) provides file upload security protection.
For more information, contact us today.