Emotet malware

Emotet is perhaps the most successful malware in history. It has caused enormous damage worldwide and has temporarily paralyzed, and in some cases seriously damaged, numerous companies and other institutions, especially in German-speaking countries. The malware is complex and is still under active development. This article explains how Emotet works and provides a practical example.

There was a time when malware could easily be divided into general categories such as viruses, worms or Trojans. Today the classical distinction is often no longer possible and the boundaries are blurred. Although thousands of malware samples appear every day and wreak havoc on the Internet for a certain period of time, some of them continue to spread successfully even after years because, on the one hand, they exploit vulnerabilities that are difficult to patch and, on the other hand, they act intelligently, in several stages, and are constantly being improved.

Emotet falls into this category. Originally released as a banking Trojan, the malware was first discovered in 2014. It has since gone through several stages of evolution and is still active and extremely dangerous today.

History of Emotet

When Emotet was first discovered, the malware attempted to intercept banking credentials as part of a man-in-the-browser attack. However, this was only a relatively harmless beginning. Since then, the malware has undergone significant development.

Since late 2018, it has been able to read email contacts and even the contents of emails and use them to create new emails with credible content. The trick is that Emotet uses contacts from other infected systems and from there “replies” to an actual email conversation, for example, in the form of fake invoices or messages from banks.

This means that victims receive an email from one of their real contacts, whose response they may actually be waiting for. Even the subject, greeting and signature in the email are consistent with the previous message, which makes the fake email so credible that even wary users click on the link or open the attachment it contains.

Various well-known companies and organizations (including government agencies) have become victims of Emotet. In some cases, this resulted in a massive outage of IT infrastructure, which subsequently had to be significantly rebuilt to ensure integrity. Some examples of this will be discussed later in this article.

APT is the basis of Emotet

The method described is called "Outlook Harvest". In essence, this is a large-scale spam campaign that does not rely on primitively formatted, error-riddled spam messages distributed through botnets, but instead adapts so-called “APT attacks”. APT stands for Advanced Persistent Threat and describes a highly targeted and sophisticated attack on the IT infrastructure of high-value organizations with the aim of gaining full access to sensitive data and systems.

Attackers often act in several stages and show great patience. APT is often not about simply injecting random malware or getting a “quick win” by collecting a few credit card details, but about gradually penetrating deeper into the target network and obtaining truly interesting information. The tools used are adapted to the respective purpose.

Emotet takes advantage of this concept by adapting and automating the APT approach. Already infected computers, or rather their users' email clients (such as Outlook), are searched for contacts and email content, which are then used to create and send new emails with authentic-looking content and manipulated links or attachments. When the recipient clicks on the link or opens the attachment, malicious code is installed, either through a drive-by download or, for example, through malicious macros in Office documents.

Emotet payload

Emotet's approach is varied. The malware supports various infection methods and downloads further malware through an intermediate stage. In 2018, for example, according to experts, the Trickbot banking Trojan was frequently downloaded as a follow-on payload. Trickbot uses the well-known Mimikatz tool to obtain credentials for other Windows systems on the network, or gains access to other computers through SMB vulnerabilities such as EternalBlue or EternalRomance.

Widespread system failures occur at this stage. Because the downloaded malware changes constantly, and some of it is deeply embedded in compromised systems, antivirus programs often do not recognize it; even when they do, a complete cleanup is often impossible, so a major reinstallation of the IT infrastructure is frequently required after an Emotet infection.

Apart from its original function as a banking Trojan, Emotet is capable of downloading any other malware as a follow-on payload. In addition to cryptominers, this includes, in particular, ransomware such as Ryuk. Once Emotet has established itself on the target network via Trickbot, Ryuk is deployed and the entire server landscape is encrypted in order to issue a ransom demand, to be paid in Bitcoin.

Emotet infection in practice

The malware is flexible, diverse, and subject to constant change and expansion, so there is hardly a single way to describe Emotet's approach. Therefore, here are some examples of known infections caused by Emotet.

Perhaps the most widely reported case is the infection of a company’s IT infrastructure that began on May 13, 2019, and was handled, documented, and presented to the public in an exemplary manner by the company, so that other organizations could learn from it and prevent infection.

That day, an employee opened what appeared to be a credible email and the attachment it contained. The Emotet dropper was able to install and establish itself on the employee's Windows system. Various further malware was then downloaded and the company's network was infected. In some cases, AV programs also sounded the alarm, so a superficial cleanup was carried out.

However, it became clear that this had not resolved the root cause when, some time later, the firewall log files showed various connections to Emotet servers on port 449/tcp. There were also suspicious calls to the Active Directory domain controllers. Essentially, the Windows 10 systems whose users had administrator rights were compromised first, and then the remaining Windows 7 systems.
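The firewall entries described above are the kind of signal a defender can search for systematically. The following script is an added example, not part of the article or of the affected company's material: it parses a small set of constructed firewall log lines (the key=value format, the addresses and the hit threshold are assumptions) and reports internal hosts that repeatedly connect outbound on 449/tcp, counting blocked attempts separately because a denied connection still points at an infected source host.

```python
"""Find internal hosts connecting outbound on 449/tcp in firewall logs.

Added example, not from the article. The log format, the sample
addresses and the threshold are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in an assumed key=value format.
SAMPLE_LOG = """\
2019-05-14T08:01:12 action=allow proto=tcp src=10.0.5.23 sport=51012 dst=203.0.113.10 dport=449
2019-05-14T08:01:45 action=allow proto=tcp src=10.0.5.23 sport=51020 dst=203.0.113.10 dport=449
2019-05-14T08:02:03 action=allow proto=tcp src=10.0.7.81 sport=49322 dst=93.184.216.34 dport=443
2019-05-14T08:02:30 action=allow proto=tcp src=10.0.5.23 sport=51031 dst=198.51.100.77 dport=449
2019-05-14T08:03:01 action=deny proto=tcp src=10.0.9.4 sport=40001 dst=203.0.113.10 dport=449
2019-05-14T08:03:15 action=allow proto=tcp src=10.0.2.2 sport=53201 dst=10.0.2.1 dport=449
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=\d+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# RFC 1918 ranges stand in for "our network"; adjust to the real address plan.
# (Explicit ranges rather than ip_address().is_private, which also treats the
# documentation ranges used in the sample as private.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SUSPECT_PORTS = {449}  # the port named in the article's firewall logs


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return a dict of fields, or None for a line in an unknown format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_suspect_hosts(log_text: str, min_hits: int = 2) -> dict:
    """Map internal source -> stats for outbound TCP hits on SUSPECT_PORTS."""
    stats = defaultdict(lambda: {"hits": 0, "denied": 0, "destinations": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in SUSPECT_PORTS:
            continue
        # Only internal -> external traffic matters for this check.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        entry = stats[rec["src"]]
        entry["hits"] += 1
        entry["destinations"].add(rec["dst"])
        if rec["action"] == "deny":
            entry["denied"] += 1
    return {
        src: {"hits": e["hits"], "denied": e["denied"],
              "destinations": sorted(e["destinations"])}
        for src, e in stats.items() if e["hits"] >= min_hits
    }


if __name__ == "__main__":
    for src, info in find_suspect_hosts(SAMPLE_LOG).items():
        print(f"{src}: {info['hits']} hits ({info['denied']} denied) -> "
              f"{', '.join(info['destinations'])}")
```

With the default threshold only 10.0.5.23 is reported; lowering `min_hits` to 1 also surfaces 10.0.9.4, whose single attempt was blocked. In practice the same logic would be run against exported firewall logs or as a SIEM correlation rule, with the port list extended to whatever indicators are current.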

The attempt to block connections to the command-and-control servers was soon abandoned, as new connections kept appearing. The result was a complete quarantine and complete isolation of the company’s network from the Internet. The company itself estimates the actual costs at more than 50,000 euros.

In the past, Emotet has infected many companies, as well as government agencies, universities, hospitals, and other public institutions. In some cases, this led to production downtime and even quarantine, as a result of which services were not provided and employees had to be sent on forced leave.

Protection from Emotet

First of all, it is important to take general basic security measures: installing current security updates, making regular backups, and allowing only signed macros in MS Office. Regarding the latter, Microsoft has published recommendations on how Microsoft Office products can be securely configured to reduce the attack surface of companies. Alternatively, you can use, for example, LibreOffice, since Office macros do not run there.

The main gateway is credible phishing emails, as described at the beginning. While it may be difficult to identify such emails as fake, it is still possible, as small details are often inconsistent and should raise suspicion among trained users. For example, it is suspicious if a response from a property management employee suddenly uses the same nickname as the user. In principle, attachments that were not explicitly requested should be distrusted, just like hyperlinks in an email.
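The macro advice in the previous paragraph and the "small inconsistencies" in this one can both be checked mechanically at a mail gateway. The script below is an added example, not part of the article: it takes a raw message and flags three things, a subject that claims to be a reply while the threading headers (In-Reply-To, References) are missing, a sender display name that matches a known contact whose address is different, and an Office attachment that carries a VBA project, including a .docx whose content must not contain macros at all. The address book, the messages and the minimal OOXML-style attachment are constructed here; the names and addresses are placeholders.

```python
"""Triage an incoming mail for the inconsistencies the article lists.

Added example, not from the article. Address book, messages and the
attachment are constructed; names and addresses are placeholders.
"""
import io
import os
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed address book: display name -> the address we know for it.
ADDRESS_BOOK = {"Anna Meier": "anna.meier@example-hausverwaltung.de"}

REPLY_PREFIX = re.compile(r"^\s*(re|aw|wg|fw|fwd)\s*:", re.IGNORECASE)
MACRO_FREE_EXT = {".docx", ".xlsx", ".pptx"}  # OOXML types that must not carry VBA


def _fake_docx(with_macro: bool) -> bytes:
    """Minimal OOXML-style zip (not a valid Word file) for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()


def build_suspicious_message() -> bytes:
    """Reply-looking mail from a known name at an unknown address, with macros."""
    msg = EmailMessage()
    msg["From"] = "Anna Meier <anna.meier@mail-example.net>"  # same name, other domain
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: Nebenkostenabrechnung 2018"
    msg.set_content("Hallo, anbei die korrigierte Abrechnung.")
    msg.add_attachment(_fake_docx(with_macro=True), maintype="application",
                       subtype="octet-stream", filename="Abrechnung.docx")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Genuine reply: known address, threading headers present, no attachment."""
    msg = EmailMessage()
    msg["From"] = "Anna Meier <anna.meier@example-hausverwaltung.de>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: Nebenkostenabrechnung 2018"
    msg["In-Reply-To"] = "<1234@example.com>"
    msg["References"] = "<1234@example.com>"
    msg.set_content("Hallo, die Abrechnung kommt per Post.")
    return msg.as_bytes()


def attachment_findings(part) -> list:
    """Flag OOXML attachments containing a VBA project."""
    name = part.get_filename() or ""
    data = part.get_payload(decode=True) or b""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba:
        findings.append(f"macro-in-attachment:{name}")
        if os.path.splitext(name.lower())[1] in MACRO_FREE_EXT:
            # A macro-free extension hiding a VBA project is a mismatch in itself.
            findings.append(f"extension-mismatch:{name}")
    return findings


def triage(raw: bytes, address_book: dict = ADDRESS_BOOK) -> list:
    """Return a list of finding codes; an empty list means nothing stood out."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "")
    if REPLY_PREFIX.match(subject) and not (msg["In-Reply-To"] or msg["References"]):
        findings.append("reply-without-thread-headers")
    name, addr = parseaddr(str(msg["From"] or ""))
    known = address_book.get(name)
    if known and known.lower() != addr.lower():
        findings.append(f"display-name-address-mismatch:{addr}")
    for part in msg.iter_attachments():
        findings.extend(attachment_findings(part))
    return findings


if __name__ == "__main__":
    print("suspicious:", triage(build_suspicious_message()))
    print("benign:", triage(build_benign_message()))
```

None of these checks is conclusive on its own (legitimate senders do change addresses, and some mail clients drop References), which is why the function returns every finding rather than a verdict; the combination of a missing thread, a changed address and a macro-bearing attachment is what should put the message in quarantine for a human to look at.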

The company example above made it clear that users should not work with administrator rights. In addition, passwords should not be saved in browsers; a password manager should be used instead. In this context, complex and strong passwords should be used for privileged accounts, as Emotet attempts to determine passwords using brute-force methods. Where possible, two-factor authentication (2FA) should be implemented.

Another important security function in corporate networks is the control of Internet communications. This can be effectively achieved using next-generation firewalls, application gateways and proxies with associated content filtering and AV systems. These solutions, coupled with well-configured and maintained IDS/IPS or SIEM systems, provide an effective security measure.

Mainton Company - custom software development and testing, SEO and online advertising since 2004.