Emotet: A veritable Swiss Army knife of malicious capabilities
Formerly just a banking Trojan, Emotet is now one of the most dangerous and multifaceted malware out there.
According to Malwarebytes, it and Trickbot are part of the reason why Trojans topped their list of most common business detections in 2018.
Emotet’s initial incarnation dates back to 2014 but, in the intervening years, it has become a veritable Swiss Army knife of malicious capabilities.
- Download additional malware (often Trickbot)
- Collect information about the system if finds itself on and the processes running on it
- Stealing passwords stored in email applications and browsers
- Send out spam and malicious emails
- Thanks to its worm component, spread itself to other computers on the same network
- Perform brute-force attacks against accounts
- Set up proxy servers to keep its activities undetected for longer
- Steal crypto-wallets.
Anton Wendel, Security Engineer at G DATA Advanced Analytics, says that Emotet has been developed very professionally for years and that there are days when up to 200 new variants are discovered.
The malware comes with many modules and not all of them are activated on all of the compromised hosts. The gathering of information about the compromised system allows its makers to decide which modules should be activated and the activation is performed by sending instructions from the C&C server.
Emotet’s creators eschew using exploit kits to deliver the malware. Instead, they are using the malware’s spam module to shoot out fake emails that will lead victims to it. As they have access to the address books on the system, they can try to recreate relationship networks so that the messages are tailored for the various targets.
“Emotet uses MAPI (Messaging Application Programming Interface) to do so,” G DATA researchers explained.
“These functions are loaded as a module in the same process as Emotet itself and are executed without saving a file to disk. This tactic makes detection more difficult. You could say that Emotet uses the concept of file-less malware for its different modules. After the work is done, the code is removed from memory to avoid scrutiny.”
Emotet spam campaigns ebb and flow. The malicious spam either includes infected attachments or embedded URLs and appears to come from trusted sources to their recipients. The infected attachment usually comes in the form of a Microsoft Word document with macros enabled, and the path of infection relies on the user.
Wendel advises business administrators to disable the execution of macros across the enterprise via a Group Policy and to use their own signed macros if they are absolutely necessary for business operations.
Plugging the EternalBlue/DoublePulsar vulnerabilities through which it spreads laterally is also a must.
US-CERT has also outlined general best practices to limit the effect of Emotet and similar malspam.
UPDATE (May 27, 2019, 11:55 p.m. PT): Malwarebytes has recently pointed out that it’s not Emotet which uses the EternalBlue exploit to spread laterally, but TrickBot, a payload frequently loaded by Emotet.