What is Emotet?

Trojan horse on a red laptop screen with blind justice in front of it
(Image credit: Shutterstock)

Emotet, a notoriously stealthy malware, was first discovered in 2014. An early version of the banking trojan intercepted internet traffic to steal credentials.

Between 2016 and 2017, hackers reprogrammed Emotet to function as a loader, allowing its operators to download payloads or executable code onto infected hosts.

In 2020, Emotet’s attacks became global with its authors resorting to Trickbot and Qbot - Windows-based trojans - to infiltrate banking networks. A botnet of compromised machines was also set up to sustain the attacks.

What's more, access to hijacked computers and devices was sold in an infrastructure-as-a-service offering, a practice more commonly known as malware-as-a-service in the cyber security industry.

Althugh the Emotet botnet was disrupted by Europol in January 2021, which saw investigators seize control of several hundred servers that comprised Emotet’s infrastructure, it has since made a surprise return.

How does Emotet spread?

As of 2021, Emotet can bypass signature-based detection and propagate through five known installers: NetPass.exe, Outlook scraper, credential enumerator, Mail PassView, and WebBrowserPassView.

Here’s a run-down of each spreader module.

1. NetPass.exe: Captures network passwords stored on a system or external drives

2. Outlook scraper: Harvests email addresses and names from victims' Outlook accounts to send phishing emails from compromised accounts

3. Credential enumerator: Combines bypass and service modules into one self-extracting RAR file. The bypass component identifies network resources by locating writable share drives through server message blocks (SMB) protocol or brute-forcing an administrator's account. Upon finding the target system, the service component writes Emotet onto the disk.

4. Mail PassView: Forwards passwords and account details of email clients including Mozilla Thunderbird, Hotmail, Yahoo, and Gmail to the credential enumerator module

5. WebBrowserPassView: Gathers passwords stored in browsers, including Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera for use by the credential enumerator module

How stealthy is Emotet?

By and large, hackers inject Emotet through malspam- emails with malicious attachments or links- that mimic legitimate business communications and marketing campaigns.

For instance, a July 2018 Emotet malspam campaign of masqueraded PayPal receipts, shipping notifications, and outstanding multi-state information sharing and analysis center (MS-ISAC) invoices. After an unsuspecting user opens or clicks a malspam attachment, Emotet penetrates local networks through built-in spreader modules.


2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world


Among Emotet's defining traits are tenacity and endurance. Several applications share dynamic link libraries (DLL), allowing Emotet to adapt and renew its capabilities constantly. Additionally, Emotet generates random files that emulate Windows services in the system root directory. Execution of these services propagates malware throughout the network.

Attacks via Emotet can also result in permanent loss of confidential or proprietary information, service interruptions, high replacement costs, and negative publicity for an organization.

What are some ways to combat Emotet?

MS-ISAC and the national cyber security and communications integration center (NCCIC) recommend the following countermeasures against Emotet:

1. Revisit Group Policy settings

Windows’ Group Policy feature lets administrators configure and update operating systems, applications, and users' settings from a centralized location. A group policy object (GPO) refers to settings configured using the group policy editor in the Microsoft Management Console (MMC).

GPOs may also be used to create a Windows Firewall policy that restricts one of Emotet's access points: inbound SMB traffic. The protocol allows shared access to files, printers, and serial ports across a network.

2. Enable automatic antivirus updates

Keep your antivirus programs up-to-date by ensuring auto-updates to the software. A good precaution is to block file attachments commonly associated with malware, such as .exe and .dll files, and that antivirus software cannot scan, such as .zip files.

3. Implement filters for emails

A malspam filter on the email gateway can help shield against spam messages with malicious content and block potentially rogue IP addresses. Organizations may also mark external emails with a banner or icon to indicate their origin.

Businesses can also deploy domain-based message authentication, reporting, and conformance (DMARC), a security system that uses domain name system (DNS) records and digital signatures to detect email spoofing.

4. Train employees

Employee education goes a long way toward preventing targeted Emotet attacks. Cyber security experts recommend companies instruct their employees not to open suspicious emails, post sensitive data online, or respond to unsolicited emails requesting personal information.

How do you respond to an Emotet attack?

Malware variations can complicate security, reducing its effectiveness over time. If your system or network has been compromised, NCCIC and MS-ISAC recommend the following measures.

Using an antivirus program, assess system vulnerabilities and isolate the infected workstation. Avoid logging into the infected system using domain or local administrator credentials.

If multiple workstations are infected, the following steps are advised:

  1. Disconnect infected machines from the network
  2. Temporarily disable the network to prevent the malware from spreading
  3. Reexamine existing systems for Emotet indicators and move those unaffected to a separate local area network
  4. Reset passwords for domain and local accounts, including any applications stored on the compromised machines

Post attack, Emotet resets Outlook’s default settings to auto-forward all emails to an external address, leaving your data vulnerable. It is, therefore, crucial to review log files and Outlook settings to determine the initial access point or malware source.

Recent Emotet developments

A coordinated global action dubbed "Operation Lady Bird" brought down Emotet in January 2021. A total of eight countries contributed to the mission, including France, Lithuania, Netherlands, and the United States. With support from European Union Agency for Criminal Justice Cooperation (Eurojust) and European Union Agency for Law Enforcement Cooperation (Europol), global police forces in Germany and Ukraine shut down Emotet's servers, which led to arrests.

While the threat has been neutralized, it is advisable to take precautions to counter variants and replicas.

“A combination of both updated cybersecurity tools (antivirus and operating systems) and cybersecurity awareness is essential to avoid falling victim to sophisticated botnets like EMOTET,” explained Europol in a press release.

“Users should carefully check their email and avoid opening messages and especially attachments from unknown senders. If a message seems too good to be true, it likely is and emails that implore a sense of urgency should be avoided at all costs.”

However, in November 2021, multiple security researchers observed that the notorious malware strain is back in the wild and infecting systems. The researchers claimed that the new version of Emotet is being distributed by Trickbot; while in the past Emotet installed TrickBot, the threat actors are now using a method dubbed "Operation Reacharound" to rebuild the Emotet botnet using TrickBot's existing infrastructure.

"It appears that Emotet is now delivered in systems already compromised by TrickBot, " said Nikos Mantas, incident response expert at Obrela Security Industries. "This change in the delivery of the payload displays a new mindset by the attackers themselves. Instead of sending malicious emails and risking triggering any defence mechanisms, Emotet now is opting for stealthier delivery inside already infected systems. If Trickbot has gone unnoticed, then Emotet should be as well."