Emotet is a malware family that was first identified by cybersecurity specialists in 2014. In its earliest iterations, it functioned primarily as a banking trojan that attempted to steal financial credentials by intercepting a target system’s network traffic. In later iterations, malware authors took advantage of its persistence and ability to propagate across networks to adapt it into a robust delivery mechanism for spam and even other malware, including the Qakbot and Trickbot Trojans, as well as the Ryuk ransomware.

How Emotet works

Emotet’s initial attack vector was malicious documents containing macros that execute scripts to download an executable. These malicious documents were most frequently delivered via email. The emails may have appeared to come from trusted sources because Emotet impersonated its victims by taking direct control of their email accounts. They imitated innocuous invoices, shipping notices, or even information regarding COVID-19.
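As an added illustration (not part of the original article), the macro-to-script step described above can be hunted for in process-creation telemetry: the Python below flags any script interpreter whose ancestry includes an Office application, even through an intermediate shell. The event tuples, the process-name lists and the function names are assumptions constructed for this example.

```python
# Added example: constructed process-creation events, not real telemetry.
from ntpath import basename  # parses Windows paths on any platform

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}        # assumed document hosts
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe",  # assumed script interpreters
                "cscript.exe", "mshta.exe"}

# Constructed sample: (pid, parent pid, image path), in order of creation.
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    (300, 200, r"C:\Windows\System32\cmd.exe"),
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (600, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    (700, 600, r"C:\Windows\splwow64.exe"),
]


def name(image):
    """Lower-cased file name of a Windows image path."""
    return basename(image).lower()


def office_script_chains(events):
    """Return (pid, chain) for each script host that descends from an Office process."""
    procs = {}   # pid -> (ppid, image name); the latest event wins if a pid is reused
    alerts = []
    for pid, ppid, image in events:
        procs[pid] = (ppid, name(image))
        if name(image) not in SCRIPT_HOSTS:
            continue
        # Walk up the ancestry; 'seen' guards against loops caused by pid reuse.
        chain, cur, seen = [name(image)], ppid, {pid}
        while cur in procs and cur not in seen:
            seen.add(cur)
            parent_ppid, parent_name = procs[cur]
            chain.append(parent_name)
            if parent_name in OFFICE:
                alerts.append((pid, list(reversed(chain))))
                break
            cur = parent_ppid
    return alerts


if __name__ == "__main__":
    for pid, chain in office_script_chains(EVENTS):
        print(f"pid {pid}: {' -> '.join(chain)}")
```

The PowerShell process started directly from explorer.exe (pid 500) is not flagged, which keeps ordinary interactive use out of the results.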

Once a user unwittingly opens a malicious URL or attachment included in one of these emails, Emotet can spread rapidly by writing to shared drives and gaining access to user accounts. It then spreads further by brute-forcing domain credentials and using its onboard spam modules to send spam to more victims.

Due to the way Emotet spreads through networks, any infected machines on the same network will re-infect machines that have already been cleaned whenever they rejoin the network. The main Emotet binary is challenging to detect statically because of its complex packer.

Emotet attempts a huge number of attacks for a small number of successful infections. Upon a successful infection, the threat actors are able to efficiently gain a foothold within the network and deploy other malware or switch to manual attacks to achieve their objective.

History of Emotet

The Emotet Trojan was first identified by researchers in 2014. While its original iteration was engineered to steal banking information, later versions featured additional upgrades, including money transfer systems, improved stealth attributes, and botnet functionality. They also leaned more heavily on using it as a platform to propagate spam and other banking Trojans.

On compromised systems, Emotet regularly established contact with its command-and-control servers for updates and renewed payloads. In addition to minor changes, major updates were applied in 2015, 2018, 2019, and 2020. The volume and frequency of these updates have made Emotet difficult to detect by more traditional, static malware analysis methods.

In January of 2021, a multinational operation comprising eight countries, and spearheaded by Europol (the European Union Agency for Law Enforcement Cooperation), resulted in the seizure and disruption of the Emotet botnet infrastructure. Additionally, the operation included the arrest of at least two individuals allegedly tasked with maintaining elements of the botnet in Ukraine.