Rise and fall of Emotet

Emotet was the most threatening malware in the world. This nightmare of cybersecurity specialists challenged millions of infected computers and caused more than $2 billion in losses. And now the sophisticated botnet is taken down. 

Emotet was known as a destructive cyber threat out there. And ANY.RUN sandbox faced it a lot. Only in 2020, Trojan had 33,604 uploads in our service. Today we will talk about this botnet and trace the history of malware to its very end. 

Top malware by uploads in 2019 and 2020

The most dangerous malware 

Emotet appeared as a banking Trojan in 2014. And just in 3 years, Emotet improved majorly – it acquired polymorphic nature and began distribution of other malware to the infected machines. Trojan constantly advanced its evasion techniques. During Emotet’s existence, the malware had added advanced features and developed into a giant service of malware spreading.

Attacks of Emotet’s latest versions were held worldwide. Malware got computers and networks infected with other malicious programs by hijacked emails to deceive a user. 

The rise of Emotet

For 6 years Emotet had been a number 1 threat and challenged companies security.  Here are some notable steps of Emotet’s development: 

  • 2014: Emotet was a typical banking Trojan. It stole data and spammed. Fabricated financial documents were decoys for small German organizations to get their credentials. 
  • Late 2014: Malware acquired the module structure but remained a standard Trojan. 
  • 2015: Emotet updated the public RSA key, new address lists, and RC4 encryption. 
  • 2016: The Trojan became a polymorphic malware. Emotet installed other malicious programs on the victim’s machine. The attacks spread worldwide. 
  • 2018: A lot of loud attacks happened that caused severe damage: Allentown lost $1 million after the infection, Frankfurt had to shut down the network, and later the whole world had become a target. And to perform these crimes crooks used the latest versions of Emotet.

Interestingly, the Emotet’s delivery method had stayed the same during the whole malware history. Malicious spam and documents including VBA macros were the usual way for the malware to spread. Once an attachment was opened, the Office document lured a user to enable the macro. Then the attached macro executed having different scenarios up its sleeve.

One more peculiar thing about Emotet is its maldocs’ templates. The malware designed its own variants and always made researchers alert for new ones. Usually, templates consisted of maldocs’ kits that had fake updates or other messages. They embedded VBA macro and created different execution chains. Pretending to be a trustworthy resource worked out quite well, as victims fell for this trick and didn’t hesitate to open malicious document to enable VBA macro.

There is a great template collection in ANY.RUN’s public submissions. We advise you to investigate them, type the emotet-doc tag to find the mentioned maldocs.

The fall of Emotet 

The malware was the king of cyber threats. Up to 2021, the largest botnet in the world had menaced companies from all spheres. But it took us by surprise that on January, 27th a lot of countries with Europol and Eurojust, cooperated to take control of the infrastructure responsible for Emotet. It took 2 years of preparation to disrupt the advanced malware. 

The global joint work has resulted in taking over every critical C2 server, which means that hundreds of servers across the world were located. The victims’ infected computers have been redirected towards the law enforcement-controlled infrastructure.  

Now it is reported that the authors were Ukrainian citizens. Unfortunately, their names are still concealed.

Law enforcement is sending an Emotet module to the victims. It will uninstall the malware on March 25th, 2021. Now it’s safe to say that the Emotet era is over. Chances of a malware comeback are slim to none.

How to recognize Trojans with ANY.RUN?

Cybersecurity awareness is the essential key for safety and an excellent way to avoid any kind of threats. Users should check their emails and not open messages and attachments. If you suspect it to be not trustworthy – welcome to ANY.RUN. The sandbox allows checking whether the file has malicious activity or not. 

Suricata rulesets allow detecting malicious programs successfully. Moreover, the “Fake Net” feature steps forward while working with Trojans. The function blocks HTTP requests and returns a 404 error. This action leaves no choice to malware but to show its C2 links. This approach helps us to collect malware’s IOCs.

If this topic is interesting for you, go ahead and read the post in the Malware trends tracker to learn more about the Emotet execution process, its characteristics, distribution methods, you can also collect IOCs and get samples.

Conclusion

If Emotet is destroyed for good, it may represent a serious issue for cybercriminals. The legal forces’ work introduced a new approach to the effective fight with malware actors. However, they can survive without Emotet. It’s inevitable, we will face something else. 

Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments