{"id":1325,"date":"2021-02-05T06:02:36","date_gmt":"2021-02-05T06:02:36","guid":{"rendered":"\/cybersecurity-blog\/?p=1325"},"modified":"2024-07-24T07:55:00","modified_gmt":"2024-07-24T07:55:00","slug":"rise-and-fall-of-emotet","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/rise-and-fall-of-emotet\/","title":{"rendered":"Rise and Fall of Emotet"},"content":{"rendered":"\n<p class=\"has-normal-font-size\">Emotet was the most threatening malware in the world. This nightmare of cybersecurity specialists infected millions of computers and caused more than $2 billion in losses. Now the sophisticated botnet has been taken down.<\/p>\n\n\n\n<p>Emotet was known as one of the most destructive cyber threats out there, and the <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in_house&amp;utm_content=emotet\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"ANY.RUN sandbox (opens in a new tab)\">ANY.RUN sandbox<\/a> faced it a lot: in 2020 alone, the Trojan had 33,604 uploads in our service. Today we will talk about this botnet and trace the history of the malware to its very end.<\/p>\n\n\n\n<figure class=\"wp-block-image is-style-default\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/qcmHuFPZSrLlOEvCM53_uz2RgnEH9cVXJmgnkLXbdXIAfkQm_TptGFIy8cNCmS_5Sqqr8qtcpoMdh0oKpCbO_14HABJLWeyunAYcEp6tBg-6zzO7_XknEVzuF14OhNAY8MQpt1bd\" alt=\"Top malware by uploads in 2019 and 2020 \"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The most dangerous malware<\/strong><\/h2>\n\n\n\n<p>Emotet appeared as a banking Trojan in 2014. In just 3 years it improved majorly: it acquired a polymorphic nature and began distributing other malware to infected machines. The Trojan constantly advanced its evasion techniques. Over the course of its existence, the malware added advanced features and developed into a giant malware-spreading service.<\/p>\n\n\n\n<p>Attacks by Emotet\u2019s latest versions were carried out worldwide. The malware got computers and networks infected with other malicious programs by means of hijacked emails that deceived users.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The rise of Emotet<\/strong><\/h2>\n\n\n\n<p>For 6 years Emotet had been the number 1 threat and challenged companies\u2019 security. Here are some notable steps of Emotet\u2019s development:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>2014: Emotet was a typical banking Trojan. It stole data and sent spam. Fabricated financial documents served as decoys to get credentials from small German organizations.<\/li>\n\n\n\n<li>Late 2014: The malware acquired a modular structure but remained a standard Trojan.<\/li>\n\n\n\n<li>2015: Emotet got an updated public RSA key, new address lists, and RC4 encryption.<\/li>\n\n\n\n<li>2016: The Trojan became polymorphic malware. Emotet installed other malicious programs on the victim\u2019s machine, and the attacks spread worldwide.<\/li>\n\n\n\n<li>2018: Many high-profile attacks caused severe damage: Allentown lost $1 million after an infection, Frankfurt had to shut down its network, and later the whole world became a target. To carry out these crimes, crooks used the latest versions of Emotet.<\/li>\n<\/ul>\n\n\n\n<p>Interestingly, Emotet\u2019s delivery method stayed the same during the malware\u2019s whole history. Malicious spam carrying documents with VBA macros was the usual way for the malware to spread. Once an attachment was opened, the Office document lured the user into enabling macros. The macro then executed, with different scenarios up its sleeve.<\/p>\n\n\n\n<p>One more peculiar thing about Emotet is its maldoc templates. The malware authors designed their own variants and kept researchers on alert for new ones. Usually, templates consisted of maldoc kits showing fake update prompts or other messages. They embedded a VBA macro and created different execution chains. Pretending to be a trustworthy resource worked out quite well: victims fell for the trick and didn\u2019t hesitate to open the malicious document and enable the VBA macro.<\/p>\n\n\n\n<p>There is a great template collection in <a href=\"https:\/\/app.any.run\/submissions?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in_house&amp;utm_content=emotet\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">ANY.RUN&#8217;s public submissions<\/a>. We advise you to investigate them: type the emotet-doc tag to find the mentioned maldocs.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/5qnZkq-LEW8AZSFjRcqiImcU9jcWx6a8USZBa9foNOcs3eGmVKY7QpAkF65Gl0PaElElo5FP25C3q7NyU-eSvSeUYGZABIS1RnrrT45lOw-5WEiVrkz-Wh86xo4gq4ZDey3mr2xm\" alt=\"Emotet maldoc templates\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The fall of Emotet<\/strong><\/h2>\n\n\n\n<p>The malware was the king of cyber threats. Up to 2021, the largest botnet in the world menaced companies from all spheres. But it took us by surprise when, on January 27th, law enforcement from many countries, together with Europol and Eurojust, cooperated to take control of the infrastructure behind Emotet. It took 2 years of preparation to disrupt the advanced malware.<\/p>\n\n\n\n<p>The global joint effort resulted in taking over every critical C2 server: hundreds of servers across the world were located and taken over. The victims\u2019 infected computers have been redirected to law enforcement-controlled infrastructure.<\/p>\n\n\n\n<p>It is now reported that the authors were Ukrainian citizens. Unfortunately, their names are still concealed.<\/p>\n\n\n\n<p>Law enforcement is sending an Emotet module to the victims that will uninstall the malware on March 25th, 2021. Now it\u2019s safe to say that the Emotet era is over. The chances of a malware comeback are slim to none.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How to recognize Trojans with ANY.RUN?<\/strong><\/h2>\n\n\n\n<p>Cybersecurity awareness is the essential key to safety and an excellent way to avoid any kind of threat. Users should be careful with their email and not open suspicious messages and attachments. If you suspect a file is not trustworthy, welcome to ANY.RUN: the sandbox allows you to check whether the file shows malicious activity or not.<\/p>\n\n\n\n<p>Suricata rulesets allow detecting malicious programs successfully. Moreover, the &#8220;FakeNet&#8221; feature is a step forward when working with Trojans. The function blocks HTTP requests and returns a 404 error. This leaves the malware no choice but to reveal its C2 links, which helps us collect the malware\u2019s IOCs.<\/p>\n\n\n\n<p>If this topic is interesting to you, go ahead and read the post in the<a href=\"https:\/\/any.run\/malware-trends\/emotet\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\"> Malware trends tracker<\/a> to learn more about the Emotet execution process, its characteristics and distribution methods; there you can also collect IOCs and get samples.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p>If Emotet is destroyed for good, it may represent a serious issue for cybercriminals. The law enforcement agencies\u2019 work introduced a new approach to fighting malware actors effectively. However, cybercriminals can survive without Emotet. It\u2019s inevitable that we will face something else.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Emotet was the most threatening malware in the world.
This nightmare of cybersecurity specialists challenged millions of infected computers and caused more than $2 billion in losses. And now the sophisticated botnet is taken down.&nbsp; Emotet was known as a destructive cyber threat out there. And ANY.RUN sandbox faced it a lot. Only in 2020, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":8309,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[15],"class_list":["post-1325","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-history","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Rise and Fall of Emotet - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"The evolution of the most threatening malware in the world. Learn about the standard Trojan that evolved into a giant botnet.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/rise-and-fall-of-emotet\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/rise-and-fall-of-emotet\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/rise-and-fall-of-emotet\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Rise and Fall of Emotet\",\"datePublished\":\"2021-02-05T06:02:36+00:00\",\"dateModified\":\"2024-07-24T07:55:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/rise-and-fall-of-emotet\/\"},\"wordCount\":822,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"malware\"],\"articleSection\":[\"Malicious History\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/rise-and-fall-of-emotet\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/rise-and-fall-of-emotet\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/rise-and-fall-of-emotet\/\",\"name\":\"Rise and Fall of Emotet - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2021-02-05T06:02:36+00:00\",\"dateModified\":\"2024-07-24T07:55:00+00:00\",\"description\":\"The evolution of the most threatening malware in the world. 
Learn about the standard Trojan that evolved into a giant botnet.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/rise-and-fall-of-emotet\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/rise-and-fall-of-emotet\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/rise-and-fall-of-emotet\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malicious History\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/history\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Rise and Fall of Emotet\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}