Emotet

Emotet is an extremely sophisticated and destructive banking Trojan used to download and install other malware. First recorded in 2014, Emotet has gained advanced capabilities over the course of its lifetime. Today Emotet is targeting governments, corporations, small businesses and individuals, focusing on Europe, America, and Canada.

  • Type
    Trojan
  • Origin
    Unknown
  • First seen
    1 June, 2014
  • Last seen
    22 November, 2019
  • Also known as
    Heodo, Geodo
  • Global rank
    1
  • Week rank
    1
  • Month rank
    1
  • IOCs
    3841

What is Emotet Trojan?

So what makes the Emotet virus so dangerous? Emotet can act like a worm and spread across local networks, which makes it extremely hard to clean up. In addition, the Trojan has advanced persistence and anti-evasion mechanics, such as the ability to detect sandboxes and virtual machines, with an option to generate false indicators to throw researchers off. On top of that, the Trojan has a polymorphic design – meaning that it can change its code to bypass signature-based detection, making this defense strategy useless against its attacks. If that wasn't enough, Emotet can receive updates from the control server, performing this operation as if an operating system update were being installed. This allows the Trojan to drop additional malware onto the infected machine stealthily. It should also be noted that Emotet has a modular design, which makes it possible to adapt this malware to various tasks and customize it for each particular campaign, giving the attackers maximum flexibility.

General description of Emotet

The first version of the Emotet malware, spotted in the wild all the way back in 2014, was designed to steal banking credentials by intercepting internet traffic and was much more basic than the beast of a Trojan we know today. When Emotet was first spotted in the wild, the malware mainly targeted banks in Germany and Austria using only its native information-stealing toolset.

Version two followed shortly after, this time carrying several additional modules such as a money transfer, mail spam, DDoS and address book stealing modules. The third iteration of Emotet was released in 2015, this time focusing on upgrading the anti-evasion functionality of the malware and introducing banks from Switzerland into the list of potential victims.

The next overhaul of the Emotet malware followed in December 2016, changing the attack vector of the virus. At the beginning of its lifetime, Version 4 relied heavily on the RIG 4.0 exploit kit to make its way into victims' computers, later switching primarily to mail spam. The same iteration of the malware also marked the moment when its primary use case started shifting from using its own banking module to dropping other Trojans onto infected machines.

Speaking of modules, Emotet can perform a large number of malicious activities that vary depending on the modules used in a particular campaign. Most versions of the virus included a spam module which can be used to continue the spread of the malware by sending out a series of malicious emails from the infected machine. Another normally included module is the one used for credential stealing, allowing Emotet to steal sensitive information from web browsers and mail clients.

Starting in 2017, Emotet began coming equipped with a spreader module, allowing the malware to infect all machines connected via a local network. The virus also gained the address book stealer module – this one is interesting. It analyzes the relationships between email senders and receivers and uses the collected information to enhance the effectiveness of subsequent campaigns originating from the user's PC, allowing it to target friends, family members and colleagues of the victim with personalized spam emails.

Not only does the Emotet malware provide flexible functionality through the use of modules and have several anti-evasion functions, it also puts a heavy emphasis on persistence. To ensure that the malware stays on the infected machine, it injects into running processes, often targeting Explorer.exe. In addition, the malware uses Scheduled Tasks and makes changes to registry keys.

It should be noted that the banking Trojan we are reviewing today is extremely destructive and its attacks can have several consequences, such as loss of private data, inability to operate the infected PC up to the point of rendering it completely unusable, and financial losses associated with restoring the infrastructure damaged by the malware. In fact, one company was forced to spend in excess of one million dollars to deal with the aftermath of an Emotet attack.

Emotet interactive analysis

A video recorded in the ANY.RUN malware hunting service displays the execution process of Emotet, allowing one to examine the behaviour of this malware in a lot of detail.

Figure 1: The process list generated by the ANY.RUN malware hunting service

Figure 2: Even more information about the execution of Emotet can be found in the customizable text reports generated by ANY.RUN

Emotet execution process

Considering that the primary way in which the Emotet banking Trojan is distributed is malicious email spam campaigns, the first step in the chain of infection involves tricking the potential victim into opening an attached Microsoft Office file using social engineering. After the file has been opened and macros enabled, no additional user actions are needed. The downloaded files contain malicious VBA code which runs once the document has been opened. In one variant of the infection process, the VBA code uses WMI to launch a PowerShell script which downloads the payload – a malicious executable file – from a web server. Notably, the PowerShell script is encoded. Emotet takes steps to maintain a presence on the infected system: it copies itself into %AppData% subfolders and changes the autorun value in the registry. Throughout the infection process, the malware exchanges information with a server. As the last execution step, Emotet waits for commands from C2 servers.
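The execution chain above (macro host or WMI provider spawning an encoded PowerShell command, then an autorun value pointing into %AppData%) can be checked for in endpoint telemetry. The following is an added detection example, not code from ANY.RUN or from the Emotet sample; the event shape and all sample values are constructed here, and the decoded script and paths are placeholders.

```python
import base64
import re

# Office hosts that a macro runs inside of; WmiPrvSE.exe is the WMI provider host
# that appears as the parent when VBA starts a process through WMI.
MACRO_HOSTS = {"winword.exe", "excel.exe", "wmiprvse.exe"}
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
URL = re.compile(r"https?://[^\s'\"]+")

def decode_encoded_command(cmdline):
    """Decode the base64 UTF-16LE payload of a PowerShell -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(events):
    """Return (rule, details) findings for the Emotet-style chain described above."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            parent = ev["parent"].rsplit("\\", 1)[-1].lower()
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if parent in MACRO_HOSTS and image == "powershell.exe":
                decoded = decode_encoded_command(ev["cmdline"])
                if decoded is not None:  # surface the URLs hidden by the encoding
                    findings.append(("macro_spawned_encoded_powershell", URL.findall(decoded)))
        elif ev["type"] == "registry":
            key, data = ev["key"].lower(), ev["data"].lower()
            if "\\currentversion\\run" in key and "\\appdata\\" in data:
                findings.append(("appdata_run_key_autorun", [ev["data"]]))
    return findings

# Constructed sample telemetry (not real Emotet artefacts): an encoded PowerShell
# command naming a placeholder download URL, and a Run-key write into %AppData%.
SAMPLE_SCRIPT = "$u='http://example.invalid/payload.exe'"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell -NoP -W Hidden -enc {SAMPLE_B64}"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\victim\AppData\Roaming\abcdef\abcdef.exe"},
]
```

Running `analyze(SAMPLE_EVENTS)` yields one finding per stage, with the download URL recovered from the encoded command line.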

Prevention of Emotet attacks

To minimize the risk of an Emotet infection, and the potential damage if such an infection does occur, users are advised to follow a set of standard best practices, such as not downloading files from suspicious emails and keeping an updated version of antivirus software on the machine at all times.

For organizations, it is advised to restrict inbound SMB communication between client systems in order to prevent Emotet from spreading from one machine to another within the local network, to provide security training for personnel and instruct employees about the danger of mail spam, and to take all possible precautions to filter out potentially malicious emails at the firewall.

How does Emotet spread?

The main distribution method of the Emotet malware is malicious email campaigns. The banking Trojan uses its address book stealer module to pull the contacts from the victim's email account and send itself to the found contacts from the hijacked account.

Bearing in mind that potential victims are receiving an email from somebody they know and trust, Emotet has a very high chance of a successful attack. The received email usually contains a link to a malicious URL that downloads the malware when clicked. However, email spam is not the only distribution method that this malware utilizes. It may also take advantage of certain Windows vulnerabilities, so the malware can make its way into a machine completely "silently", without the user ever knowing about it.

How to collect more Emotet’s IOCs using ANY.RUN?

In your analysis of Emotet malware, our "Fake Net" feature will be useful. It intercepts HTTP requests and returns a 404 error, forcing the malware to reveal its C2 links.

To turn it on, open the "Advanced mode" of the "New task" window and check the box next to "Fake net" in the "Network" section.

Figure 3: Running an Emotet sample with the "Fake net" feature turned on

Conclusion

The Emotet malware is one of the most sophisticated and destructive Trojans currently active. Since its first introduction all the way back in 2014, the malware has undergone a substantial evolution, gaining a lot of anti-evasion features, obtaining worm-like functionality and even changing its main focus from information stealing to installing other Trojans onto infected machines. Thanks to the ability to spread to adjacent systems, Emotet can easily infect all machines in a single network, making dealing with the consequences of an attack a true nightmare. The situation is further worsened by the fact that the malware is equipped with a series of anti-evasion tricks that make analyzing it quite difficult. As a result, the process of developing countermeasures is much more complicated in comparison to simpler and more straightforward Trojans.

Thankfully, modern online hunting services like ANY.RUN are equipped with equally advanced research functions and allow professionals to study cyber threats with maximum efficiency, helping researchers to battle elusive malware like Emotet.

IOCs

