| Name | Emotet |
| Type of Malware | Banking Trojan |
| Location – Country of Origin | Germany |
| Date of initial activity | 2014 |
| Associated Groups | Mealybug, Wizard Spider, TA542 (aka Gold Crestwood or Mummy Spider), |
| Motivation | Steal sensitive and private information, spamming and malware delivery services |
| Attack Vectors | Phishing email attachments, and links |
| Trageted System | Windows |
Overview
Emotet is an advanced, self-propagating and modular Trojan. Emotet was once used to employ as a banking Trojan, and now is used as a distributer for other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, Emotet can also be spread through phishing spam emails containing malicious attachments or links.
Targets
Banking sector. individuals, companies, and government entities across the United States and Europe.
Tools/ Techniques Used
Associated software: Geodo, Trickbot, Qbot, IcedID. Emotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch the payload.The malware then attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers.
Emotet uses a number of tricks to try and prevent detection and analysis. Notably, Emotet knows if it’s running inside a virtual machine (VM) and will lay dormant if it detects a sandbox environment. Emotet also uses C&C servers to receive updates. This allows the attackers to install updated versions of the software, install additional malware such as other banking Trojans, or to act as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses. Two latest additions to Emotet’s module arsenal comprise an SMB spreader that’s designed to facilitate lateral movement using a list of hard-coded usernames and passwords, and a credit card stealer that targets the Chrome web browser.
Impact / Significant Attacks
A July 2019 Emotet strike on Lake City, Florida cost the town $460,000 in ransomware payouts.
1. Allentown, Pennsylvania (February 2018),
2. Heise Online (May 2019),
3. Kammergericht Berlin (September 2019),
4. Humboldt University of Berlin (October 2019)
