Watch out for a new type of malware

What is it?


The Emotet banking Trojan was first identified by security researchers in 2014. It was originally designed as a banking Trojan used to steal financial data, but it has evolved to become a major threat to users everywhere.

  • History: First observed in 2014, Emotet was primarily a banking Trojan designed to intercept financial information.
  • Polymorphic Evolution: Emotet has become infamous due to its constant change. It uses polymorphic code, meaning it changes its signature frequently to evade antivirus detection.
  • Malware-as-a-Service: Emotet has evolved into a delivery mechanism (often called a loader or dropper) for other dangerous malware, including banking Trojans like Trickbot and Qakbot, as well as ransomware strains like Ryuk.

Current versions of the Emotet Trojan can install other malware on infected machines, including other banking Trojans or malspam delivery services.
 

How does it evade detection?


“Emotet is polymorphic, which means it can change itself every time it is downloaded, evading signature-based detection.” Emotet uses several tricks to try to prevent detection and analysis. It also knows if it’s running inside a virtual machine (VM) and will lie dormant if it detects a sandbox environment.
It uses worm-like capabilities to spread to other connected computers, which helps distribute the malware. This functionality has led the Department of Homeland Security to conclude that Emotet is one of the most costly and destructive malware families, costing upwards of $1M per incident to clean up.

How does it work?


Emotet uses command-and-control (C&C) servers to receive updates. This works like the operating system updates on your PC and can happen seamlessly and without any outward signs. It allows the attackers to install updated versions of the software or additional malware such as other banking Trojans, and to use the C&C servers as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.
  • Infection:
      • Phishing emails: Emotet usually arrives via emails that seem legitimate, using social engineering tricks to persuade victims to open infected attachments or click malicious links. These attachments can be Word documents, Excel files, or disguised links.
      • Exploiting vulnerabilities: In some instances, Emotet may exploit vulnerabilities in outdated software to infect your computer directly.
  • Evasion:
      • Polymorphism: Shifts its code to avoid basic antivirus scans.
      • Anti-analysis techniques: Employs tricks to make it harder for security software to analyse its behaviour.
  • Lateral Movement:
      • Spreading within networks: Once on a computer, Emotet can spread across a network using various techniques like brute-forcing weak passwords, exploiting vulnerabilities, and stealing credentials.
  • Payload Delivery:
      • Installing other malware: Emotet downloads other malware onto the system, ranging from more banking Trojans to crippling ransomware attacks.
 

How is it spread?


Emotet is a Trojan that is primarily spread through spam emails (malspam). It ransacks your contacts list and sends itself to your friends, family, co-workers and clients. Since these emails are coming from your hijacked email account, the emails look less like spam and the recipients, feeling safe, are more inclined to click bad URLs and download infected files.
The infection may arrive either via a malicious script, macro-enabled document files, or malicious links. Emotet emails may be designed to look like legitimate email and try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.
If a connected network is present, Emotet spreads using a list of common passwords, guessing its way onto other connected systems in a brute-force attack. If the password to the all-important human resources server is “password” then likely Emotet will find its way there.
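The password-guessing behaviour described above leaves a recognisable trace in authentication logs: a burst of failed logons from one source against one or more hosts, sometimes followed by a success once a weak password is found. The following is an added example, not code from the original article, that detects that pattern over a handful of constructed log lines. The log format (`src=`, `target=`, `user=`, `result=` fields after an ISO timestamp), the host names and the addresses are all assumptions made for the example; a real deployment would map its own authentication events (for instance Windows failed-logon events) onto the same fields.

```python
"""Flag sources producing a burst of failed logons, as a brute-force spread would.

Added example: the log format and every value in SAMPLE_LOG are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events. 10.0.0.5 hammers two servers with the
# built-in administrator account and then gets in; 10.0.0.9 is a user who
# mistypes a password twice, minutes apart, and then logs in normally.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 src=10.0.0.5 target=HR-SRV user=administrator result=failure",
    "2024-05-01T10:00:03 src=10.0.0.5 target=HR-SRV user=administrator result=failure",
    "2024-05-01T10:00:05 src=10.0.0.5 target=HR-SRV user=administrator result=failure",
    "2024-05-01T10:00:07 src=10.0.0.5 target=FILE-SRV user=administrator result=failure",
    "2024-05-01T10:00:09 src=10.0.0.5 target=FILE-SRV user=administrator result=failure",
    "2024-05-01T10:00:11 src=10.0.0.5 target=HR-SRV user=administrator result=success",
    "2024-05-01T10:00:30 src=10.0.0.9 target=HR-SRV user=jsmith result=failure",
    "2024-05-01T10:05:30 src=10.0.0.9 target=HR-SRV user=jsmith result=failure",
    "2024-05-01T10:05:45 src=10.0.0.9 target=HR-SRV user=jsmith result=success",
]


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into (datetime, {k: v})."""
    stamp, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(stamp), fields


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {src: {"targets": set, "success_after_failures": bool}}.

    A source is flagged once it has at least `threshold` failed logons inside
    any `window_seconds` sliding window; a later success from a flagged source
    is recorded because it usually means a weak password was found.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, target) failures in window
    flagged = {}
    for stamp, fields in sorted((parse_line(l) for l in lines), key=lambda r: r[0]):
        src = fields["src"]
        if fields["result"] == "success":
            if src in flagged:
                flagged[src]["success_after_failures"] = True
            continue
        window = recent[src]
        window.append((stamp, fields["target"]))
        cutoff = stamp - timedelta(seconds=window_seconds)
        while window and window[0][0] < cutoff:
            window.popleft()
        if len(window) >= threshold:
            entry = flagged.setdefault(src, {"targets": set(), "success_after_failures": False})
            entry["targets"].update(target for _, target in window)
    return flagged


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, sorted(info["targets"]), "then succeeded" if info["success_after_failures"] else "")
```

The threshold and window are deliberately parameters: a noisy user mistyping a password a few times over several minutes stays below them, while a guessing loop that walks a password list exceeds them within seconds. The "success after failures" flag is the line worth alerting on first, since it marks a host that likely now needs containment rather than just monitoring.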
Another method that Emotet uses to spread is through the EternalBlue/DoublePulsar vulnerabilities, which were responsible for the WannaCry and NotPetya attacks on the NHS. These attacks take advantage of vulnerabilities in Windows that can allow the installation of malware without human interaction.
This ability to self-replicate, like a type of malware we call a worm, causes endless headaches for network administrators across the globe as Emotet spreads itself from system to system.
 

Who does Emotet target?


To date, Emotet has hit individuals, companies, and government entities across the United States and Europe, stealing banking logins, financial data, and even Bitcoin wallets. Now that Emotet is being used to download and deliver other banking Trojans, the list of targets is potentially even broader. Early versions of Emotet were used to attack banking customers in Germany. Later versions of Emotet targeted organizations in Canada, the United Kingdom, and the United States.

How can I protect myself from Emotet?


You can protect yourself and your users from Emotet with a robust cyber security program that includes multi-layered protection.

 

How to Protect Yourself


Email vigilance:

Inspect the sender's email address closely for inconsistencies. Be sceptical of unexpected attachments, even if they seem to come from familiar sources. Avoid clicking without verifying the source. Hover over links without directly clicking on them to reveal the true destination URL.
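The four checks in that paragraph (sender address inconsistencies, unexpected attachments, and the real destination behind a link) can be automated as a first-pass triage before anyone clicks. The script below is an added example, not code from the original article or from any product: it parses a constructed raw message with Python's standard `email` and `html.parser` modules and reports a display name that carries a different address than the real sender, a Reply-To that points somewhere else, links whose visible text disagrees with their real destination (what hovering would reveal), and macro-enabled Office attachments. All addresses, hosts, paths and file names in the samples are made up.

```python
"""Triage a suspicious email for the warning signs listed above.

Added example; every address, host and file name below is constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Office extensions that can carry VBA macros.
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xlam", ".pptm")

# Constructed lure: lookalike display name, foreign Reply-To, disguised link, .docm attachment.
SAMPLE_EMAIL = """\
From: "sam.jones@acme.example.com" <invoices@acme-billing.example.net>
Reply-To: collect@mail-drop.example.org
To: finance@victim.example.com
Subject: Your Invoice INV-2047 - Payment Details
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review: <a href="http://acme-billing.example.net.evil.example/inv">https://portal.acme.example.com/invoice</a></p>
<p><a href="https://portal.acme.example.com/help">Help</a></p>
</body></html>
--XYZ
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Disposition: attachment; filename="Invoice_INV-2047.docm"

ZHVtbXk=
--XYZ--
"""

# Constructed benign message used as the negative case.
CLEAN_EMAIL = """\
From: "Sam Jones" <sam.jones@acme.example.com>
To: finance@victim.example.com
Subject: Lunch
Content-Type: text/plain

See you at 12. Agenda: https://portal.acme.example.com/help
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(address):
    """Lower-cased part after '@', or '' when there is none."""
    return address.rpartition("@")[2].lower()


def triage_email(raw):
    """Return a list of (finding, detail) pairs; an empty list means no sign fired."""
    msg = message_from_string(raw)
    findings = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    # A display name that itself looks like an address is a lookalike trick.
    if "@" in display and _domain(display) != sender_domain:
        findings.append(("sender_display_mismatch", f"{display!r} vs {sender}"))

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(("reply_to_mismatch", reply_to))

    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                shown = urlparse(text).hostname if text.startswith("http") else None
                real = urlparse(href).hostname
                if shown and shown != real:
                    findings.append(("link_text_mismatch", f"shows {shown}, goes to {real}"))
        filename = part.get_filename()
        if filename and (filename.lower().endswith(MACRO_EXTS) or "macroenabled" in ctype):
            findings.append(("macro_enabled_attachment", filename))
    return findings
```

Run `triage_email(SAMPLE_EMAIL)` and all four findings fire; `triage_email(CLEAN_EMAIL)` returns an empty list. The link check compares host names only, which is exactly what hovering shows a user; the remaining "Help" link in the sample is left alone because its text is not a URL, so there is nothing to contradict.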

Updates and Patches:

Keep all software on your system updated (operating system, browsers, Microsoft Office, etc.). This closes security vulnerabilities that Emotet might try to exploit.

Strong Antivirus and Anti-malware:

Use reputable antivirus/anti-malware software with real-time protection. Ensure it's updated with the latest virus definitions.

Multi-factor Authentication (MFA):

Implement MFA on all accounts, especially banking and financial ones. This adds a significant layer of protection, even if your basic password is compromised.

Network Segmentation:

In corporate environments, segment networks to limit the potential spread if an infection occurs.

User Education:

Train employees and yourself in good cybersecurity habits, including identifying phishing attempts and the importance of avoiding suspicious links or attachments.

Important Notes

  • Emotet has been disrupted in the past by law enforcement, but it has a history of re-emerging, which shows its resilience.
  • No single security measure is foolproof. A layered approach is crucial (antivirus, email vigilance, updates, etc.).

Resources

How can Genesis help?

We can help you establish effective cybersecurity practices for your business. We can review what processes you have in place and advise on any areas of weakness. If you would like to discuss this further, please contact us by telephone 01482 210999 or email info@genesisIT.co.uk