Emotet is a highly sophisticated piece of malware that spreads via phishing attacks. Emotet was maintained and promoted by a cyber group known as “Mealybug”.

Emotet evolved over time, starting as a banking trojan (2014) and later turning into a Malware as a Service (MaaS). It gained worm-like capabilities and became increasingly stealthier with each iteration.

The infrastructure used by Emotet was taken down by an internationally coordinated law-enforcement effort in January 2021.

The initial attack vector can be a malicious link or an infected file sent via phishing emails. When a user activates the script, Emotet contacts its C2 servers to download the full payload. Once downloaded, Emotet attaches itself to running processes as a .dll file. Emotet then begins sniffing network traffic to capture sensitive information sent between victims and their banks. Emotet is capable of capturing even HTTPS communication because it hooks the network APIs that handle the data before it is encrypted or after it is decrypted. The network APIs hooked by Emotet to accomplish this (according to research by Trend Micro) are:

  • closesocket
  • connect
  • send
  • WSASend
  • PR_OpenTcpSocket
  • PR_Write
  • PR_Close
  • PR_GetNameForIdentity

If Emotet identifies communication with a bank listed in its configuration file, Emotet will capture all of the site data, including credentials and access tokens. Captured information is then encrypted, stored as registry entries, and sent back to the C2 servers.

Emotet hides in arbitrary paths located within the AppData\Local and AppData\Roaming directories.

Later versions of Emotet are capable of updating themselves, changing their own configurations, and even downloading additional malware.

Emotet possesses several advanced techniques to avoid detection:

  1. Emotet can hide itself and its stolen data as registry entries to avoid file-based AV detection.
  2. Emotet comes equipped with a vast amount of benign code that can trick AI-based security solutions into classifying it as safe (Deep Instinct).
  3. Emotet is polymorphic in nature and largely evades signature-based detection by constantly changing its code.
  4. Emotet scans its environment to determine if it is inside a virtual machine and generates false indicators to evade analysis.

Emotet is also able to maintain persistence through several methods:

  1. By injecting itself into running services. This tricks the AV into listing Emotet as trusted software.
  2. By moving laterally across an internal network and infecting other machines. When spreading inside a network, Emotet attempts to copy itself to reachable network shares and network-attached storage to propagate in a worm-like manner. This is accomplished either by brute-forcing accounts with known password lists or by exploiting vulnerabilities.
  3. By using custom spam modules. These spam modules spread into a victim’s contacts list and attempt to send copies of the malware to new victims. In later versions of Emotet, the malware focused on targeting only the latest emails in an account and replying to them to increase the chance of a successful attack.
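A small defensive triage routine, added here as an example and not part of the original text, that turns the indicators above (executables in non-vendor folders under AppData\Local or AppData\Roaming, Run-key values pointing into AppData, and a remote thread from such a binary into a service host process) into rules over constructed Sysmon-style events. The event records, the vendor allowlist and the service-host set are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (field names follow Sysmon's schema: EventID 1 =
# process create, 13 = registry value set, 8 = CreateRemoteThread). These are
# sample records written for this example, not telemetry from any real host.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Teams.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\qwzxk\qwzxk.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\qwzxk",
     "Details": r"C:\Users\alice\AppData\Roaming\qwzxk\qwzxk.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\qwzxk\qwzxk.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

# Assumed allowlist of top-level AppData folders that legitimately hold binaries.
KNOWN_APPDATA_VENDORS = {"microsoft", "google", "mozilla", "slack", "zoom"}
# Assumed set of service host images that malware targets for injection.
SERVICE_HOSTS = {"svchost.exe", "services.exe", "spoolsv.exe"}

APPDATA_RE = re.compile(r"\\AppData\\(Local|Roaming)\\([^\\]+)\\.*\.(exe|dll)$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def suspicious_appdata_path(path):
    """True if path is a PE under AppData\\Local or AppData\\Roaming whose
    top-level folder is not a known vendor directory."""
    m = APPDATA_RE.search(path)
    return bool(m) and m.group(2).lower() not in KNOWN_APPDATA_VENDORS


def triage(events):
    """Return a list of (rule_name, evidence) hits over Sysmon-style event dicts."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and suspicious_appdata_path(ev["Image"]):
            hits.append(("appdata_random_dir_exec", ev["Image"]))
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]) \
                and "\\AppData\\" in ev.get("Details", ""):
            hits.append(("run_key_to_appdata", ev["TargetObject"]))
        elif eid == 8:
            target = PureWindowsPath(ev["TargetImage"]).name.lower()
            if target in SERVICE_HOSTS and suspicious_appdata_path(ev["SourceImage"]):
                hits.append(("remote_thread_into_service", ev["TargetImage"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in triage(EVENTS):
        print(f"[{rule}] {evidence}")
```

The allowlist approach trades recall for noise: any vendor folder not listed will be flagged, so tune KNOWN_APPDATA_VENDORS against a baseline of the environment before using the rules for alerting.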

Moreover, Emotet uses several spreader modules to accomplish its goals (CISA Alert TA18-201A):

  • NetPass.exe – A legitimate software application used for recovering network passwords of the currently logged-on user.
  • Outlook Scraper – A module that scrapes names and email addresses from Microsoft Outlook.
  • WebBrowserPassView – A module used to capture passwords stored in browsers like Google Chrome, Mozilla Firefox, Internet Explorer, etc.
  • Mail PassView – A module used for revealing account information and passwords from various email clients like Microsoft Outlook, Windows Mail, Mozilla Thunderbird, etc.
  • Credential enumerator – Used for enumerating network resources, finding writable share drives (SMB), brute-forcing user accounts, and writing Emotet to the disk.

Emotet evolved from a banking trojan (2014) to a loader (2016) and then to Malware as a Service (MaaS) in 2017. As a MaaS, Emotet delivered well-known payloads such as Qakbot, IcedID, TrickBot, Ryuk, and others. It was initially believed that Emotet had the ability to exploit the infamous EternalBlue and DoublePulsar vulnerabilities; however, it was later discovered that Emotet actually downloaded the malware (such as TrickBot) that executed the exploits.