What is Emotet Malware?

Emotet is a malware botnet that originally functioned as a banking trojan when it emerged in 2014. It was spread via spam campaigns imitating financial statements, transfers, and payment invoices. Emotet is propagated mostly via Office email attachments containing a macro. If the macro is enabled, it downloads a malicious PE file (Emotet), which is then executed. Once running, it can intercept and log network traffic, inject into browsers, and access banking sites in order to exfiltrate and store financial data.

Emotet evades security measures and moves laterally by leveraging a server message block (SMB) exploit or brute force of admin credentials, making it one of the most dangerous and dominant malware families in the wild.

How has Emotet evolved over the years?

In 2017, Emotet operators redesigned the trojan to work mainly as a dropper, a type of malware that is designed to deliver other malware to a victim’s computer. Other players in the cybercrime world, such as the TrickBot banking malware and Ryuk ransomware, utilize Emotet’s dropper capabilities to infect countless other users.

In early 2021, an international taskforce coordinated by Europol and Eurojust seized Emotet infrastructure, comprising several hundred servers located around the world, and arrested some of its operators.

Additionally, in April 2021, law enforcement used the Emotet infrastructure to automatically uninstall the malware from infected systems. These actions stopped Emotet operations for a period, but in November 2021 new variants of Emotet were again spotted in the wild.

There is a clear relationship between Emotet and TrickBot operators, as evidenced by infected TrickBot machines being used to download the new Emotet binary. The new Emotet variants also differ from earlier ones: they use a different communication protocol with a constantly changing decryption routine, and they abuse an old Excel capability (Excel 4.0 macros) to execute the malicious macro.
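The Excel 4.0 abuse mentioned above leaves a recognizable footprint in the Office Open XML package itself: a macro sheet part, often hidden, plus an Auto_Open defined name that makes it run when the file is opened. The following triage check is an added example written for this page (not Deep Instinct’s code); it uses only the Python standard library and assumes the standard OOXML part names and relationship types, with a constructed in-memory sample workbook standing in for a real attachment.

```python
"""Flag Excel 4.0 (XLM) macro sheets in an Office Open XML workbook using only the stdlib."""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
XLM_REL = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"


def inspect_workbook(data: bytes) -> dict:
    """Return which XLM macro parts, hidden sheets and auto-open names a workbook carries."""
    out = {"macrosheets": [], "hidden": [], "auto_open": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "xl/_rels/workbook.xml.rels" in names:
            rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
            for rel in rels.iter("{%s}Relationship" % PKG_REL):
                if rel.get("Type") == XLM_REL:  # part is an Excel 4.0 macro sheet
                    out["macrosheets"].append(rel.get("Target"))
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iter("{%s}sheet" % MAIN):
                if sheet.get("state") in ("hidden", "veryHidden"):  # kept out of the user's view
                    out["hidden"].append(sheet.get("name"))
            for dn in wb.iter("{%s}definedName" % MAIN):
                if dn.get("name") == "_xlnm.Auto_Open":  # XLM entry point that runs on open
                    out["auto_open"] = True
    return out


def is_suspicious(findings: dict) -> bool:
    """An XLM macro sheet that is hidden or wired to Auto_Open warrants quarantine and analysis."""
    return bool(findings["macrosheets"]) and (findings["auto_open"] or bool(findings["hidden"]))


def build_sample(with_xlm: bool = True) -> bytes:
    """Constructed in-memory workbook mirroring the layout above; it contains no real macro code."""
    sheets, defined, rels = '<sheet name="Sheet1" sheetId="1"/>', "", ""
    if with_xlm:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden"/>'
        defined = '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
        rels = '<Relationship Id="rId2" Type="%s" Target="macrosheets/sheet1.xml"/>' % XLM_REL
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", '<workbook xmlns="%s"><sheets>%s</sheets>%s</workbook>' % (MAIN, sheets, defined))
        zf.writestr("xl/_rels/workbook.xml.rels", '<Relationships xmlns="%s">%s</Relationships>' % (PKG_REL, rels))
        if with_xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", '<macrosheet xmlns="%s"/>' % MAIN)
    return buf.getvalue()
```

Legacy binary .xls files store XLM macros in the BIFF stream rather than as zip parts, so this check covers only .xlsx/.xlsm attachments.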

How does Deep Instinct help stop Emotet malware?

While Emotet malware has evolved and re-emerged over the past few years, Deep Instinct’s prevention-first approach to stopping malware has a proven track record of predicting and preventing these types of attacks. Using the world’s first Deep Learning Cybersecurity Framework, we are able to predict and prevent known, unknown, and zero-day threats in <20 milliseconds, 750x faster than the fastest ransomware can encrypt.