What is Emotet Malware?
September 11, 2023
Emotet is a trojan-dropper, appearing in 2014. By design, this malware was a banking stealer – a pretty prolific one. Since the start it has combined advanced spreading and launching techniques, along with a specific approach towards grabbing credentials. After several large updates (referred to as v2/v3/v4) it received a dropper functionality, which made its modern image such as we know it. Together with heavy anti-detection and anti-analysis techniques, this malware poses a serious cybersecurity threat to any kind of users. Another distinctive feature of Emotet is its periodic activity: instead of steady uptime, malware rather has sporadic bursts of spreading.
Received Emotet samples
The extensive malware delivery network formed by hackers that stand behind Emotet is worth separate attention. Both its scale, uptime and malware that is spread via such a network have beaten any of its contemporaries. IcedID, QakBot, UmbreCrypt, Conti and TrickBot – all these malware names had a long cooperation with Emotet threat actors. Such a success is an obvious reason for the interest from law enforcement. In 2021, two of Emotet high-ranked participants (ones who were responsible for maintaining network infrastructure) were captured in Ukraine. That did not stop malware from running though, but its activity became even more unpredictable than it ever was.
We have already mentioned some important milestones in the history of Emotet malware. It appeared in June 2014 under the name of Heodo/Geodo, and received its first major update (v2) at the end of the same year. These versions were generally aiming at Central European countries with developed economies – in particular Germany, Switzerland and Austria, so-called DACH. Key activity was circulating around banking data stealing. Through the following 1.5 years the activity of a newcomer was not noteworthy, although malware received another update (v3) and the ability to act as malware loader – the thing that became definitive for the future of Emotet.
At the end of 2016, a cybercrime group called Mealybug (a.k.a TA542) formed up and started its malicious activity using Emotet. Their activity in 2017 was titled with a spike in activity – mainstream banking information stealing and the deployment of a wide range of malware. The dropper campaign included TrickBot, IcedID stealer and a couple of ransomware samples. Year of 2018 was significant because of the start of full-scale attacks upon companies and governments. The loudest victim in that year was the computer system of the city of Allentown. The attack cost over $1 million to fix.
Following years brought even more ill fame to Emotet. Throughout 2019 and 2020, they attacked hundreds of companies and even infrastructure of large cities, like Frankfurt, Lake and Quebec. This, apparently, triggered some serious attention from law enforcement agencies, primarily the FBI. Together with their colleagues from Europe, the US law enforcement launched an operation called Ladybird, that ended up with capturing some of the Emotet top management members. Two men responsible for managing network infrastructure of Emotet malware were arrested in the capital of Ukraine – Kyiv. That case eventually led to a temporal shutdown of all operations.
Nonetheless, fear related to these arrests did not last long. Less than 6 months after these events, malware relaunched its activity, with pretty much the same scale. However, the active periods became way shorter than they used to be. Instead of up to a year-long uptime, they show up for a month, or even a couple of weeks – and go offline. Homogeneity of this gang and absence of any realistic media activity does not allow us to make any conclusions about the reasons for such a change, excluding extremal carefulness, of course.
Throughout the long time, since around 2018, Emotet relied heavily on spreading through MS Office macros. This method has proven itself exceptionally reliable and simple to implement. Just deliver the infected Office file – via email spam or through any other method – and wait. The number of users who were aware about malignant use of macros remains low even these days, leave alone early days of Emotet. And the amount of exploitation opportunities were tremendous and allowed for pretty much any action needed in malware injection process. This was about to change, sooner or later.
In February 2023 Microsoft announced implementation of Mark-of-the-Web, a specific mechanism in MS Office that marks the documents downloaded from the Internet. One marked in such a way gets its active content blocked upon launching, both macros or links. It can still be disabled – but with much more effort compared to a simple click on the button “Allow macros”. And while other malware managed to find a replacement for macros, Emotet did not.
After the MotW implementation, Emotet activity started decreasing with tremendous speed. Actually, the attempts of its masters may have been significant, but the result was not. In less than 2 months afterwards, Emotet basically lost any botnet expansion potential. As of September 2023, hackers do not even try to change anything – our analysts detect less than 10 samples a day at peaks, and 2-3 samples per day on average. This is just pathetic compared to Emotet’s prime-time with thousands of victims each day.
Is this the end of Emotet? We don’t think so. It is not unusual for Emotet to stay low for a long time, though over half a year of lull is still extraordinary. Possibly, the team has lost their leaders during the early 2021 events, and the rest just cannot keep up and find new approaches. Possibly, they are getting ready for something bigger – which is possible, especially due to the introduction of Python applets support in Microsoft Office. The time will show, but 2023 is definitely quite a depressing year for this malware.
Botnets led by Emotet are large enough to be noteworthy, especially considering their unusual structure. Since both malware and its network infrastructure are updating constantly, the difference between networks of infected computers over time increased dramatically. Such changes brought a lot of problems to analysts that tried to predict and prevent the threat, but simultaneously gave them a great classification tool. These days, analysts define 5 different botnet infrastructures, named epochs. They may be distinguished by the public encryption keys that are held within C2 configuration, present in each malware sample. The developer did not share their malware samples with clients, as a lot of other malware developers do. Instead, they hire and study the hackers, which then act correspondingly to strictly-marked rules. That’s why it is quite easy to divide all the botnets into compact groups.
Epoch 1, 2, and 3 were actively used since 2017 – when TA542 formed as a separate cybercrime group. They bore upon earlier versions of Emotet, which carried a public RSA key hard-coded into each sample. During the C2 communication, malware applied that key to cipher an AES key, which, in turn, served to cipher the data going in and out. All three epochs were active until January 2021, when a major part of network infrastructure was seized along with members’ arrests.
Epochs 4 and 5, however, were developing independently of the first three, which gave the gang a second chance after the events at the beginning of 2021. These botnets used newer versions of Emotet, which featured two ECC public keys, that were used to encrypt data and to validate data packages correspondingly. These days, these two botnets form a backbone of Emotet malware; according to the research, over 60% of the Emotet network belongs to Epoch 4, while the rest (under 40%) is Epoch 5.
Emotet Distribution Ways
Main ways of Emotet malware spreading both in past and present is email spam. By most parameters, it repeats some common spam you may have witnessed in any other malware spreading campaign. A message mimics some urgent or important notice that should be reviewed by the receiver. Common topics are “Overdue invoice” or “Delivery notification” with the attached MS Excel file. Malware installation script is hidden inside of a macro application. Once this file is opened, the document shows you an offer to enable macros as “part of the content is missing”. Executing the script embedded in the macro makes your PC connected to a compromised website (generally a WordPress-based page) that emits a payload.
Changes Due To Policy Updates
At the beginning of 2023, Microsoft decided to cut down the ever-loved tactic with malicious macros. After over 2 decades of flawless operations as a malware delivery way, it became almost completely blocked by disabling executable content for MS Office files that arrived from the Internet. Such files are marked specifically, and after the launch, Microsoft Office will flatten such a file, similarly to how CDR systems do.
However, Microsoft would not be itself if it had not left a huge breach in this mechanism. Any MS Office file may be run “as usual” if it is launched from the MS Office directory. The system recognizes any file from that place as trustworthy, and thus no executable content will be excised. Cybercriminals who spread Emotet add specific instructions to move the file in the message or right inside the text of this file.
Emotet stealer capabilities turn out to be useful not only for collecting important credentials. This malware is capable of accessing MS Outlook address book, and using it to commence mass-mailing. This, however, is possible only with the use of specific add-ons for Emotet. As you can guess, messages sent in such a manner contain the same thing as Emotet used to arrive at the initial system. But now, it also gains a disguise - the personality of the attacked PC user. That approach allowed Emotet to have an almost exponential gain of victims in certain campaigns.
Some analysts also say that Emotet is capable of self-spreading using Windows networking vulnerabilities, such as EternalBlue. This, however, is not particularly true — Emotet participated in deploying TrickBot malware to the system, which then used the mentioned breach to propagate itself to other systems in the network.
The most recent versions of this malware, released at the edge of 2022, feature their own way of spreading within the network. It impersonates the user account from the machine it is running on, and tries to connect to other machines in the local network using SMB. Same as in the case of mass-mailing, this trick requires the operator to install the corresponding malware plugin. To log into these machines, it uses a hardcoded list of usernames and passwords to perform a simple brute force. WnetOpenEnumW and WnetEnumResourceW – basic WinAPI calls – help malware with enumerating the machines and other network elements present and available.
As we mentioned above, the main way of Emotet delivery to the target system is malicious macro in the Office document. However, samples have major differences in the method of loading after the mentioned macro was launched. These alterations appear not only between samples of different activity periods, but also during a single attack. That is probably the result of the affiliate's job – each team of ones create their own loading scripts, which makes them unique in each case.
Emotet arrives as a 64-bit .dll file, with a randomly generated name given by the server that is used to emit the payload. Macro script saves it to the Temp folder. Same macro then applies regsvr32.exe to run the payload. In order to evade early detection and confuse signature-based anti-malware engines, Emotet practises the tricks typical for different other advanced malware. Most of them are related to code packing, obfuscation and code encryption.
The aforementioned DLL gets to the target system in the encrypted form, and is unpacked using the shellcode embedded in the loader. The latter is the specific add-on that goes stuck to that library. VirtualAlloc function serves to allocate RAM area to inject decrypted malware code and make it run during several stages. First, the loader allocates the memory and protects it with PAGE_EXECUTE_READWRITE property. Further, it deciphers the part of the DLL into this memory, using a decryption key added at the stage of sample packing. After that, the execution is passed to this memory area.
Second stage supposes the use of another piece of code. An ASM blob, designed to decrypt, load, and run the specific part of the Emotet’s DLL, is a final stage before seeing the actual execution of this malware. Similar to previous stages, it allocates memory and sets a PAGE_EXECUTE_READWRITE protection, and dumps the decrypted contents of the DLL. But to run it, this code calls VirtualAlloc once again, in order to remap the sections to a different memory location. Only then, the code is getting executed.
Newly-launched sample of Emotet will establish persistence in the system. For this purpose, it creates a registry key that guides Windows to launch the loader at system start. The key is attached to the current user account, and is located in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hive. This key leads to a randomly-named copy of the loader we described in previous paragraphs, placed in the Temp folder. After being launched via this key, it does the described above loading procedure once again.
The peculiarity of all this procedure is that it constantly changes, even within a single Emotet version. Samples of this malware caught in the wild around spring 2022 and in November of the same year have a different way of handling the code strings. Instead of keeping them decrypted within a certain section of its PE, latest versions keep them encrypted, and decipher on demand. That is somewhat similar to the manner SmokeLoader backdoor handles this – and it makes it difficult both to detect and analyse. Still, some tricks allow us to extract most of this data. And only developers know how that will happen in future Emotet releases.
An obvious step that comes shortly after gaining persistence in the attacked environment is contacting the command and control server. Emotet performs it as usual and non-typical simultaneously. Commonly-used HTTP POST/GET requests feature an elliptic-curve cryptography (ECC) encryption, which has proven itself as an exceptionally tough nut. A pretty salient feature, however, is the use of 8080 port in a vast majority of its connections. Other ones in use are 80, 443 and 7080. List of IP addresses of command servers, as it happens commonly, is embedded into the malware code at a stage of compilation. However, as numerous researches show, the addresses that appear amidst malware strings are not related to exact C&C servers. In order to mask the traffic, Emotet operators use compromised servers as proxy simply to disable the ability to reveal the botnet infrastructure IPs that easily. Both Epoch 4 and Epoch 5 botnets feature several pools of C2 addresses that show up in different malware samples.
As we mentioned above, public ECC keys are hard-coded into the Emotet samples. They are needed to generate a private encryption key, that will secure the data, and to validate the data package. Such a double-check is not a paranoid reassurance, but a demanded security measure – that helps C&C to weed out fake traffic. Initial request, same as in other malware, contains some basic information about the infected machine, required for fingerprinting purposes. Overall, commands that Emotet can receive may be divided into 4 categories, and are marked with 1-9 digits.
|Load a module||Loads one of six modules available for installation. Each one has a corresponding variable in the command, although its header remains the same. Hides under the number of 2.|
|Sleep||Forces malware to stop any actions and go idle. Same command to the already “sleeping” bot will wake it back up. Took the number of 5.|
|Update/remove||Updates the Emotet binary on the machine. A specific variable will command the malware to perform self-destroying. Has a number of 1.|
|Download DLL/EXE||Orders to download malware from a specified source (sometimes a different C2). Uses code 3 for a regular download & run, and 4 for downloading and running the additional payload via regsvr32.exe, i.e. using Emotet methods.|
Modern samples of Emotet do not come packed with all possible functionality. In fact, by default it lacks even its stealing module, offering only remote access, i.e. behaving more like a backdoor. Aside from delivering additional payloads to a system and data stealing, Emotet also supports receiving an “upgrade” – additional modules that extend its functionality. There could be up to 6 different modules, which appeared steadily and are evolving constantly.
First and foremost, Emotet is a banking stealer, and only then a dropper malware. It did not lose its capabilities for digging out banking credentials even after seeing more often usage as a tool for botnet establishment. After launching and establishing persistence, malware starts listening to web browser activity. However, instead of a more classic approach with keystroke logging or cheating with web frames or redirects, Emotet applies monitoring traffic in order to detect a connection to the banking website. It receives a list of ones to spy on together with the module itself. If any activity related to one of these domains is detected, Emotet tries to eavesdrop the connection and extract passwords. With time, malware was taught a different way to steal credentials – by hacking the password storing mechanism used in most popular web browsers.
Despite aiming at banking credentials more than other things, Emotet can also collect detailed information about the system it is running in. Hardware module is what helps it with that task, but with a pretty unusual add-on. Aside from the functionality that helps malware to grab the info about the system, it adds another anti-spoofing layer, that checks genuinity of the bot messages. The packet that contains the hardware module contains a specific ID value, that is attributed specifically to that bot. Packet with the results of this module activity – gathered information – contains a specific value at the end, that is generated using the ID value contained within the module package. If the C2 server does not have a matching range of values for the one, it blocks packages from this bot, marking it as a fake one. The types of PC information gathered by Emotet are the following:
- Session ID
- Windows version
- Windows build
- Total system RAM
- Used RAM
- Name of Emotet's process
An infamous coin miner trojan, that aims at exploiting hardware of the target PC to mine Monero cryptocurrency. Earlier, it was delivered by Emotet-based botnets as a separate malware. But during the last campaign that took place in November 2022, XMRig arrived at the systems infected with Emotet as its module. Such a transposition had happened in the past with other malware – particularly one Emotet developers considered as their “partner”. And such a coexistence sounds logical considering the number of infected machines under the rule of Emotet and the fact that coin miners are most effective in the long-term perspective.
Advanced email stealer
Emotet can steal email credentials it meets “by the way” while it breaks into the browser. Stand-alone mailing services, like Outlook and Thunderbird, remain untouched – and advanced email stealer module fixes that issue. Aside from the ability to use the accounts for self-spreading via spam, operators receive the information that eases spear phishing by orders of magnitude. In addition, this module allows you to get the contact book of the hijacked accounts. This, together with thread hijacking, makes this module pretty effective when it comes to bumping the attack efficiency.
Email spamming for self-propagation
Above, we mentioned that Emotet is capable of sending itself through the email message, repeating the manner it infected the initial machine. But as you may guess, it is not vastly effective when you don’t have access to email accounts or contact books. For that reason this module mainly appears as a complementary to the email stealer. Module uses a default pattern of message, set by the operator, and MS Office file that carries a malicious macro.
SMB lateral movement module
Server Message Block protocol, or SMB, is a brilliant solution not only for connecting computers and peripheral devices to a single local network, but also for malware spreading. Impersonating the user of an infected computer, Emotet is capable of connecting to other computers in the local network, and deploy itself there. As we mentioned above, it uses a list of typical passwords to perform brute force attacks, and enumerates computers present in the network with WnetOpenEnumW and WnetEnumResourceW commands. This module appeared pretty recent – around the beginning of 2022.
Traffic proxying a.k.a UPnP module
We already mentioned that TA542 uses numerous compromised servers around the world as proxy servers that redirect the traffic to a genuine Emotet C2. UPnP module is what helps malware operators to find new servers, or organise a temporary proxy layer for their connection. This module allows an infected computer to receive the traffic from other attacked systems, and redirect it to the actual C2 server.
Malware delivery by Emotet
Emotet is known for delivering a huge number of malware names. Among them are ransomware, spyware, other droppers, and even coin miners. Attacking both companies, single users and even government organisations, it never picks specific victims for specific malware. There is an order – and Emotet simply executes it. Let’s see the most known malware samples spread by Emotet trojan.
|IcedID||A.k.a. BokBot. Banking trojan, similar to what Emotet was before turning into a dropper. Acts as a primary payload for Emotet, as being delivered to infected systems almost immediately after the initial C2 contact.|
|Conti||Ransomware, a product of an eponymous Russian cybercriminal group. Was generally delivered to corporations. Group dissolved in April, 2022, after a leak of ransomware source code.|
|BlackCat||Ransomware gang, which started their partnership with Emotet in summer 2022. Prolific gang that attacks mainly corporations and government organisations. Publishes victims' data in surface Web.|
|Ryuk||Ransomware, was generally delivered as a final payload in the chain Emotet → TrickBot → Ruyk. Most often, it aims at corporations.|
|STOP/Djvu||Ransomware that attacks single users and rarely companies. Used to be one of the most prolific ransomware gangs. Has a long-term partnership with Emotet, despite only dim information about that.|
|TrickBot||Dropper malware/backdoor, yet another long-term partner of Emotet. Used to deliver various other malware – including Emotet itself after its resurgence after January 2021 events.|
|CobaltStrike||Not a regular malware, but a complex tool for malware orchestration. Acts generally as a backdoor, with its Beacon module, that allows it to access the environment and deploy any kind of additional payloads.|
|XMRig||Coin miner malware, one of the most widespread in its kind. Conjunction of effectiveness and flexibility makes it pretty prolific on its market. Began spreading as an Emotet module in 2022.|
How to protect yourself from Emotet?
Throughout the long history of its evolution, Emotet developed numerous ways to avoid detection in the system it is running in. That’s why the best way to protect yourself from this malware is to prevent its appearance in your system. However, conducting these measures in corporations is less efficient, as there are dozens (or even hundreds) chain links that may break apart. Thus, it is better to apply both preventive and reactive measures.
Be familiar with the typical methods of Emotet spreading. Actually, there is only one – email spam with a malicious attachment. Knowing how to distinguish between genuine email and the fake one will save you from different other problems. Spam that contains a MS Office document with a malicious macro became a beloved spreading tool for all categories of cybercriminals. Always remember which emails you should receive, and stay aware even if your colleague texts you about something routine. Keep an eye out for strange email addresses – the one that contradicts with the email topic or a possible sender.
The most effective advice here is to avoid enabling macros execution under any circumstances. Whatever the document or email says, enabling macros is a bad idea. Their usage nowadays is pretty rare, as there are numerous other ways to provide interactivity and document updates with the same or even higher efficiency as macros do. Microsoft forbids execution of macros in the documents that arrived from the Web, but that still does not mean they are 100% safe.
Use advanced security solutions. This advice is both reactive and proactive, as such a program will help you with both detecting a malicious Office document, as well as stopping the already going infection. However, regular anti-malware software is barely able to deal with threats like Emotet. It should feature a behavioural detection system, or even AI-based scanning, to spot malware samples even when it is hidden behind numerous layers of obfuscation and packing.
Set up a network protection system. Emotet applies enhanced networking features that allow it to slip through the passive barriers like firewalls. The Network Detection and Response system (NDR), on the other hand, is able to detect suspicious traffic using the same advanced detection techniques as we described above. Even when it is not certain about detecting malicious traffic, NDR will notify the security team about suspicious behaviour. It touches both external and internal connections – don’t forget about SMB spreading methods.
Check your sent messages. That touches both individuals and employees of large corporations. Detecting messages you’ve never sent is already not a good sign. Seeing a typical malspam message sent from your name is a very bad omen. If such activity is detected, you should scan your device and contact the system administrator (if you have the one).
MD5: cb9e1acaf2bc27d3d63ab65fda4c5186 MD5: d2d13fb9464c11719f9232c9fedb702e MD5: 827dc167869b7e832d0bb302741cfdd1 MD5: f7f9d268e8553cd2631ce5cc36fdb8e3 MD5: 17d0249831849e69bd89f0777b8f7198 MD5: ad4dc5f1468aed6dc24457166b561171 MD5: d56787b2b92525ddb9da2604af77fb7d MD5: 71499d67b748d742241df13e96c9bb04 MD5: bbf633e6434386e4bdb7503266fadb2f MD5: 6b234087d3cb95e28d3e0caea780bf6b
SHA256: bb444759e8d9a1a91a3b94e55da2aa489bb181348805185f9b26f4287a55df36 SHA256: f6485aef4be4cb0ec50317b7f87694fb775f81733af64c9bc6050f6806504207 SHA256: 0000dad03392dd3c6e997bad4eed45afddcda5eb2b29402304cb6a463d8b6dbc SHA256: 00012006226f4b68b40767430075321015626b2fcba8ad1dddf1dc6d0de68f4d SHA256: 00021d6cba6faa8a7689ac0290549a3b0c999766fa5061cf3ee9b6cc943dc3d0 SHA256: 0002a0fb0ee6d81edd91287ea1e89ab30a3421dd9840b99ea46e69b9be191d64 SHA256: 0002afff4625bee9fb13b0d0c845e0c1b4381c16a65b72024b7759b18256f911 SHA256: 00037f2d52219a6672d6a583e887a809250c96f8f0eacf7d8503848c874dac6b SHA256: 0002bfc448d1d6417b1cc74306fdf3979675f3b88778aee17463dee9fe3bf9d1 SHA256: 000495b2f119bfebf709c63e76d71923c45863242757698a7cb9bf1983036e99
MITRE ATT&CK signatures
|T1552.001||Credentials In Files||T1110.001||Password Guessing|
|T1573.002||Asymmetric Cryptography||T1047||Windows Management Instrumentation|
|T1552.001||Credentials In Files||T1041||Exfiltration Over C2 Channel|
|T1043||Commonly Used Port||T1040||Network Sniffing|
|T1021.002||SMB/Windows Admin Shares||T1555.003||Credentials from Web Browsers|
|T1547.001||Registry Run Keys / Startup Folder||T1065||Uncommonly Used Port|
|T1114.001||Local Email Collection||T1560||Archive Collected Data|
|T1210||Exploitation of Remote Services||T1003.001||LSASS Memory|
|T1566.002||Spearphishing Link||T1566.001||Spearphishing Attachment|
|T1059.005||Visual Basic||T1204.001||Malicious Link|
|T1078.003||Local Accounts||T1204.002||Malicious File|
|T1057||Process Discovery||T1027||Obfuscated Files or Information|
|T1059.003||Windows Command Shell||T1571||Non-Standard Port|
|T1094||Custom Command and Control Protocol||T1027.002||Software Packing|
|T1055.001||Dynamic-link Library Injection||T1053.005||Scheduled Task|