Emotet Malware Over the Years: The History of an Active Cyber-Threat
What Is Emotet Malware and How Can You Stop It? Protecting Your Business from the Most Resilient Trojan Out There
Malware strains come and go, and Internet users have grown used to online threats being dealt with swiftly by the competent authorities. But what happens when a Trojan keeps eluding everyone’s best efforts to stop it in its tracks?
In this article, I will go over the complex history of one of the longest-running cybercrime operations in recent history, Emotet. Keep reading to find out what it is, how it operates, and what it uses to take control of an entire network. And if you want to find out what you can do to protect your organization against this still active threat, stay tuned until the end.
What Is Emotet Malware?
Emotet started out as a banking Trojan. It spreads primarily through malspam, that is, spam email carrying malware (hence the term). These messages often borrow familiar branding, mimicking the email templates of well-known and trusted companies such as PayPal or DHL to convince recipients to act.
Through this medium, the infection may be delivered in several ways:
- malicious scripts,
- phishing links,
- or macro-enabled document files.
The Trojan, which has worm-like capabilities, was first documented in 2014 by Joie Salvio, a threat analyst at Trend Micro.
The actor behind Emotet is a group tracked as Mealybug. Since starting in 2014 with the first and simplest version of the Trojan, they have turned their operation into a successful crimeware ring that provides Malware-as-a-Service (MaaS).
The group achieved this by building a botnet of infected computers on Emotet’s own infrastructure and then selling access to it. The botnet is run from three clusters of command-and-control servers known as Epoch 1, Epoch 2, and Epoch 3. Access to this infrastructure was rented to various ransomware operations, including the infamous Ryuk gang.
While Mealybug profits from this leasing scheme, its victims bear heavy costs when they try to contain infections. According to a cybersecurity alert published by the Department of Homeland Security in July 2018 about state, local, tribal, and territorial (SLTT) governments,
Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.
How Does Emotet Malware Operate?
When Joie Salvio first documented Emotet in June 2014, the malware was at its first and most basic version. It spread through malspam: the emails carrying it usually posed as shipping invoices or bank transfer notifications and persuaded users to click a link. At first, its targets consisted mainly of customers of small German and Austrian banks.
Once the user takes the bait and the malware lands on a machine, it downloads its components. These include a configuration file listing the banks it targets, and a .DLL (Dynamic Link Library) that is injected into every running process. The DLL is responsible for intercepting and logging outgoing traffic, a practice known in the security world as “network sniffing”.
When the DLL is injected into a browser, it compares the sites the user visits with the list in its configuration. If a website matches, it saves the request and steals the credentials inside it. Because the hooks sit inside the browser process, before the data is encrypted for transmission, this works even over HTTPS: the TLS connection itself is intact, but the data is captured before it enters it.
The downloaded components and the stolen data are stored in encrypted registry entries rather than as files on disk, a location regular users seldom inspect. Malicious activity can thus go unnoticed and evade file-based antivirus detection.
What stands out in the original report is the level of sophistication for a first version. As time went on, Emotet refined its infection techniques further. A technical alert issued in 2018 by the Multi-State Information Sharing & Analysis Center (MS-ISAC) together with the National Cybersecurity and Communications Integration Center (NCCIC) established that its main role had become that of a downloader or dropper for other banking Trojans.
Emotet has adapted and evolved over the years, repeatedly escaping detection and managing to thrive. The same document describes it as a:
polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.
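The persistence mechanisms the alert mentions are something an incident responder can check for directly. The script below is an added example written for this article, not code from the alert, from any Emotet sample or from any product: it parses an exported Run-key listing (the sample `.reg` text is constructed, and the value names and paths in it are hypothetical) and flags auto-start entries that launch from user-writable directories or that impersonate a system binary outside the Windows directory. On a real host you would feed it the output of `reg export` for the HKCU and HKLM Run keys; service-based persistence needs a separate look at the Services key.

```python
"""Triage auto-start (Run key) entries from a .reg export.

Added example, not code from the 2018 alert or from Emotet itself.
SAMPLE_REG is constructed for this example; its value names and paths
are hypothetical. Real input: `reg export HKCU\...\Run run.reg`.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export` dump: two benign entries, two suspicious ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"wpfzrq"="C:\\Users\\alice\\AppData\\Local\\wpfzrq\\wpfzrq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\ProgramData\\Updater\\svchost.exe"
"""

# Directories an unprivileged user can write to: a loader dropped by a macro ends up here.
WRITABLE_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
                 "\\programdata\\", "\\users\\public\\")
# Binaries that legitimately live only under the Windows directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
# Heuristic prefixes for "inside the Windows directory" (assumes the system drive is C:).
SYSTEM_DIRS = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s: str) -> str:
    """Undo .reg escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, command) triples for every string value."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def image_path(command: str) -> str:
    """Extract the executable from a Run value, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def assess(command: str) -> List[str]:
    """Reasons an auto-start command deserves a closer look (empty list = nothing found)."""
    path = image_path(command).lower()
    reasons = []
    if any(d in path for d in WRITABLE_DIRS):
        reasons.append("launches from a user-writable directory")
    base = path.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
        reasons.append(f"{base} running from outside the Windows directory")
    return reasons


def triage(text: str) -> List[Dict[str, object]]:
    """Flag Run-key entries worth an analyst's attention."""
    findings = []
    for key, name, command in parse_reg_export(text):
        reasons = assess(command)
        if reasons:
            findings.append({"key": key, "name": name,
                             "image": image_path(command), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['image']}: {'; '.join(f['reasons'])}")
```

Run against the constructed sample, the two legitimate entries pass and the two dropped binaries are reported. The heuristics are deliberately simple; what matters is the habit of reviewing every auto-start location on a suspect host rather than trusting a file scan that found nothing.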
How Does Emotet Malware Spread?
Emotet spreads across a network through a spreader component made up of several modules. The 2018 technical alert quoted above lists five known spreader modules:
- NetPass.exe, a legitimate password recovery tool developed by NirSoft. It recovers all network passwords stored on the system for the currently logged-on user, including passwords kept in the credentials file of external drives.
- WebBrowserPassView, another NirSoft password recovery tool that reads credentials saved by most common web browsers: Google Chrome, Internet Explorer, Mozilla Firefox, Opera, and Safari.
- Mail PassView, a third password recovery tool that reveals passwords saved by popular email clients and services such as Gmail, Microsoft Outlook, Hotmail, Yahoo! Mail, Windows Mail, and Mozilla Thunderbird.
- Outlook scraper, a malicious utility that harvests names and email addresses from the victim’s Outlook accounts and uses them to send further phishing emails from the compromised accounts.
- A credential enumerator, a self-extracting RAR archive composed of a bypass component and a service component. The bypass component enumerates network resources: using the credentials collected by the four modules above, it either brute-forces user accounts, including the administrator account, or looks for writable share drives over Server Message Block (SMB). Once it finds an accessible system, it writes the service component to it, which in turn writes Emotet onto that machine’s disk. This is how a single infected workstation turns into a network-wide incident.
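The credential enumerator leaves a recognisable trail in Windows Security logs: a burst of failed logons across several accounts from one source, followed shortly by a successful network logon or a write to a share from that same source. The detector below is an added example written for this article, not code from the alert or from any product. The event IDs are the real Windows ones (4625 failed logon, 4624 successful logon, 5145 detailed share access), but the pipe-separated record format and every line in the sample are constructed, and the hosts, IP addresses and account names are hypothetical.

```python
"""Spot the credential enumerator's pattern in Windows Security events.

Added example for this article, not code from the 2018 alert or from
Emotet. Event IDs are the real Windows ones (4625 failed logon, 4624
successful logon, 5145 share object access); the pipe-separated format
and every record in SAMPLE_EVENTS are constructed, with hypothetical
hosts, addresses and accounts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# A burst of failures across several accounts from one source inside a short
# window is the brute-force signature; a network logon or a share write from
# that source soon afterwards is the spread.
FAIL_THRESHOLD = 5
ACCOUNT_THRESHOLD = 3
BURST_WINDOW = timedelta(seconds=60)
FOLLOW_UP_WINDOW = timedelta(minutes=10)

# Constructed: timestamp|event id|source ip|target host|account|detail
SAMPLE_EVENTS = """\
2019-09-20T10:00:01Z|4625|10.0.0.5|FILESRV01|alice|LogonType=3
2019-09-20T10:00:02Z|4625|10.0.0.5|FILESRV01|bob|LogonType=3
2019-09-20T10:00:02Z|4625|10.0.0.5|FILESRV01|carol|LogonType=3
2019-09-20T10:00:03Z|4625|10.0.0.5|FILESRV01|dave|LogonType=3
2019-09-20T10:00:04Z|4625|10.0.0.5|FILESRV01|admin|LogonType=3
2019-09-20T10:00:05Z|4625|10.0.0.5|FILESRV01|Administrator|LogonType=3
2019-09-20T10:00:09Z|4624|10.0.0.5|FILESRV01|svc_backup|LogonType=3
2019-09-20T10:00:12Z|5145|10.0.0.5|FILESRV01|svc_backup|Share=\\\\*\\ADMIN$ Access=WriteData
2019-09-20T10:05:00Z|4625|10.0.0.7|FILESRV01|carol|LogonType=2
2019-09-20T10:05:30Z|4624|10.0.0.7|FILESRV01|carol|LogonType=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<eid>\d+)\|(?P<src>[\d.]+)\|(?P<host>[^|]+)\|(?P<user>[^|]*)\|(?P<detail>.*)$")


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["eid"] = int(e["eid"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_spread_event(e: Dict[str, object]) -> bool:
    """A network logon (type 3) or a write to a share: the enumerator's next step."""
    if e["eid"] == 4624 and "LogonType=3" in e["detail"]:
        return True
    return e["eid"] == 5145 and "WriteData" in e["detail"]


def detect(text: str) -> List[Dict[str, object]]:
    """One finding per source that brute-forces accounts; severity rises if it then spreads."""
    by_source = defaultdict(list)
    for e in parse_events(text):
        by_source[e["src"]].append(e)

    findings = []
    for src, evs in by_source.items():
        failures = [e for e in evs if e["eid"] == 4625]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e["ts"] - first["ts"] <= BURST_WINDOW]
            accounts = sorted({e["user"] for e in burst})
            if len(burst) < FAIL_THRESHOLD or len(accounts) < ACCOUNT_THRESHOLD:
                continue
            burst_end = burst[-1]["ts"]
            spread = [e for e in evs
                      if burst_end < e["ts"] <= burst_end + FOLLOW_UP_WINDOW and is_spread_event(e)]
            findings.append({
                "source": src,
                "target": first["host"],
                "failed_attempts": len(burst),
                "accounts_tried": accounts,
                "followed_by_access": bool(spread),
                "spread_events": [(e["eid"], e["user"], e["detail"]) for e in spread],
                "severity": "lateral movement" if spread else "brute force",
            })
            break  # report the first qualifying burst per source
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']}: {f['source']} -> {f['target']}, "
              f"{f['failed_attempts']} failures over {f['accounts_tried']}, "
              f"then {len(f['spread_events'])} access event(s)")
```

On the sample, 10.0.0.5 is reported as lateral movement (six failures across six accounts, then a network logon and a write to ADMIN$), while the two interactive attempts from 10.0.0.7 are ignored. Thresholds are a starting point: tune them against your own baseline of legitimate failed logons before wiring this into alerting.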
A Brief History of Emotet Malware
As one of the longest-lived malware families of the last decade, Emotet has had an eventful history. Its evolution is worth following, as it shows how Mealybug and its later collaborators operate. For convenience, I have put together a brief year-by-year rundown below.
Joie Salvio published the initial analysis of Emotet on June 27th, 2014. That date marks the first documented account of the malware’s existence and an overview of its modus operandi; the sample analyzed was version 1. A new version emerged in the autumn of the same year and brought a few improvements with it.
For one, the actors started using an Automatic Transfer System (ATS) to move money out of victims’ accounts without manual intervention. Their focus on staying unnoticed also became apparent: they concentrated most of their efforts on a small number of German and Austrian bank customers, an unusually selective approach for malware operators.
Emotet version 2 went quiet on December 10th, 2014, the date of the last command recorded from its servers. The malware would nonetheless return the following year.
After a break over the holidays, the group operating Emotet returned in January 2015 with version 3. Not radically different from its predecessor, this variant came with a few additional features that made it harder to detect, including a newly embedded RSA public key and a partial cleanup of the ATS script.
Around this time the group diversified its targeting: in 2015, Emotet started going after Swiss banks alongside its usual German and Austrian ones. The year also saw its development into a more modular threat, with distributed denial of service (DDoS) attacks and email credential theft added to its capabilities.
Documentation on Emotet’s activity in 2016 is relatively thin, but two things are known. First, it was the year its developers reworked the Trojan into a loader. A loader is malware whose job is to gain a foothold on a machine and then let its operators deploy second-stage payloads, which can be Emotet’s own modules or malware developed by other criminal groups.
Second, Emotet shifted its focus back to Germany alone in 2016, consistent with the group’s approach at the time of keeping a low profile and aiming for small but profitable targets.
2017 was the year when Mealybug’s Malware-as-a-Service technique took off. The group was the first to deliver the IcedID banking Trojan through its infrastructure at this time. In the same year, Emotet was also observed distributing the Trickbot Trojan and the UmbreCrypt strain of ransomware.
Operators of the malware also expanded their targeting in 2017 to countries such as China, Canada, the United Kingdom, and Mexico. This was a marked change from the earlier concentration on the German-speaking world, and it is easily explained by the MaaS business taking off in the same period.
In 2018, Emotet hit the United States with an attack on Allentown, Pennsylvania. Its activity during the year was otherwise uneven: apart from this attack, which I will get to in a minute, and a few malspam campaigns, the year was relatively quiet.
The main development of 2018 was that the actors behind Emotet strengthened their collaboration with TrickBot, an infamous information-stealing Trojan whose claim to fame is spreading laterally through the same SMB vulnerability (MS17-010, the EternalBlue exploit) used by the WannaCry ransomware. This was also when the Emotet botnet started delivering Qakbot, a banking Trojan family with network worm capabilities.
Arguably the malware’s most prolific year, 2019 brought high-profile attacks on several German institutions, including the city of Frankfurt. These were part of a large botnet spam campaign targeting victims in Germany, Poland, England, and Italy.
The operation was highly successful against prominent institutions thanks to cunningly worded subject lines such as “Overdue Invoice” and “Payment Remittance Advice”, which tricked employees into opening infected Microsoft Word documents. Enabling the document’s macro started a download of the Emotet loader from compromised WordPress sites onto the target network.
After a plentiful 2019, Emotet went dark again in February 2020. Our collective sigh of relief did not last long: the malware returned in force five months later, in July. Its most recent effort is an English-language malspam campaign aimed at the UK and the US, with as many as 250,000 phishing messages delivered as of last month. Only time will tell how the rest of 2020 will unfold under this revamped threat.
Notable Emotet Malware Infections
In under a decade, Emotet has collected quite a few high-profile victims, ranging from local governments and state institutions to private organizations. Educational institutions are not safe from it either.
As mentioned, its spreading pattern shows a particular focus on Germany. The most notable infections of recent years are covered in the sections below.
1. Allentown, Pennsylvania (February 2018)
On February 13th, 2018, Allentown, a relatively large city in the American state of Pennsylvania, fell victim to an Emotet attack. According to the statement of its then-mayor, the malware infiltrated government computers and immediately started self-replicating, then proceeded to steal every log-in credential it could get its grubby paws on, including employee passwords.
Mike Moore, the city’s Communications Director, stated that the local administration paid Microsoft an emergency response fee of $185,000 to contain the damage promptly. Mayor Ed Pawlowski subsequently acknowledged a further $800,000 to $900,000 spent on mitigation. In total, Allentown paid upwards of $1 million to remediate a single Emotet infection.
2. Heise Online (May 2019)
The spring of 2019 brought bad news for Heise Online, a well-known German publisher based in Hanover. According to a statement published on its website on June 6th, the triggering event took place on May 13th, shortly before 3 p.m., when an employee opened an email that referred to a real transaction between Heise and one of its business partners.
The email asked the employee to check some details in an attached Word document. On opening the document, a fake error message asked the user to enable editing. Complying with that seemingly harmless request is what unleashed the attack.
Although the initial infection appeared to have been cleaned by the computer’s antivirus, the threat kept working its way through Heise’s systems. Two days later, firewall alerts showed traffic between several of the company’s machines and external servers linked to Emotet over TCP port 449, a clear sign that the infection was still alive. The lesson for defenders: a machine that antivirus reports as cleaned should be treated as compromised until it is rebuilt.
3. Kammergericht Berlin (September 2019)
It comes as no surprise that the hackers deploying Emotet do not hold Lady Justice in high regard, as their attack on the Kammergericht Berlin shows. The KG is the highest court of the German city-state, handling criminal and civil cases alike.
Experts from Berlin’s IT service center warned on Friday, September 20th, that the court’s network was infected. The Senate Department for Home Affairs followed up on September 24th with further warnings, but no action was taken.
The court’s network of 550 connected computers was disconnected from the state network only the following day, September 25th, which gave Emotet ample time to spread and inflict damage.
4. Humboldt University of Berlin (October 2019)
Following the attack on the court in September, October 2019 saw another notable victim. The Humboldt University of Berlin started receiving phishing emails on October 29th. According to a press release published by the university, approximately 43,000 accounts were compromised from early November onwards; no new infections were registered after November 14th.
Central networks and protected services were reportedly not affected. The university states that containment measures were deployed immediately after the initial incident: machines intruded by the malware were disconnected from the network and completely reconfigured, stopping the threat in its tracks.
Other German universities hit by Emotet in 2019 include the Justus Liebig University in Giessen, north of Frankfurt, and the Catholic University in Freiburg, in the southwest of the country near the French border.
5. Frankfurt, Germany (December 2019)
Perhaps the most notable Emotet attack in recent memory hit the German city of Frankfurt, which shut down its entire IT network until the threat was properly contained. What makes this case so striking is that Frankfurt is one of the largest economic hubs in Germany and in the world.
Both public and private organizations suffered financial losses as a result. Yet taking the systems completely offline was the necessary step to stop the infection from spreading further. The costly but ultimately beneficial decision was taken on the advice of the Federal Office for Information Security (BSI), Germany’s cybersecurity agency.
Another German town, Bad Homburg, was hit by Emotet in December 2019. All servers and computers of the town administration were taken offline to stop the malware from spreading; the local administration stated that all systems were fully operational again as of December 30th, 2019.
How to Protect Your Organization Against Emotet Malware
While it might seem that Emotet has not changed its MO much since 2014, the opposite is true. Thanks to its modular DLL design, Emotet has been able to keep improving its techniques and has survived unfazed for more than five years.
The undesirable consequences of infection include, but are not limited to:
- loss of essential data,
- interruption of daily operations,
- considerable mitigation costs,
- and a damaged reputation for your organization.
For this reason, it is important not to disregard this threat to your enterprise, even after all these years. Below, I have listed seven essential points for your cybersecurity checklist that will strengthen your protection against Emotet. Keep reading to see what you can do, and make sure not to skip any of the following steps.
1. Use a Next-Generation Antivirus Solution for Your Enterprise
What makes Emotet so hard to eradicate is that it was designed to evade traditional file-based, signature-based antivirus detection: it is polymorphic, and its components live in encrypted registry entries rather than on disk. For this reason, you need software that watches what processes do, not just what files look like, so that it can keep up with evolved threats.
Our Thor Vigilance Enterprise is a next-generation antivirus solution with four state of the art malware detection layers and live process monitoring. In addition to this, it runs in the background without slowing the machines in your network down, which is always a plus.
2. Always Apply Software Updates and Patches When Released
Known vulnerabilities stay exploitable for as long as the affected software goes unpatched, and they become points of entry for all sorts of threats. Emotet itself usually arrives through a document macro rather than an exploit, but the companions it drops do exploit unpatched systems: TrickBot spreads over the same SMB flaw as WannaCry. Installing critical updates as soon as they are released is therefore a basic part of cyber-hygiene for your business network.
Our Thor Foresight Enterprise offers full vulnerability and software asset management, as well as global deployment of critical patches as soon as they are released. It complements any antivirus you already run, and it all happens behind the scenes, without disrupting your employees during working hours.
Together with Vigilance, Foresight becomes a complete endpoint detection and response solution. You can get both in one package with Thor Premium Enterprise, which combines their functionality in a single program.
3. Train Your Employees on Phishing and Social Engineering
As a business owner, it is your responsibility to provide your personnel with proper training on the phishing and social engineering practices that make malware such as Emotet so successful. There are a few reasonable practices that should be instilled in your organization’s workplace culture from the get-go, for instance:
- never providing log-in credentials in response to unsolicited requests,
- treating unexpected attachments with suspicion even when the sender is familiar (Emotet mails from compromised accounts and can reference real conversations, as in the Heise case),
- never enabling macros or “editing” on a document received by email just because the document asks for it,
- identifying fake branding in messages,
- checking the destination of a link before opening it,
- and always double-checking the validity of unusual requests through a second channel.
Of course, these are pretty basic security procedures, but they will take you far in terms of avoiding unwanted Trojan infections. For a more advanced education on the matter, you always have the option to bring in an expert.
4. Create a Company-Wide Policy Regarding Suspicious Emails
You’ve educated your employees on how to spot illegitimate activities from a mile away. Now what? The natural continuation here is to ask yourself the following question.
Does your company have a clear policy that outlines how employees should react to suspicious messages? If your answer to this question is a confused negative, then it’s about time to consider creating one.
Any suspicious incoming email should be reported to your IT or security department, whichever is better placed to handle it in your organization. They in turn can take the measures needed to stop further dubious (and potentially unlawful) messages from reaching your network, for instance by blocking the sender or the malicious domain at the mail gateway.
5. Block File Attachments That Are Associated with Malware
Another cyber-hygiene measure you can enforce is to block email attachments with file extensions commonly associated with malware, such as .exe and .dll, and to go one step further by blocking archives your gateway cannot open, such as password-protected .zip files.
Bear in mind, though, that Emotet’s attachments are rarely executables: the 2019 German campaign and the Heise case above started with a Word document whose macro fetched the actual loader from the internet. Block or quarantine macro-enabled Office documents (.docm, .xlsm) as well, inspect files by content rather than trusting the extension, and disable macros in files that come from the internet through Group Policy. Email filtering, covered next, takes this one step further.
6. Employ an Email Filtering System to Keep Malspam Out
As malspam campaigns become increasingly sly, your company’s need for advanced email protection grows. A filtering system such as our MailSentry E-Mail Security can help with that. Not only does it detect spam, but it also identifies messages that contain malicious domains, URLs, and IPs, and removes malware attachments.
It is also a complementary tool to both your existing email security and Microsoft 365 E-Mail. Given that Emotet has an Outlook scraper module that sends mail from compromised accounts, an additional layer of protection in front of your inboxes is well worth having.
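The attachment checks described in the two points above come down to one rule: classify by what is inside the file, not by what its name says. The inspector below is an added example written for this article, not code from MailSentry, from any other product or from Emotet. It builds constructed Word documents in memory (the `vbaProject.bin` placeholder only marks the presence of a VBA project; a real one is an OLE stream this example does not parse), allows macro-free OOXML, quarantines anything carrying a VBA project or hiding one behind a .docx extension, opens plain archives one level deep, refuses encrypted archives it cannot scan, and sends legacy OLE .doc files on for a VBA-aware scanner.

```python
"""Inspect email attachments by content, not by extension.

Added example for this article, not code from any product or from Emotet.
The documents are constructed in memory; the vbaProject.bin placeholder only
marks the presence of a VBA project and is not real VBA.
"""
import io
import zipfile
from typing import Dict, List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc/.xls container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTS = {"docx", "xlsx", "pptx"}           # these must never carry VBA


def make_docx(with_macro: bool) -> bytes:
    """Constructed OOXML package: just enough parts for the inspector to see."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        types += "</Types>"
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"placeholder, not real VBA")
    return buf.getvalue()


def wrap_in_zip(member_name: str, data: bytes) -> bytes:
    """Constructed .zip carrier, the way malspam often ships its documents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member_name, data)
    return buf.getvalue()


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> Dict[str, object]:
    """Return {'name', 'verdict', 'reasons'}; verdict is allow, deep-scan or quarantine."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    reasons: List[str] = []
    result: Dict[str, object] = {"name": name, "verdict": "allow", "reasons": reasons}

    if data.startswith(OLE_MAGIC):
        # Legacy binary Office format: VBA lives in an OLE stream this example does not parse.
        reasons.append("legacy OLE document; needs a VBA-aware scanner")
        result["verdict"] = "deep-scan"
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # not a container we handle; leave it to the regular AV scan

    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if any(info.flag_bits & 0x1 for info in z.infolist()):
            reasons.append("encrypted archive; contents cannot be scanned")
            result["verdict"] = "quarantine"
            return result
        names = z.namelist()
        if "[Content_Types].xml" in names:  # an OOXML document, whatever its extension says
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            has_vba = VBA_CONTENT_TYPE in content_types or any(
                n.lower().endswith("vbaproject.bin") for n in names)
            if has_vba:
                reasons.append("Office document carries a VBA project")
                if ext in MACRO_FREE_EXTS:
                    reasons.append(f"macro content behind a macro-free .{ext} extension")
                result["verdict"] = "quarantine"
            return result
        if depth == 0:  # plain archive: look at each member once, no deeper
            for member in names:
                inner = inspect_attachment(member, z.read(member), depth + 1)
                if inner["verdict"] != "allow":
                    result["verdict"] = inner["verdict"]
                    reasons.append(f"{member}: " + "; ".join(inner["reasons"]))
    return result


if __name__ == "__main__":
    samples = {
        "Overdue Invoice.docm": make_docx(True),
        "Payment Remittance Advice.docx": make_docx(False),
        "invoice.zip": wrap_in_zip("Overdue Invoice.docm", make_docx(True)),
    }
    for n, d in samples.items():
        r = inspect_attachment(n, d)
        print(f"{n}: {r['verdict']} {r['reasons']}")
```

The encrypted-archive branch cannot be exercised with the standard library, which writes only unencrypted archives, but it is the case that matters most in practice: a gateway that passes what it cannot open is exactly what a password-protected carrier is designed to exploit. Treat “unscannable” as a verdict, not as a pass.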
7. Practice Appropriate Privileged Access Management
Last, but certainly not least, adhering to the principle of least privilege is one of the most effective ways to limit an Emotet attack. It means that your staff have the minimum level of access needed to accomplish their tasks, and that administrator credentials are in the hands of a few designated individuals only. Emotet’s credential enumerator brute-forces accounts, including the administrator account, and writes itself to every share it can reach, so the fewer admin credentials and writable shares an ordinary user’s session can touch, the less far a single infected workstation can spread.
In this way, systems are shielded from attacks directed at employees with limited access. The downside is friction: your network administrator can spend a lot of time escalating and de-escalating rights, and employees end up waiting for permissions, wasting other resources in the process.
Having a tool such as Thor AdminPrivilege™ on hand is the ideal way to streamline the process and ensure everyone does their job without any unnecessary obstacles. This will give your network administrator full control of the escalation process, while at the same time providing automatic de-escalation when a threat is detected if used in tandem with our other products.
My Company Has Been Infected by Emotet Malware. Now What?
Against all odds and better judgment, infections still happen. Has your network fallen victim to Emotet? Here is what to do as an immediate reaction:
- Identify the infected machines and take them offline.
- Isolate the affected network segments, or temporarily shut down the whole network if the infection is spreading fast, as Frankfurt did.
- Do not log in to compromised machines with domain or local administrator credentials: Emotet harvests whatever credentials are used on an infected host.
- Reset all passwords used or stored on the affected devices, including service accounts and email accounts, since Emotet’s modules scrape both.
- Rebuild infected machines from a known-good image rather than trusting an antivirus cleanup; the Heise case shows a “cleaned” machine still talking to Emotet servers two days later.
- Find the source of the infection, and review both the user account involved and the email that delivered the malware.
To Sum It Up…
Further mitigation may be needed after a major infection. As Emotet’s long history shows, repairing the damage once the Trojan has burrowed into a network is expensive.
This is why I always recommend prevention as the first course of action, whether the threat is a Trojan, ransomware, or any other type of attack. Not only is it more cost-effective for your organization, but it also keeps your sensitive data protected in every scenario. We might have a long way to go before getting rid of Emotet for good. In the meantime, being proactive is the best way to go about business.