
Emotet Trojan

The Emotet Trojan is a polymorphic banking Trojan that was first seen in 2014. It is known for running spam campaigns and for its powerful modules, which allow it to steal credentials, read out emails and perform lateral movement on networks. Emotet communicates with a command and control server, which means that the bot herder is in control of every device that has been compromised via the Trojan.

Emotet is usually spread via email: it hides in attachments and, in some cases, tries to lure the potential victim into installing it by placing malicious URLs in the email.

The malicious URLs seen in these emails often point to hosts that have been compromised; the operators of the hosts serving the Emotet Trojan are often unaware that they have been breached.

Emotet can spread through networks: once an endpoint has been infected, the Trojan instructs that machine to move on through the network and look for vulnerable systems that can also be infected.

Emotet tries to use network shares; to do so it first attempts to recover or brute-force the local administrator password. Emotet also queries file share servers to obtain a view of all the endpoints connected to that share.

Repeated re-infections show that the Emotet Trojan was able to obtain administrator credentials.
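As an added defensive example (not part of the original page), the following Python script runs a heuristic over constructed Windows Security log lines to flag the lateral-movement pattern described above: many failed logons against the local Administrator account from one host, followed by a successful logon and access to an administrative share. Event IDs 4625, 4624 and 5140 are the standard Windows IDs for failed logon, successful logon and network share access; the threshold value and the sample log lines are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample Security-log lines (not real telemetry), in chronological
# order. Fields: event_id,source_ip,target_host,account,share (share only on
# 5140). Standard Windows IDs: 4625 failed logon, 4624 success, 5140 share access.
SAMPLE_LOG = """\
4625,10.0.0.15,FILESRV01,Administrator,
4625,10.0.0.15,FILESRV01,Administrator,
4625,10.0.0.15,FILESRV01,Administrator,
4625,10.0.0.15,FILESRV01,Administrator,
4625,10.0.0.15,FILESRV01,Administrator,
4624,10.0.0.15,FILESRV01,Administrator,
5140,10.0.0.15,FILESRV01,Administrator,\\\\*\\ADMIN$
4625,10.0.0.22,WKS07,jdoe,
4624,10.0.0.22,WKS07,jdoe,
"""

FAILED_LOGON, SUCCESS_LOGON, SHARE_ACCESS = "4625", "4624", "5140"
BRUTE_FORCE_THRESHOLD = 5  # assumed tuning value; adjust to your environment
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")

def parse_events(text):
    """Parse the CSV-style lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event_id, src, host, account, share = line.split(",", 4)
            events.append({"id": event_id, "src": src, "host": host,
                           "account": account, "share": share})
    return events

def find_brute_force_then_share(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Return (source_ip, target_host, account) triples where at least
    `threshold` failed logons were followed by a success and then access
    to an administrative share from the same source against the same host."""
    state = defaultdict(lambda: {"fails": 0, "authenticated": False})
    alerts = []
    for ev in events:
        key = (ev["src"], ev["host"], ev["account"])
        s = state[key]
        if ev["id"] == FAILED_LOGON:
            s["fails"] += 1
        elif ev["id"] == SUCCESS_LOGON and s["fails"] >= threshold:
            s["authenticated"] = True  # password guessed after many failures
        elif (ev["id"] == SHARE_ACCESS and s["authenticated"]
              and ev["share"].endswith(ADMIN_SHARES) and key not in alerts):
            alerts.append(key)
    return alerts

if __name__ == "__main__":
    for src, host, account in find_brute_force_then_share(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {src} guessed {account}@{host} then opened an admin share")
```

The single normal user on WKS07 (one failure, then success) is deliberately not flagged, which illustrates why the threshold matters.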

Emotet: The Trojan that just will not go away

The disruptive Emotet Trojan is here to stay. Learn more about this devastating Trojan now. Emotet was designed with the main goal of acting as a banking Trojan: it was developed to steal financial data.

“Emotet was first reported in Germany, Austria, and Switzerland in 2014”

blog.trendmicro.com

Infect, Move, Infect more

Emotet is armed with code that allows it to exploit vulnerable systems. Once an endpoint has been infected with the Emotet Trojan, the malicious code forces that endpoint to perform attacks in order to gain credentials or to send spam.

What is Emotet

Emotet examples

Modules in the Emotet Trojan

Banking module

The banking module in Emotet intercepts network traffic from browsers in order to steal banking details entered by the user.

Email client infostealer module

The sole purpose of this module is to steal credentials from email clients which are installed on the endpoint.

Browser infostealer module

This module is crafted to steal data from the browser, such as browsing history and saved passwords. The collected information is then used again to continue the bot herder's campaign.

PST infostealer module

This module reads out stored emails in order to collect the sender names and email addresses they contain. Once this information has been collected, it can be used for spam campaigns.

Damage after Emotet infection includes:

temporary or permanent loss of sensitive or proprietary information
disruption to regular operations
financial losses incurred to restore systems and files
potential harm to an organization’s reputation

Tips against Emotet

create regular backups
perform system hardening
patch and update your endpoints
use an antivirus

“Emotet is commonly spread by email, using infected attachments, as well as embedded URLs. These emails may appear to come from trusted sources, as Trojan.Emotet takes over the email accounts of its victims. This helps trick users into downloading the Trojan onto their machine.”

blog.malwarebytes.com/detections/trojan-emotet/

“Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans.”

www.us-cert.gov/ncas/alerts/TA18-201A

Emotet Infection Chain

1: Spam Email with malicious URL

2: URL leads to malicious macro

3: Macro downloads Emotet's loader

4: Loader downloads next stage payloads

Emotet URL structure examples

The picture on the left shows how Emotet tries to lure unaware users to malicious sites with genuine-looking URLs. Emotet uses keywords such as ‘Invoice’ to grab the victim's attention.

Most of the sites that host Emotet payloads have been compromised; their administrators often do not know that they have been infected.

Thanks to

This page was compiled using information from:

  1. https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf
  2. blog.malwarebytes.com/detections/trojan-emotet/
  3. us-cert.gov/ncas/alerts/TA18-201A
  4. symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor
  5. https://urlhaus.abuse.ch/browse/tag/emotet/
  6. https://resources.malwarebytes.com/files/2019/01/Malwarebytes-Labs-2019-State-of-Malware-Report-2.pdf

Thank you

Top 10 industries affected by the Emotet Trojan

  1. Consulting
  2. Education
  3. Manufacturing
  4. Hospitality/Leisure
  5. Government
  6. Retail
  7. Transportation and logistics
  8. Chemicals
  9. Healthcare
  10. Technology