Emotet: the malware that disrupted the private sector for 7 years.

Lïa Desmousseaux de Givré



Emotet was originally a banking Trojan whose role was to discreetly infiltrate computers in order to steal sensitive information such as banking credentials. The malware carried out malicious tasks such as deleting software, copying itself to other physically connected devices, or deleting files.

A complete Emotet cleanup on a network could cost up to one million dollars, as was the case with the attack on the city of Allentown in the USA.

Emotet initially spread through spam emails carrying malware (malspam).

The first step of an Emotet attack was to infiltrate as many computers as possible through massive phishing campaigns.

The emails distributed fraudulent Word documents, either attached to the email or downloadable by clicking on a link in it. Once the Word document was opened, the victim had to enable macro execution. This allowed the malicious code to run and install the Emotet malware. Then, using the newly infected host, Emotet sent new phishing emails to the victim's contacts, impersonating the victim.

To bypass mailbox antivirus scans, the malware placed the infected document in a password-protected ZIP archive. The password needed to open the archive was included in the email body so that the user could extract it.

Since mailbox antivirus programs cannot interpret the text of the email body in order to decrypt and scan the archive, they could not check the contents of the attachments and therefore delivered them to the mailboxes.

Once inside the network, the malware spread to interconnected computers by trying a list of commonly used passwords against each one.
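Password guessing across a network leaves a characteristic trace: one source producing failed logons against many different hosts or accounts in a short window, which looks nothing like a single user mistyping a password. The following added example (not from the original article) runs that fan-out check over a few constructed Windows-style logon records; the event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows ones, while the line format, hosts, account names and thresholds are assumptions made for the example.

```python
"""Fan-out detector for password guessing against many hosts/accounts.

Added example, not from the original article. Input lines are a constructed,
simplified rendering of Windows logon events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
WINDOW = timedelta(minutes=10)      # assumed: look-back per source
MIN_DISTINCT_TARGETS = 5            # assumed: distinct (host, account) pairs to alert

# Constructed sample: one user mistypes twice (10.0.0.9); one host sprays
# six targets in ten seconds and then gets in as svc_backup (10.0.0.5).
SAMPLE_LOG = """\
2020-07-02T09:00:01 4625 src=10.0.0.9 host=WS-03 user=bob
2020-07-02T09:00:05 4625 src=10.0.0.9 host=WS-03 user=bob
2020-07-02T09:00:30 4624 src=10.0.0.9 host=WS-03 user=bob
2020-07-02T09:10:00 4625 src=10.0.0.5 host=WS-11 user=administrator
2020-07-02T09:10:02 4625 src=10.0.0.5 host=WS-12 user=administrator
2020-07-02T09:10:04 4625 src=10.0.0.5 host=WS-13 user=administrator
2020-07-02T09:10:06 4625 src=10.0.0.5 host=WS-14 user=svc_backup
2020-07-02T09:10:08 4625 src=10.0.0.5 host=WS-15 user=svc_backup
2020-07-02T09:10:10 4625 src=10.0.0.5 host=WS-16 user=svc_backup
2020-07-02T09:10:15 4624 src=10.0.0.5 host=WS-16 user=svc_backup
"""


def parse_line(line):
    """'<iso-timestamp> <event-id> key=value ...' -> dict with ts, eid and the keys."""
    ts, eid, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "eid": int(eid), **fields}


def detect_spraying(log_text, window=WINDOW, min_targets=MIN_DISTINCT_TARGETS):
    """Return one alert per source whose failed logons fan out across
    at least `min_targets` distinct (host, account) pairs inside `window`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["eid"] == FAILED_LOGON]
        best, best_start = 0, None
        # Slide a window anchored on each failure; keep the widest fan-out seen.
        for i, first in enumerate(failures):
            in_window = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            distinct = {(e["host"], e["user"]) for e in in_window}
            if len(distinct) > best:
                best, best_start = len(distinct), first["ts"]
        if best >= min_targets:
            # A success from the same source after the spray began is the
            # highest-priority signal: a guessed password now works somewhere.
            successes = [(e["host"], e["user"]) for e in evs
                         if e["eid"] == SUCCESS_LOGON and e["ts"] >= best_start]
            alerts.append({"src": src, "distinct_targets": best,
                           "first_seen": best_start.isoformat(),
                           "successful_logons_after": successes})
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG):
        print(alert)
```

Keying on distinct (host, account) pairs rather than raw failure counts is what separates spraying from a locked-out user: the latter generates many failures against one pair.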

The software also used phishing methods, as well as the EternalBlue and DoublePulsar exploits, just like WannaCry. These were discovered and developed by the NSA to implant a backdoor in vulnerable computers, and they allowed Emotet to move across an internal network and infect other devices.

As we will see shortly, Emotet evolved over time: although at first it only exfiltrated data, the malware later gained the ability to install other programs such as the TrickBot banking Trojan and the Ryuk ransomware.

Emotet was first sighted in 2014. It was identified as a banking Trojan that targeted sensitive banking credentials and information on the victim's network, before becoming a modular Trojan that allowed for more versatile attacks.

The first version of the malware focused on stealing information related to the victim's bank accounts. The second version included a money transfer system as well as a module that targeted German and Austrian banks.

In January 2015, a third version of Emotet was released, incorporating modifications to be more discreet and less detectable. In 2017, the software became even more formidable: it installed other malware such as TrickBot or Ryuk, creating new possibilities for the attacker.

In the LadyBird operation, authorities from several countries (Netherlands, Germany, USA, Canada, UK, France, Lithuania, and Ukraine) managed to take control of the servers used by Emotet to operate the malware. Emotet consisted of three server associations, Epoch 1, Epoch 2, and Epoch 3. The operation made 700 servers associated with Emotet unusable, helping to stem the Trojan's spread.

In January 2021, the German police (BKA) pushed an update to infected computers to destroy Emotet. The update contained a 32-bit DLL called "EmotetLoaderdll" that automatically disabled Emotet on compromised devices on April 25, 2021. The BKA deployed the update using the same channels that Emotet used to spread.

Malwarebytes also confirmed the uninstallation of Emotet on their test machine, which had been infected for threat analysis. However, this update does not uninstall other malware that was installed via Emotet.

Emotet did not have a specific target. The software first infected as many machines as possible to impersonate individuals in phishing emails, thus facilitating its spread.

The final targets were mostly businesses and government entities in Europe and the United States.

In February 2018, Allentown, a city in Pennsylvania, suffered an Emotet attack that infected government computers and stole employee login credentials. Microsoft intervened to minimize the damage and the cost of eradicating the malware. The attack cost one million dollars for a city of 120,000 inhabitants.

Emotet also infected Heise Online, a German publishing house, in May 2019. The attack vector was a simple phishing email indicating a money transfer with a business partner. An employee of the company opened an attachment contained in the email, allowing several external machines linked to Emotet to gain access to the company's network.

In September 2019, the Department of Internal Affairs of the Berlin Senate and the Kammergericht supreme court fell victim to Emotet. 550 computers had to be disconnected from the state's system because the malware was identified too late.

In July 2020, Emotet launched a series of attacks worldwide. In France, the Paris Tribunal, Orléans, and around ten académies (regional education authorities) - Tours, Nantes, Rennes, Amiens, Nancy, Strasbourg, Lyon, Grenoble, Montpellier, Toulouse, Aix-Marseille, Versailles, Paris, and Créteil - fell victim to the malware. A few months later, Air France KLM and the IT services company Umanis were also infected by Emotet.

In 2018, Symantec identified the operators behind Emotet, naming them Mealybug. The group also goes by other names: Mummy Spider, GoldCrestwood, or TA542, as mentioned in the ANSSI report. A group of anti-Emotet volunteers chose to call themselves Cryptolaemus, after a beetle that preys on scale insects such as mealybugs.

According to Trend Micro, the operators of Emotet, Dridex, and Gozi ISFB (Ursnif) - three different malware families - share a provider and may exchange resources. In fact, Gozi ISFB uses the same macro-obfuscation method as Emotet, and the Japanese company has observed this method only in Emotet and Gozi ISFB.

Qakbot, or Qbot, is a banking Trojan identified in 2007. It has several similarities with Emotet: both use the same tool to hide, encrypt, compress, or change the format of a file, and both operators used email thread hijacking to distribute their malware through compromised WordPress sites.

Based on these clues, Trend Micro suggests that the operators behind Gozi ISFB, Emotet, and Qakbot may collaborate and even be part of the same team.

Emotet is a Trojan that has managed to make a name for itself. Many articles recount its history, its operation, and its various attacks. Despite the global impact of the malware, the LadyBird operation is a great example of cooperation among different national law enforcement agencies, and the intervention offers a glimpse into the fight against cybercrime. Many more attacks are likely ahead, reinforcing the relentless battle against digital threats.

Once again, the ability of a Trojan to spread through phishing campaigns is striking. If users had not opened suspicious attachments and enabled their macros, the spread would have been far more limited.

This once again demonstrates the need to train your employees. They must handle emails with vigilance and take responsibility for the impact of their actions on company security.
