What is Emotet?
Originally, Emotet was malware classified as a banking Trojan. Its role was to discreetly infiltrate computers to steal sensitive information such as banking credentials. The malware performed malicious tasks such as deleting software, copying itself to other physically connected devices, or deleting files.
The complete removal of Emotet from a network could cost up to a million dollars, as seen in the software attack on the city of Allentown in the USA.
Emotet initially spread through phishing emails known as "malspam" (malware spam).
How did it work?
The first step of an Emotet attack was to infiltrate as many computers as possible through massive phishing campaigns.
The emails carried fraudulent Word documents, either attached or downloadable via a link in the message. Once the Word document was opened, the victim had to enable the execution of macros. Doing so executed the malicious code that installed the Emotet malware. The newly infected computer then sent new phishing emails to the victim’s contacts, impersonating the victim.
To bypass antivirus scans on email servers, the malware placed the infected document in an encrypted, compressed ZIP archive. The password required to open the archive was included in the email body so that the user could open it.
Because antivirus engines on email servers could not interpret the text in the email body to decrypt and scan the archive, they could not verify the contents of the attachments and therefore delivered them to inboxes.
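The gap described above can be closed at the mail gateway by treating an encrypted ZIP attachment as unscannable and checking whether the body supplies its password. The following is an added example, not code from the original article; the function names, the password regex and the verdict labels are hypothetical, and the sample message is constructed.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical heuristic: a password-like token right after a keyword in the body.
PASSWORD_HINT = re.compile(r"(?i)\b(?:password|passcode|pwd)\b\W{0,5}(\S{3,32})")

def encrypted_entries(blob: bytes) -> list:
    """Names of ZIP members whose general-purpose flag bit 0 (encrypted) is set."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []  # not a ZIP archive at all

def triage(raw: bytes) -> dict:
    """Classify a raw RFC 5322 message by what the scanner can actually see."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    candidates = PASSWORD_HINT.findall(body.get_content() if body else "")
    locked = []
    for part in msg.iter_attachments():
        locked += encrypted_entries(part.get_payload(decode=True) or b"")
    if locked and candidates:
        verdict = "quarantine"       # unscannable archive plus its key in the body
    elif locked:
        verdict = "hold-for-review"  # contents cannot be inspected
    else:
        verdict = "scan-normally"
    return {"verdict": verdict, "encrypted": locked, "password_candidates": candidates}

def sample_message() -> bytes:
    """Constructed sample: a harmless ZIP with the encrypted flag patched on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", "constructed placeholder, not a real document")
    data = bytearray(buf.getvalue())
    data[data.index(b"PK\x01\x02") + 8] |= 0x01  # flag bit 0 in the central directory
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached file. Password: 7741")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(sample_message()))
```

The extracted password candidates can be handed to a sandbox that opens the archive with them, so the document inside is scanned before delivery.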
Once on the network, the malware spread through connected computers by testing each one with a list of commonly used passwords.
In addition to phishing methods, the software also exploited the EternalBlue and DoublePulsar vulnerabilities, just like WannaCry. These flaws were discovered and developed by the NSA to implant a backdoor into vulnerable computers. These vulnerabilities allowed Emotet to spread on an internal network of systems to infect other devices.
As we will see later, Emotet evolved over time. Although it initially only exfiltrated data, the malware later evolved to enable the installation of other programs such as the Trickbot banking Trojan and the Ryuk ransomware.
The History of Emotet
The Emotet malware was first recorded in 2014. It was identified as a banking Trojan (targeting sensitive banking credentials and information on the targeted network) before becoming a modular Trojan, enabling more versatile attacks.
The first version of the malware aimed to steal information related to the victim's bank accounts. The second version integrated a money transfer system and a module targeting German and Austrian banks.
In January 2015, a third version of Emotet was introduced, including modifications to be more discreet and less detectable. In 2017, the software became even more dangerous: it installed other malware such as TrickBot or Ryuk, creating new possibilities for the attacker.
In an operation called LadyBird, authorities from several countries (Netherlands, Germany, USA, Canada, UK, France, Lithuania, and Ukraine) managed to take control of the servers used by Emotet to operate the malware. Emotet was composed of three server groups, Epoch 1, Epoch 2, and Epoch 3. The operation rendered 700 servers associated with Emotet inoperable, halting the Trojan's spread.
In January 2021, German police (BKA) released an update to infected computers to destroy Emotet. The update contained a 32-bit DLL named “EmotetLoader.dll,” which automatically disabled Emotet on infected devices on April 25, 2021. The BKA deployed the update using the same channels Emotet used to spread.
The company Malwarebytes confirmed the removal of Emotet from its test machine, which had been infected for threat analysis purposes. However, this update did not remove the other malware installed via Emotet.
Emotet’s Targets
Emotet had no specific target. The software first infected as many machines as possible to impersonate individuals in phishing emails, thereby facilitating its spread.
The final targets were mostly companies and government entities located in Europe and the United States.
In February 2018, Allentown, a city in Pennsylvania, suffered an Emotet attack that infected government computers and stole employee login credentials. Microsoft intervened to reduce the damage and the costs of eradicating the virus. The attack's damage cost one million dollars for a city of 120,000 inhabitants.
Emotet also infected Heise Online, a German publishing house, in May 2019. The attack vector was a simple phishing email indicating a money transfer with a business partner. An employee of the company opened an attachment contained in the email. The opening allowed several external machines linked to Emotet to access the company’s network.
In September 2019, the Department of Internal Affairs of the Berlin Senate, as well as the high court Kammergericht, fell victim to Emotet. 550 computers had to be disconnected from the State system because the malware was identified too late.
In July 2020, Emotet struck again with a series of attacks around the world. In France, the Paris Tribunal, Orléans, and a dozen academies—Tours, Nantes, Rennes, Amiens, Nancy, Strasbourg, Lyon, Grenoble, Montpellier, Toulouse, Aix-Marseille, Versailles, Paris, and Créteil—fell victim to the malware. A few months later, Air France KLM and the IT company Umanis were infected by Emotet.
The Operators Behind the Malware
In 2018, Symantec identified the operators behind Emotet, naming them Mealybug. The group has other names: Mummy Spider, GoldCrestwood, or TA542, as mentioned in an ANSSI report. An anti-Emotet group chose to name themselves Cryptolaemus, a species of beetle that hunts mealybugs.
According to Trend Micro, the operators of Emotet, Dridex, and Gozi ISFB (Ursnif), three different malware families, share a common provider and may exchange resources. Indeed, Gozi ISFB uses the same macro obfuscation method as Emotet. The Japanese company identified this method only in Emotet and Gozi ISFB.
Qakbot or Qbot is a banking Trojan identified in 2007. It shares several similarities with Emotet: both use the same tool to obfuscate a file, encrypt it, compress it, or change its format. The two operators used the thread hijacking technique to distribute both through compromised WordPress sites.
With these clues, Trend Micro speculates that the operators behind Gozi ISFB, Emotet, and Qakbot might collaborate and even be part of the same team.
Emotet is a Trojan that has certainly made headlines. Many articles document its history, operation, and various attacks. Despite the malware’s global impact, Operation LadyBird remains a remarkable example of cooperation among national law enforcement agencies. The intervention also gives us a glimpse of the fight against cybercrime. Many more attacks are likely ahead, intensifying this relentless battle against digital threats.
Even more impressive is the ability of a Trojan to spread through phishing campaigns. If users had not opened and executed macros from suspicious attachments, the spread would have been much more limited.
Once again, this demonstrates the need to train your employees. They must handle emails with vigilance and be responsible for the impact of their actions on the company's security.