
Emotet Botnet – The Internet’s Most Dangerous Malware
What is Emotet and How Does It Spread?
Emotet is not a virus in the strict sense; it first appeared as a banking Trojan in 2014. The original attacks aimed to intercept online banking data from German and Austrian customers. Emotet can also download and execute additional modules with other malicious functions. It strikes mainly via email and targets private users as well as companies, hospitals, government institutions and critical infrastructure.
You may have heard the recent news about Emotet, in which police across the UK, US, EU and Canada seized thousands of computers running one of the most dangerous hacking networks, the Emotet botnet, and successfully disrupted it. So, what is Emotet and how does it spread?
Introduction to Emotet
Emotet is a Trojan that primarily spreads through spam emails. It may arrive as a malicious script, a macro-enabled document or a malicious link. Emotet emails often use familiar branding designed to look like a genuine message, and they try to persuade users to open the malicious file with tempting language about an invoice, payment details or an upcoming shipment from a well-known courier company.
Emotet has gone through several iterations. Its earliest versions arrived as a malicious JavaScript file; later versions switched to macro-enabled documents that retrieve the payload from command and control (C&C) servers run by the attackers.
The Trojan uses several tricks to evade detection and analysis. Emotet can tell when it is running inside a virtual machine (VM) and lies dormant if it detects a sandbox, the safe, controlled environment that security researchers use to observe malware.
Emotet also uses its C&C servers to receive updates. This works much like operating system updates on a PC and happens seamlessly, without any outward sign. It lets the attackers push new versions of the software, install additional malware such as other banking Trojans, or use the infected machine as a dumping ground for stolen information such as financial credentials (usernames and passwords) and email addresses.
How Does It Spread?
The primary distribution method for Emotet is email spam (malspam). Emotet harvests the victim's contact list and sends itself to that person's friends, family, co-workers and clients. Because these emails come from a hijacked account, they look less like spam, and the recipients, feeling safe, are more inclined to click bad URLs and download infected files.
On a connected network, it spreads by running through a list of common passwords and brute-forcing its way onto other systems. If the password to the all-important human resources server is 'password', Emotet may well find its way there.
Researchers initially reported that Emotet also spread using the EternalBlue/DoublePulsar vulnerabilities that were responsible for the WannaCry and NotPetya attacks. Today it is clear that this is not the case. What led researchers to that conclusion was that TrickBot, a Trojan frequently delivered by Emotet, uses the EternalBlue exploit to spread itself across a network. It was TrickBot, not Emotet, that exploited the EternalBlue and DoublePulsar vulnerabilities.
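The password brute-forcing described above leaves a recognisable trace in authentication logs: many failed logons from one source host against one target, spread over several accounts in a short time, often followed by a success once a weak password matches. The following detector is an added example written for this article, not code from the original page or from any Emotet analysis; the log format and the sample lines are constructed, and the thresholds (5 failures against 3 or more accounts within 60 seconds) are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Emotet telemetry), one logon attempt per line:
# <ISO timestamp> src=<source host> dst=<target host> user=<account> result=FAIL|SUCCESS
SAMPLE_LOG = """\
2021-01-27T09:00:01 src=WS-017 dst=HR-SRV01 user=admin result=FAIL
2021-01-27T09:00:02 src=WS-017 dst=HR-SRV01 user=administrator result=FAIL
2021-01-27T09:00:02 src=WS-017 dst=HR-SRV01 user=hr result=FAIL
2021-01-27T09:00:03 src=WS-017 dst=HR-SRV01 user=backup result=FAIL
2021-01-27T09:00:03 src=WS-017 dst=HR-SRV01 user=svc_hr result=FAIL
2021-01-27T09:00:04 src=WS-017 dst=HR-SRV01 user=svc_hr result=SUCCESS
2021-01-27T09:05:00 src=WS-042 dst=FILE-SRV user=mjones result=FAIL
2021-01-27T09:05:09 src=WS-042 dst=FILE-SRV user=mjones result=SUCCESS
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_events(text):
    """Parse log text into a list of dicts; malformed lines are skipped, never fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_brute_force(events, window=timedelta(seconds=60), min_failures=5, min_accounts=3):
    """Flag (src, dst) pairs with >= min_failures failed logons against >= min_accounts
    distinct accounts inside a sliding time window. A success from the same pair shortly
    after the burst is recorded too, because that is the moment the worm has landed."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        key = (e["src"], e["dst"])
        (failures if e["result"] == "FAIL" else successes)[key].append(e)

    alerts = []
    for key, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            span = fails[start:end + 1]
            accounts = {e["user"] for e in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                last_fail = fails[end]["ts"]
                success_after = any(
                    last_fail <= s["ts"] <= last_fail + window for s in successes.get(key, [])
                )
                alerts.append({
                    "src": key[0],
                    "dst": key[1],
                    "failures": len(span),
                    "accounts": sorted(accounts),
                    "success_after": success_after,
                })
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the detector raises a single alert for WS-017 against HR-SRV01 (five failures across five accounts, followed by a success), while the user on WS-042 who mistyped a password once is not flagged. The distinct-account threshold is what separates a worm trying a password list from a person fumbling their own login.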
Possible Solutions
To protect a system effectively against Emotet, one has to focus primarily on the main gateway of the malicious program, which is email. Quite a few companies offer protection against Emotet. For instance, Hornetsecurity's Advanced Threat Protection offers to detect Emotet, block the emails that carry it and isolate the malware. Beyond that, Emotet attacks can be prevented by following these measures:
- Because Emotet frequently hides in MS Office files and needs macros to install its malicious programs, it makes sense to disable macros. In many private and business settings they are not needed at all. Where macros are indispensable, allow only digitally signed ones.
- Back up data regularly.
- Install security updates immediately for operating systems, anti-virus programs, web browsers, email clients and office programs.
- Monitor the company network continuously, since this is how an Emotet infection can be spotted in good time.
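Since macro-enabled Office documents are the main carrier, a mail gateway can refuse them on content rather than on file extension. The script below is an added example written for this article, not code from the original page or from Hornetsecurity's product. It relies on two facts about Office formats: OOXML files (.docx, .docm, .xlsm and so on) are zip containers in which a VBA macro project is stored as a part named vbaProject.bin, and legacy binary formats (.doc, .xls) are OLE compound files with a fixed eight-byte magic. The sample documents it builds are constructed placeholders, not real Word files, and the verdict names are assumptions.

```python
import io
import zipfile

# OOXML documents are zip containers; a VBA macro project is stored as a part named
# vbaProject.bin regardless of which extension the file carries.
MACRO_PART = "vbaproject.bin"
# Legacy binary Office formats (.doc/.xls) are OLE compound files beginning with this magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta"}


def inspect_attachment(filename, data):
    """Return a verdict ('block', 'quarantine' or 'allow') and a reason for one attachment."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in SCRIPT_EXTENSIONS:
        return {"verdict": "block", "reason": f"script attachment ({ext})"}
    if data.startswith(OLE_MAGIC):
        # Parsing OLE streams for a VBA project is out of scope here; legacy binaries
        # may carry macros, so hand them to a sandbox or analyst instead of delivering.
        return {"verdict": "quarantine", "reason": "legacy OLE Office document, macros possible"}
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return {"verdict": "quarantine", "reason": "corrupt zip container"}
        if any(p.endswith(MACRO_PART) for p in parts):
            # Decide on content, not on the extension: a macro document renamed to .docx
            # still contains the VBA part.
            return {"verdict": "block", "reason": f"OOXML document contains a VBA project ({ext})"}
        return {"verdict": "allow", "reason": "OOXML document without VBA project"}
    return {"verdict": "allow", "reason": "no Office macro indicators"}


def make_ooxml(with_macro):
    """Build a constructed, minimal OOXML-like zip for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", make_ooxml(True)),
        ("invoice.docx", make_ooxml(True)),   # macro document renamed to look harmless
        ("report.docx", make_ooxml(False)),
        ("shipment.doc", OLE_MAGIC + b"\x00" * 32),
        ("payment.js", b"// constructed script body"),
    ]
    for fname, blob in samples:
        print(fname, inspect_attachment(fname, blob))
```

The renamed-document case is the one worth noting: a .docx that carries a vbaProject.bin part is blocked just like a .docm, because the verdict is driven by what is inside the container. Legacy .doc files are quarantined rather than allowed, since deciding whether an OLE file contains a macro needs a proper OLE parser.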