Emotet Malware Over the Years: The History of an Active Cyber-Threat
#1
Bug 
Quote:

What Is Emotet Malware and How Can You Stop It? Protecting Your Business from the Most Resilient Trojan Out There

Malware strains come and go while Internet users become more and more accustomed to online threats being dealt with swiftly by the competent authorities. But what happens when a Trojan constantly eludes everyone’s best efforts to stop it in its tracks?
 
In this article, I will go over the complex history of one of the longest-running cybercrime operations in recent history, Emotet. Keep reading to find out what it is, how it operates, and what it uses to take control of an entire network. And if you want to find out what you can do to protect your organization against this still active threat, stay tuned until the end.

What Is Emotet Malware?

Emotet belongs to the malware strain known as banking Trojans. It primarily spreads through malspam, which are spam emails that contain malware (hence the term). These messages often contain familiar branding, mimicking the email format of well-known and trusted companies such as PayPal or DHL to convince users.

Through this medium, the infection may be delivered in several ways:
  • malicious scripts,
  • phishing links,
  • or macro-enabled document files.
The cunning virus with worm-like capabilities was first identified by Joie Salvio, an experienced threat analyst.

The actor behind Emotet is a hacker group known as Mealybug. Since starting in 2014 with the first and simplest version of the Trojan, they have turned their operation into a successful crimeware rink that provides Malware-as-a-Service (MaaS).

The group achieved this by creating a botnet of infected computers on Emotet malware infrastructure, which they then sold access to. The botnet runs from three clusters of servers known as Epoch 1, Epoch 2, and Epoch 3. They rented this framework to various ransomware ventures, including the infamous Ryuk gang.

While Mealybug profit from their malicious leasing scheme, huge financial strain is put on their victims when they try to mitigate attacks.

According to a cybersecurity alert put out by the Department of Homeland Security in July 2018,
 
Quote:Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

How Does Emotet Malware Operate?

When Joie Salvio first documented Emotet malware in 2014, the malware was at its first and most standard version. Spreading through malspam, the nasty emails that contained it usually posed as shipping invoices or bank transfer details, persuading users to click on various links. At first, its targets consisted mainly of small German and Austrian banks, as well as their respective customers.

Once the user takes the bait and the virus enters the network, it proceeds to download its components. These include a configuration file containing details about the victims, as well as a .DLL (Dynamic Link Library) that is injected into all system processes. The latter is responsible for the intercepting and logging of outgoing traffic, a practice known in the cybersecurity world as “network sniffing”.

When the .dll file is inoculated into a browser, it compares the user’s input with its configuration. If the website is a match, it proceeds to save it and steal your data. This can happen even if you are accessing a secure HTTPS connection.

The website components Emotet downloads are stored in separate encrypted registry entries, which is something regular users seldom check. Malicious activity can thus fall through the cracks, as well as evade file-based antivirus detection.

As far as the original report on the virus is concerned, what is most notable is the worm’s sophistication. However, as time went on, Emotet malware became even more refined in its infection techniques. A technical alert issued by the Multi-State Information Sharing & Analysis Center (MS-ISAC) in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC) in 2018 established that its MO is mainly as a dropper of other banking Trojans.

What is more, it seems that Emotet adapted and evolved over the years, constantly escaping detection and managing to thrive. In the same document, the virus is described as being a:
 
Quote:polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities.

Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

How Does Emotet Malware Spread?

Emotet malware infiltrates computers through a network spreader component which consists of several spreader modules. Five known spreader modules power the malware as per the findings of the aforementioned and quoted technical alert:
  • NetPass.exe, a legitimate password recovery tool developed by NirSoft. It can retrieve all passwords stored in a system for a logged-in user, as well as those kept on external drives.
  • WebBrowserPassView, another password recovery tool that operates in most known web browsers. The list includes Google Chrome, Internet Explorer, Mozilla Firefox, Opera, and Safari.
  • MailPassView, a third password recovery tool that gathers information from popular email providers such as Gmail, Microsoft Outlook, Hotmail, Yahoo! Mail, Windows Mail, and Mozilla Thunderbird.
  • Outlook scraper, a malicious utility that scrapes credentials from the users’ Outlook accounts and uses this info to send out further phishing emails.
  • A credential enumerator, which is a self-extracting archived .RAR file composed of a service component and a bypass component. By harnessing information collected by the four modules mentioned above, it either tries to brute force access accounts or locate writable share drives with the help of Server Message Block (SMB). When it eventually finds an available system, it writes the Emotet service component onto the network, which infects the entire disk.
...
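The credential enumerator described in the quoted article tries brute-forced logons and SMB shares across a network, which leaves a recognisable trace in Windows Security logs: a burst of failed network logons (event 4625, logon type 3) against many different accounts from one source host, often followed by a success (4624). The following is an added detection example, not code from the article or from Heimdal; the event lines are constructed samples in a simplified one-line-per-event format, and the thresholds (5 failures against 3 or more accounts within 60 seconds) are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real telemetry), one per line:
# "<ISO timestamp> <event id> <source ip> <target account> <logon type>"
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network (SMB).
SAMPLE_EVENTS = """\
2018-07-20T10:00:01 4625 10.0.0.23 administrator 3
2018-07-20T10:00:02 4625 10.0.0.23 jsmith 3
2018-07-20T10:00:02 4625 10.0.0.23 backup 3
2018-07-20T10:00:03 4625 10.0.0.23 svc_sql 3
2018-07-20T10:00:04 4625 10.0.0.23 helpdesk 3
2018-07-20T10:00:06 4624 10.0.0.23 helpdesk 3
2018-07-20T10:05:00 4625 10.0.0.51 mlee 2
2018-07-20T10:05:30 4625 10.0.0.51 mlee 2
2018-07-20T10:06:00 4624 10.0.0.51 mlee 2
"""

def parse_events(text):
    """Parse the line format above into (time, event_id, source, user, logon_type)."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, src, user, ltype = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), src, user, int(ltype)))
    return events

def find_spray_sources(events, window=timedelta(seconds=60), min_failures=5, min_accounts=3):
    """Return {source: {"failures": n, "accounts": m, "success_after": bool}} for every
    source whose network-logon failures within any `window` reach both thresholds."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        if ev[4] == 3:  # only network logons are relevant to SMB-based lateral movement
            by_src[ev[2]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == 4625]
        for i, first in enumerate(fails):
            in_win = [e for e in fails[i:] if e[0] - first[0] <= window]
            accounts = {e[3] for e in in_win}
            if len(in_win) >= min_failures and len(accounts) >= min_accounts:
                # A later successful network logon from the same source is the worrying part.
                success = any(e[1] == 4624 and e[0] >= first[0] for e in evs)
                hits[src] = {"failures": len(in_win), "accounts": len(accounts),
                             "success_after": success}
                break
    return hits

if __name__ == "__main__":
    for src, info in find_spray_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f"suspicious source {src}: {info}")
```

The interactive-logon failures from 10.0.0.51 (logon type 2, a single account) are deliberately ignored, so only the spraying host is reported.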