Emotet: The horse returns to a gallop more dangerous than ever

Emotet, a notorious malware classified as a Trojan Horse, first emerged in 2014 and quickly ascended to prominence as one of the most significant cyber threats of the decade, impacting over 1.6 million devices. Originally developed by the MealyBug criminal organization, Emotet was designed to pilfer banking credentials. Once it infiltrated a system, the malware could download various modules aimed at data exfiltration. Among these modules were those employing brute-force algorithms to uncover passwords stored in browsers and on the infected machines.

As Emotet evolved, its remarkable efficiency in spreading led to a reconfiguration that allowed it to act as a modular Trojan-dropper, significantly amplifying its threat level. This transformation enabled the malware to download a variety of payloads onto compromised devices, increasing its potential for damage.

In a strategic move to boost profits, the botnets created using Emotet were subsequently offered for rent on the dark web, falling into the category of Malware-as-a-Service. These infrastructures were then leased to various other criminal entities, including the notorious Ryuk cybergang. In its later iterations, Emotet functioned as a dropper, facilitating the installation of additional malware such as TrickBot, Qbot, and Conti.

The primary danger posed by Emotet lies in its polymorphic nature. This characteristic allows the malware to alter its unique fingerprint—essentially the sequence of bytes that identifies it—by encrypting its code with each new infection. This adaptability complicates detection efforts, even for traditional antivirus solutions.

How does Emotet spread?

Initially, Emotet propagated through spam emails. Upon installation, it would scour the user’s Outlook contacts, targeting individuals classified as family, friends, or colleagues. The emails, often featuring the subject line “RE:” followed by the title of a previously received message, were crafted to appear legitimate. They typically contained a Word file that prompted users to enable macros, thereby executing the hidden code and facilitating further infection.

However, Emotet's spread has not relied on a single method. Reports indicate that it has also been disseminated via Excel files, local area networks (LANs), and emails carrying attachments such as Office documents (.doc, .docx, .xls, .xlsx) or password-protected .zip archives, often in combination with external programs. In Italy, for instance, malicious emails referencing the Ministry of Economic Development and exploiting themes like the coronavirus or the recent crisis in Ukraine have been documented.

Botnets from epochs 1, 2, and 3

The criminal organization behind Emotet does not distribute the Trojan from individual computers; rather, it employs botnets—a vast network of compromised devices connected to infrastructures controlled by criminals. These networks are categorized into epochs, which denote the malware distribution botnet and its associated physical network management. Epochs 1, 2, and 3 were particularly active until 2021, when a coordinated operation involving authorities from Germany, the Netherlands, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine, facilitated by Europol and Eurojust, successfully dismantled the supporting infrastructures of these criminal networks.

This operation rendered the Trojan ineffective within infected systems, effectively neutralizing its operational capabilities and leading to the arrest of numerous cybercriminals associated with these networks. Following this, Operation LadyBird utilized Emotet’s dropper functionality to deploy a module containing an automated uninstallation procedure to all compromised computers.

The Return of the Menace: Epochs 4 and 5

In November 2021, Emotet experienced a resurgence as cybercriminal groups began reconstructing the Trojan’s networks through new spam email campaigns, giving rise to Epochs 4 and 5. The distinguishing feature of these new botnets is the incorporation of a Cobalt Strike beacon, a tool used in cybersecurity to simulate criminal activity on networks. This beacon facilitates command execution, data exfiltration, privilege escalation, and lateral movement within the network.

In this latest iteration, the Emotet payload, once the beacon is installed, seeks out domain controllers and Active Directory credentials to facilitate rapid propagation across all computers in the network, thereby accelerating the reconstruction of botnets.

Practical advice and precautions

  • Stay informed about the latest information on the websites of major antivirus vendors;
  • Keep operating systems and software up to date to receive timely security patches that can bolster defenses against emerging vulnerabilities;
  • Utilize two-factor authentication;
  • Properly configure endpoint protection;
  • Educate employees about current email spam campaigns.

Network administrators may consider additional measures such as:

  • Blocking email attachments that cannot be scanned by antivirus, including password-protected archives and common malware file extensions;
  • Configuring email gateway-specific filters;
  • Disabling or restricting the use of PowerShell to System Administrators;
  • Implementing protection measures based on known attack vectors, as catalogued in the MITRE ATT&CK framework and recommended by the Italian CSIRT;
  • Blocking IP addresses frequently used by cybercriminals;
  • Disabling the execution of Office package macros;
  • Maintaining up-to-date, network-disconnected backups.
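The first two administrator measures above (blocking attachments that cannot be scanned, and filtering at the email gateway) can be expressed as a simple attachment policy. The following is an added example written for this article, not code from Red Hot Cyber or from any email gateway product: it parses a message, flags Office document attachments with the extensions named above plus their macro-enabled variants, and flags .zip attachments whose members carry the ZIP "encrypted" flag, since a password-protected archive cannot be opened by the antivirus scanner. The sample message and its attachments are constructed inline; the extension set, the sender/recipient addresses and the "quarantine for review" policy are assumptions made for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the article names as Emotet lure carriers, plus the macro-enabled
# Office variants. Treating all of them as "block by policy" is an assumption
# for this example; a real gateway would tune this list to its environment.
RISKY_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm"}


def zip_is_password_protected(data: bytes) -> bool:
    """Return True if any member has the 'encrypted' general-purpose bit (bit 0) set.

    An archive that does not parse at all is also reported as unscannable,
    because the scanner cannot inspect its contents either.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return True


def check_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every attachment the gateway should quarantine."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        payload = part.get_payload(decode=True) or b""
        if lower.endswith(".zip"):
            if zip_is_password_protected(payload):
                findings.append((name, "password-protected archive cannot be scanned"))
        elif any(lower.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append((name, "Office document attachment blocked by policy"))
    return findings


def make_zip(member_name: str, content: bytes, encrypted: bool = False) -> bytes:
    """Build a small ZIP archive in memory for the constructed sample message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        # Python's zipfile cannot write encrypted archives, so this sample simply
        # sets bit 0 of the flag field (offset 8) in the central directory entry,
        # which is the field infolist() reports. No real encryption takes place.
        cd = data.rfind(b"PK\x01\x02")
        data[cd + 8] |= 0x01
    return bytes(data)


def build_sample_message() -> bytes:
    """Construct a sample email (not a real capture) shaped like the lure described
    in the article: a 'RE:' subject, an Office attachment and a protected archive."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"      # constructed address
    msg["To"] = "recipient@example.com"        # constructed address
    msg["Subject"] = "RE: Invoice for March"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"not-a-real-document", maintype="application",
                       subtype="msword", filename="invoice.doc")
    msg.add_attachment(make_zip("report.xls", b"placeholder", encrypted=True),
                       maintype="application", subtype="zip", filename="report.zip")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in check_attachments(build_sample_message()):
        print(f"QUARANTINE {filename}: {reason}")
```

Running the block quarantines invoice.doc (policy extension) and report.zip (encrypted member) while letting notes.txt through. The check reads the central directory rather than attempting extraction, so it never executes or unpacks attachment content; in a real gateway the same function would sit behind the vendor's scanning hook and route flagged messages to a review queue.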

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
