Jump to content

Emotet

From Wikipedia, the free encyclopedia

Emotet is a malware strain and a cybercrime operation believed to be based in Ukraine.[1] The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade.[2][3][4] In 2021, the servers used for Emotet were disrupted through global police action in Germany and Ukraine and brought under the control of law enforcement.[4] Despite this disruption, Emotet resurfaced in subsequent years with new capabilities, continuing to be regarded as one of the Internet’s most persistent and adaptable threats.[5][6]

First versions of the Emotet malware functioned as a banking trojan aimed at stealing banking credentials from infected hosts. Throughout 2016 and 2017, Emotet operators, sometimes known as Mealybug, updated the trojan and reconfigured it to work primarily as a "loader," a type of malware that gains access to a system, and then allows its operators to download additional payloads.[7] Second-stage payloads can be any type of executable code, from Emotet's own modules to malware developed by other cybercrime gangs.

Initial infection of target systems often proceeds through a macro virus in an email attachment. The infected email is a legitimate-appearing reply to an earlier message that was sent by the victim.[8]

It has been widely documented that the Emotet authors have used the malware to create a botnet of infected computers to which they sell access in an Infrastructure-as-a-Service (IaaS) model, referred in the cybersecurity community as MaaS (Malware-as-a-Service), Cybercrime-as-a-Service (CaaS), or Crimeware.[9] Emotet is known for renting access to infected computers to ransomware operations, such as the Ryuk gang.[10]

History

[edit]

In 2014, Emotet was first identified as a banking Trojan designed to steal banking credentials from infected hosts. Within a year or two, the malware evolved into a more versatile and dangerous threat. It transformed into a loader, allowing operators to download additional malicious payloads onto infected systems, such as the TrickBot banking trojan and Ryuk ransomware.[5]

As of September 2019, the Emotet operation ran on top of three separate botnets called Epoch 1, Epoch 2, and Epoch 3.[11]

In mid-2020, Emotet re-emerged after a brief hiatus, launching widespread malspam campaigns targeting organizations globally. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported over 16,000 Emotet-related alerts across federal networks between July and October.[5] Emotet leveraged advanced evasion techniques, including polymorphic code, fileless persistence via PowerShell, lateral movement via nearby Wi-Fi networks, and email thread hijacking to increase the success of phishing attacks.[5] Campaigns often used malicious Microsoft Word documents with filenames like "form.doc" or "invoice.doc" to deliver the initial payload via PowerShell scripts.[12] Later in the year, Emotet operators also used parked domains to distribute malicious code.[13]

In January 2021, international action coordinated by Europol and Eurojust allowed investigators to take control of and disrupt the Emotet infrastructure.[14] The reported action was accompanied with arrests made in Ukraine.[15]

On 14 November 2021, new Emotet samples emerged that were very similar to the previous bot code, but with a different encryption scheme that used elliptic curve cryptography for command and control communications.[16] The new Emotet infections were delivered via TrickBot, to computers that were previously infected with TrickBot, and soon began sending malicious spam email messages with macro-laden Microsoft Word and Excel files as payloads.[17]

On 3 November 2022, new samples of Emotet emerged attached as a part of XLS files attached within email messages.[18][self-published source]

In March 2023, Emotet resurfaced after a four-month hiatus with a new spam campaign. Emails spoofed known contacts, addressed recipients by name, and mimicked prior threads. Attached Word documents were inflated to over 500MB using binary padding and included hidden Moby-Dick excerpts to evade detection. If macros were enabled, the document downloaded a ZIP file from a compromised site and executed a large DLL. The malware harvested credentials, sent spam, and installed secondary payloads such as TrickBot or Ryuk. Targets included organizations in Europe, Asia-Pacific, and Latin America.[6]

In late 2023, Microsoft and the U.S. National Institute of Standards and Technology (NIST) reported that attackers were using a Windows vulnerability to distribute malware, including Emotet. The technique involved phishing emails with malicious attachments that leveraged a Windows feature known as the App Installer. To reduce the risk of exploitation, Microsoft updated the software to disable the affected functionality by default.[19]

Noteworthy infections

[edit]

References

[edit]
  1. ^ Ikeda, Scott (August 28, 2020). "Emotet Malware Taken Down By Global Law Enforcement". Cpomagazine. Retrieved May 1, 2021.
  2. ^ "Emotet's Malpedia entry". Malpedia. January 3, 2020.
  3. ^ Ilascu, Ionut (December 24, 2019). "Emotet Reigns in Sandbox's Top Malware Threats of 2019". Bleeping Computer.
  4. ^ a b European Union Agency for Criminal Justice Cooperation (January 27, 2021). "World's most dangerous malware EMOTET disrupted through global action". Eurojust.
  5. ^ a b c d e f "DHS warns that Emotet malware is one of the most prevalent threats today". Ars Technica. October 7, 2020. Retrieved April 17, 2025.
  6. ^ a b "Botnet that knows your name and quotes your email is back with new tricks". Ars Technica. March 13, 2023. Retrieved April 18, 2025.
  7. ^ Christiaan Beek (December 6, 2017). "Emotet Downloader Trojan Returns in Force". McAfee.
  8. ^ a b Schmidt, Jürgen (June 6, 2019). "Trojaner-Befall: Emotet bei Heise" (in German). Heise Online. Retrieved November 10, 2019.
  9. ^ Brandt, Andrew (December 2, 2019). "Emotet's Central Position in the Malware Ecosystem". Sophos. Retrieved September 19, 2019.
  10. ^ "North Korean APT(?) and recent Ryuk Ransomware attacks". Kryptos Logic. January 10, 2019.
  11. ^ Cimpanu, Catalin (September 16, 2019). "Emotet, today's most dangerous botnet, comes back to life". ZDnet. Retrieved September 19, 2019.
  12. ^ "July 2020's Most Wanted Malware: Emotet Strikes Again After Five-Month Absence" (Press release). August 7, 2020.
  13. ^ "Emotet uses parked domains to distribute payloads". How To Fix Guide. October 30, 2020. Retrieved January 27, 2021.
  14. ^ "World's most dangerous malware EMOTET disrupted through global action". Europol. Retrieved January 27, 2021.
  15. ^ Cimpanu, Catalin, Authorities plan to mass-uninstall Emotet from infected hosts on March 25, 2021, zdnet, January 27, 2021
  16. ^ "Emotet botnet returns after law enforcement mass-uninstall operation". The Records. November 15, 2021. Retrieved November 20, 2021.
  17. ^ "Emotet Returns". SANS Internet Storm Center. Retrieved November 20, 2021.
  18. ^ "Cryptolaemus (@Cryptolaemus1)". Twitter. Retrieved November 7, 2022.
  19. ^ "Vulnerability Change Records for CVE-2021-43890". U.S. National Institute of Standards and Technology (NIST). May 29, 2024. Retrieved April 18, 2025.
  20. ^ "Malware infection poised to cost $1 million to Allentown, Pa". washingtontimes.com. The Washington Times. Retrieved November 12, 2019.
  21. ^ "Emotet malware gang is mass-harvesting millions of email in mysterious campaign". ZDNet. Retrieved November 12, 2019.
  22. ^ "Emotet: Trojaner-Angriff auf Berliner Kammergericht". Der Spiegel (in German). October 4, 2019. Retrieved November 12, 2019.
  23. ^ "Emotet: Wie ein Trojaner das höchste Gericht Berlins lahmlegte". faz.net (in German). Frankfurter Allgemeine Zeitung. Retrieved November 12, 2019.
  24. ^ "Trojaner greift Netzwerk von Humboldt-Universität an". dpa (in German). Heise Online. November 9, 2019. Retrieved November 10, 2019.
  25. ^ "Trojaner-Befall: Uni Gießen nutzt Desinfec't für Aufräumarbeiten" (in German). Heise Online. December 19, 2019. Retrieved December 22, 2019.
  26. ^ Joncas, Hugo (September 12, 2020). "Les pirates informatiques ont pu voler tous les courriels". Le Journal de Montréal. Retrieved January 27, 2021.
  27. ^ "Several institutions affected by email virus in Lithuania – center". baltictimes.com. Retrieved January 27, 2021.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Emotet&oldid=1286207677"