BACK

Emotet revisited: pervasive threat still a danger to businesses

Emotet revisited: pervasive threat still a danger to businessesOne of the most common and pervasive threats for businesses today is Emotet, a banking Trojan turned downloader that has been on our list of top 10 detections for many months in a row. Emotet, which Malwarebytes detects as Trojan.Emotet, has been leveled at consumers and organizations across …

  • 14 Mar 2019
5 min read
Emotet revisited: pervasive threat still a danger to businesses
One of the most common and pervasive threats for businesses today is Emotet, a banking Trojan turned downloader that has been on our list of top 10 detections for many months in a row. Emotet, which Malwarebytes detects as Trojan.Emotet, has been leveled at consumers and organizations across the globe, fooling users into infecting endpoints through phishing emails, and then spreading laterally through networks using stolen NSA exploits. Its modular, polymorphic form, and ability to drop multiple, changing payloads have made Emotet a thorn in the side of cybersecurity researchers and IT teams alike. Emotet first appeared on the scene as a banking Trojan, but its effective combination of persistence and network propagation has turned it into a popular infection mechanism for other forms of malware, such as TrickBot and Ryuk ransomware. It has also earned a reputation as one of the hardest-to-remediate infections once it has infiltrated an organization’s network. Emotet GraphEmotet detections March 12, 2018 – February 23, 2019 In July 2018, the US Department of Homeland Security issued a Technical Alert through CISA (Cyber-Infrastructure) about Emotet, warning that: “Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.” From banking Trojan to botnet Emotet started out in 2014 as an information-stealing banking Trojan that scoured sensitive financial information from infected systems (which is the reason why Malwarebytes detects some components as Spyware.Emotet). However, over time Emotet and its business model evolved, switching from a singular threat leveled at specific targets to a botnet that distributes multiple malware payloads to industry verticals ranging from governments to schools. Emotet was designed to be modular, with each module having a designated task. One of its modules is a Trojan downloader that downloads and runs additional malware. At first, Emotet started delivering other banking Trojans on the side. However, its modular design made it easier for its authors—a group called Mealybug—to adapt the malware or swap functionality between variants. Later versions began dropping newer and more sophisticated payloads that held files for ransom, stole personally identifiable information (PII), spammed other users with phishing emails, and even cleaned out cryptocurrency wallets. All of these sidekicks were happy and eager to make use of the stubborn nature of this threat. Infection mechanism We have discussed some of the structure and flow of Emotet’s infection vectors in detail here and here by decoding an example. What most Emotet variants have in common is that the initial infection mechanism is malspam. At first, infections were initiated from Javascript files attached to emails; later, (and still true today) it was via infected Word documents that downloaded and executed the payload. A considerable portion of Emotet malspam is generated by the malware’s own spam module that sends out malicious emails to the contacts it finds
Source: Malware BytesPublished on 2019-03-14
Blog Details
  • 14 Mar 2019

Newest Articles.

View all

Get a Quote

Click below and we’ll send you a quote as soon as possible.

quote-form-pattern
  • This field is for validation purposes and should be left unchanged.

Contact Us

Click below and we’ll send you a quote as soon as possible.

quote-form-pattern
  • This field is for validation purposes and should be left unchanged.

Step 1 of 4 - Let’s get started

25%
  • Thanks for your interest in working with us. Please complete the details below and we’ll get back to you as soon as possible.

Buy Cyber Essentials

price-popup-pattern