Emotet is a pervasive and modular credential theft trojan which has historically been leveraged by threat actors in order to collect usernames and passwords for various financial institutions. However, beginning in late 2017 Emotet ceased to operate as a traditional credential theft trojan and began operating exclusively as a downloader. In its current role, Emotet is used to download a variety of secondary payloads including (but not limited to) Trickbot, Dridex, Qakbot, Ursnif, Smoke Loader, and IcedID.
Emotet is often used for widespread phishing and spear phishing campaigns. While its targeting is often very broad, Emotet has begun to run more targeted campaigns as well.
Emotet is almost always delivered through widespread or targeted phishing campaigns. These campaigns often include either an attachment, or a link to an attachment. These attachments are typically malicious macro-enabled Microsoft Office documents (often referred to simply as ‘maldocs’), which download the initial Emotet payload (Stage 1).
The Emotet malware frequently begins its installation by first choosing a file path based on specific system characteristics; the result is a file path (including the filename) composed of a concatenation of two strings drawn from a hard-coded list in the malware, stored under %APPDATA% or %LOCAL_APPDATA%. Emotet further conceals itself by removing the Zone.Identifier alternate data stream (ADS), which is typically added to files to mark that they were downloaded from an untrusted source (e.g. the Internet).
The Emotet malware often achieves persistence through the use of the Startup folder as defined by the %CSIDL_STARTUP% variable. Emotet will insert a weaponized LNK file into this folder linking to the actual payload.
The malware itself features a number of modules which are not written to disk, but instead are loaded directly into memory from remote, hard-coded, command and control (C2) servers. These modules expand the functionality of Emotet, and include:
Mail Password Viewer
- The Mail Password Viewer is a module which loads a version of Mail PassView, allowing the threat actor to collect stored credentials, outputting them into a comma-separated value list for later data exfiltration.
Web Browser Password Viewer
- The Web Browser Password Viewer is a module which loads a version of Web Browser PassView. This module targets a number of browser types and attempts to collect stored credentials. Browsers targeted by this module include:
- Internet Explorer / Edge
- Firefox
- Chrome / Chromium
- Yandex Browser
Outlook Email Details Password Viewer
- The Outlook Email Details Password Viewer module is very similar to the Mail Password Viewer, except the details are not directly output into a comma-separated value list. Additionally, the module appears to attempt to scrape additional data from unread emails in PST files.
Network Spreader
- The Network Spreader module allows for lateral movement. This module works through attempted brute forcing of administrator credentials using a predefined list which may have been derived from the publicly available “Top 1000” password list.
Spammer
- The Spammer module allows an infected host to act as a distribution mechanism for further infections using malicious Unsolicited Bulk Email (UBE). This module is typically only delivered after an infection has persisted for a significant period of time, and typically only after the threat actors have validated that it is not blocked by existing anti-spam services.
Proxy
- The Proxy module, which was first identified in 2018, attempts to configure the infected system as an Internet-accessible proxy. If the device does not have an externally routable IP address, the Emotet module will attempt to reconfigure the router/firewall in front of the device with a rule utilizing Universal Plug and Play (UPnP) to make the device Internet-accessible.
Threat Update – Sept 2022
Emotet Threat Summary
Additional hunt packages have been released pertaining to Emotet, stemming from the DFIR report released on September 12, 2022 (Dead or Alive? An Emotet Story). One package focuses on the identification of ADFind.exe being abused to stage data before potential exfiltration. Another package focuses on excessive processes being executed, which is observed as multiple process injections into svchost.exe followed by discovery commands. Also included is a package highlighting the identification of arguments associated with malicious Rclone activity used to exfiltrate data. Furthermore, a new package centering on the observed malicious installation of the AteraAgent is also included in the collection; it covers the agent being abused by attackers to gain interactive remote access.
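As an added illustration of the hunts this collection describes (not code from the DFIR report or from the hunt packages themselves), the following Python rules flag ADFind.exe execution, rclone transfer commands, and bursts of discovery commands spawned by svchost.exe, run over constructed process-creation events. The discovery-command list, the sample command lines and the five-commands-in-five-minutes threshold are assumptions, not values taken from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of built-in discovery commands; the report above does not list them.
DISCOVERY = {"net.exe", "net1.exe", "nltest.exe", "ipconfig.exe", "whoami.exe",
             "systeminfo.exe", "tasklist.exe", "arp.exe", "route.exe"}
# Real rclone subcommands that transfer data; the exact arguments observed are not stated.
RCLONE_TRANSFER_VERBS = {"copy", "copyto", "sync", "move"}

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events, burst_threshold=5, window=timedelta(minutes=5)):
    """Return (host, rule, detail) tuples for the three hunts described above."""
    findings, svchost_children = [], defaultdict(list)
    for ev in events:
        image, parent = _basename(ev["image"]), _basename(ev["parent"])
        if image == "adfind.exe":
            findings.append((ev["host"], "adfind_execution", ev["cmdline"]))
        if image == "rclone.exe" and RCLONE_TRANSFER_VERBS & set(ev["cmdline"].lower().split()):
            findings.append((ev["host"], "rclone_transfer", ev["cmdline"]))
        if parent == "svchost.exe" and image in DISCOVERY:
            svchost_children[ev["host"]].append(ev["time"])
    # Sliding window: burst_threshold or more discovery children of svchost.exe within `window`.
    for host, times in svchost_children.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= burst_threshold:
                findings.append((host, "svchost_discovery_burst", f"{n} discovery commands within {window}"))
                break
    return findings

def _ev(host, minute, parent, image, cmdline):
    return {"host": host, "time": datetime(2022, 9, 12, 10, minute),
            "parent": parent, "image": image, "cmdline": cmdline}

SYS, SVC = r"C:\Windows\System32", r"C:\Windows\System32\svchost.exe"
# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    _ev("ws01", 1, SVC, SYS + r"\net.exe", "net view /all"),
    _ev("ws01", 1, SVC, SYS + r"\nltest.exe", "nltest /dclist:"),
    _ev("ws01", 2, SVC, SYS + r"\ipconfig.exe", "ipconfig /all"),
    _ev("ws01", 2, SVC, SYS + r"\whoami.exe", "whoami"),
    _ev("ws01", 3, SVC, SYS + r"\systeminfo.exe", "systeminfo"),
    _ev("ws01", 7, SYS + r"\cmd.exe", r"C:\Users\Public\AdFind.exe", "AdFind.exe -f objectcategory=computer"),
    _ev("ws01", 9, SYS + r"\cmd.exe", r"C:\Users\Public\rclone.exe", r"rclone.exe copy C:\Share remote:bucket"),
    _ev("ws02", 4, SVC, SYS + r"\ipconfig.exe", "ipconfig /all"),  # a lone command is not a burst
]
```

Calling `hunt(SAMPLE_EVENTS)` yields three findings, all for ws01; raising `burst_threshold` to 6 drops the burst finding while the ADFind and rclone hits remain.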