Emotet, which security researchers attribute to the threat actor tracked under the names Mummy Spider, TA542 and Mealybug, first emerged in 2014 as a banking trojan that intercepted network traffic to steal credentials. Over time it was commercialized as an advanced malware loader offered to other criminal groups. In addition to selling malware delivery, Emotet's operators have commoditized infected systems as a botnet on the dark web, used to deploy other malware, to act as proxy servers for cybercrime, and to launch Distributed Denial of Service (DDoS) attacks.
January 2021 Law Enforcement Disruption
Emotet resurfaced in early 2020 but was disrupted in January 2021 through a coordinated international campaign led by Europol and Eurojust, involving Dutch, German, French, Lithuanian, Canadian, UK, U.S. and Ukrainian law enforcement and judicial bodies.1 The authorities took control of Emotet's infrastructure and carried out a mass uninstallation of the malware by pushing a law-enforcement-controlled killswitch update to infected hosts. Ukrainian authorities also arrested two individuals believed to be responsible for the malware's and the botnet's infrastructure.
Prior to the January 2021 takedown, Emotet was considered one of the "most widely distributed and actively developed malware families." Security researchers regularly listed Emotet as the top threat in their monthly and annual threat indices.2
October – November 2021 Uptick in Activities
In October 2021, Emotet resurfaced once again, this time delivered through the Trickbot botnet. Security researchers observed Trickbot downloading dynamic link libraries (DLLs) identified as Emotet, although they noted that the new Emotet was not yet redistributing itself or sending spam and was instead relying on Trickbot for further injection.3 Researchers also observed overlap in code and technique between the old and new Emotet variants, suggesting that the operators are rebuilding the malware toward its previous notoriety. As of November 16, 2021, Bleeping Computer reported that more than 246 infected devices were acting as command and control (C2) servers for Emotet, signaling rapid growth of an infrastructure that can be leveraged for upcoming ransomware attacks.4
However, some security reports indicate that "the only real difference is Emotet post-infection C2 is now encrypted HTTPS instead of unencrypted HTTP."5 In addition, recent open-source reporting indicates that the new variant's command set has grown to seven commands, whereas the previous Emotet variant used between three and four.6
Variant Characteristics and Functions
Emotet has historically been polymorphic malware: each infection produces a modified copy of the binary, which defeats typical signature-based detection. The malware spreads primarily through spam and phishing emails carrying malicious attachments or embedded links.
Attachments in Emotet spam are often XML or PDF files or macro-enabled Microsoft Word documents. Once the document is opened, the user is prompted to "Enable Content," which allows the malicious macros to run and install the malware on the endpoint. Emotet also uses lure templates claiming the document was created on iOS and that "Enable Content" is the only way to display its contents. Once Emotet infects a host, it persists via auto-start registry keys and services.
Emotet campaigns are typically disguised as legitimate corporate communications, purporting to come from internal payroll departments, banks and/or professional services companies. Emails are sent from spoofed or hijacked accounts with subject lines such as "Invoice," "Purchase Order," and "Notice."
In 2020, Emotet was used by threat actors in large-scale COVID-19 related campaigns using emails containing malicious Word documents and fake health guidance.
In November 2021, the security researcher group @Cryptolaemus tweeted that they had observed upgraded Emotet bots sending emails with Microsoft Word (.docm), Microsoft Excel (.xlsm) and password-protected .zip attachments.8 The SANS Institute added that the emails distributing these attachments were spoofed replies that reused data from stolen email chains, likely retrieved from previously infected Windows hosts.
Joint Campaigns with Other Variants
Emotet has primarily been a loader for other malware families. It is known to have been used in joint attack campaigns with the banking trojan Trickbot, which can harvest valuable assets from a network and open a reverse shell for the operators of Ryuk and Conti ransomware. It has also been used as a loader for Qbot, specifically in COVID-19 malspam campaigns targeting companies in the U.S., and for ZLoader, which is believed to derive from the ZeuS banking malware family.
Following the January 2021 disruption of Emotet, threat actors appear to have turned primarily to Trickbot, which has recently been observed to install Emotet on previously infected systems.
Indicators of Compromise
The following indicators of compromise (IOCs) for Emotet were identified through open sources. The list below is not exhaustive and represents recent IOCs observed by security researchers:9 10 11
12 The above hyperlinks related to the IOCs have been modified to prevent the display of certain objectionable content that was identified in the address string. Aon recommends that users exercise caution before clicking on any hyperlink and before viewing any material through these or any third party sources as the content/information is neither controlled nor published by Aon.
Prevention and Mitigation
Due to Emotet's historic association with ransomware groups such as Ryuk and Conti, and its modular design that lets operators change its capabilities, some national authorities consider it as dangerous as the ransomware groups themselves.
Aon's Cyber Solutions and organizations such as CISA suggest the following best practices, which organizations can adopt to help mitigate the risks posed by Emotet and Trickbot:
- Scan for and remove suspicious email attachments. Check that each scanned attachment is its "true file type," i.e., that the extension matches the file header (magic bytes) rather than trusting the file name.
- Block email attachments commonly associated with malware (e.g., .dll and .exe) and files that cannot be scanned by antivirus software, such as password-protected .zip files.
- Implement Domain-based Message Authentication, Reporting and Conformance (DMARC) validation, which builds on SPF and DKIM to reject mail that spoofs your domains.
- Segment and segregate networks and functions.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Disable unnecessary or inactive services on workstations and servers. Enable a firewall on workstations and configure to deny unsolicited connection requests.
- Regularly update and patch software and ensure viable data backups are accessible.
- Use filters that stop known files associated with Trickbot and Emotet from reaching users’ inboxes and use application whitelisting whereby only known programs are allowed to run.
- If a Trickbot or Emotet-infected endpoint is identified, quarantine the affected system to prevent the spread of the malware across the network, especially given its historical ability to evade anti-malware and anti-virus safeguards.
- If impacted, conduct a forensic investigation internally or through a partner service to ensure no other computers have been infected.
- To help prevent and/or mitigate human error, train employees to recognize spam emails: reading email headers, spotting errors or other red flags in the message, and escalating suspicious mail to the IT or security team for review. In particular, individuals should be wary of attachments or embedded links from unknown senders whose messages create urgency or promise exaggerated rewards.
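The "true file type" check, the block on executables and password-protected archives, and the macro-enabled (.docm/.xlsm) attachments described above can be combined into a single attachment triage step at the mail gateway. The following Python is an added example and is not code from Aon or from any of the cited sources: it identifies the container by its leading bytes, compares that with the declared extension, and for ZIP-based files (including Office Open XML documents) checks for the encrypted-entry flag and for an embedded VBA project. The signature table and the sample attachments are constructed here for illustration.

```python
"""Attachment triage: true-file-type, executable, encrypted-archive and macro checks.

Added example (not from the original article). Signature table and sample
attachments are constructed here for illustration.
"""
import io
import zipfile

# Leading-byte signatures and the extensions that legitimately carry each one.
SIGNATURES = [
    ("PDF",           b"%PDF-",                            {"pdf"}),
    ("OLE2 Office",   b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msg"}),
    ("ZIP container", b"PK\x03\x04",                       {"zip", "docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}),
    ("PE executable", b"MZ",                               {"exe", "dll", "scr"}),
    ("XML",           b"<?xml",                            {"xml"}),
]
BLOCKED_EXTENSIONS = {"exe", "dll", "scr"}
# Office Open XML stores VBA in these parts; their presence means the document
# carries macros regardless of what the extension claims.
MACRO_ENTRIES = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def true_type(data: bytes):
    """Identify the container from its header, ignoring the file name entirely."""
    for name, magic, exts in SIGNATURES:
        if data.startswith(magic):
            return name, exts
    return "unknown", set()


def zip_findings(data: bytes):
    """Return (has_encrypted_entry, has_vba_project) for a ZIP-based attachment."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return True, False  # unreadable container: treat as unscannable
    # General-purpose flag bit 0 marks an encrypted (password-protected) entry.
    encrypted = any(info.flag_bits & 0x1 for info in zf.infolist())
    return encrypted, bool(set(zf.namelist()) & MACRO_ENTRIES)


def triage(filename: str, data: bytes) -> dict:
    """Decide whether an attachment should be blocked, and list every reason."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind, allowed_exts = true_type(data)
    reasons = []
    if ext in BLOCKED_EXTENSIONS or kind == "PE executable":
        reasons.append("executable content")
    if kind != "unknown" and ext not in allowed_exts:
        reasons.append(f"declared .{ext} does not match header ({kind})")
    if kind == "ZIP container":
        encrypted, macros = zip_findings(data)
        if encrypted:
            reasons.append("password-protected archive cannot be scanned")
        if macros:
            reasons.append("macro-enabled Office document")
    return {"filename": filename, "true_type": kind, "block": bool(reasons), "reasons": reasons}


# --- Constructed samples (stand-ins, not real malware) ---------------------
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60          # PE stub renamed to look like a PDF
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\n"


def make_ooxml(part_dir: str, with_macro: bool) -> bytes:
    """Minimal stand-in for a .docx/.docm (part_dir='word') or .xlsx/.xlsm (part_dir='xl')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{part_dir}/document.xml", "<root/>")
        if with_macro:
            zf.writestr(f"{part_dir}/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake vba")
    return buf.getvalue()


def make_encrypted_zip(name: str, payload: bytes) -> bytes:
    """Build a ZIP and set the 'encrypted' flag bit in both the local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    data[6] |= 0x1                       # local file header: flags at offset 6
    cd = data.find(b"PK\x01\x02")
    data[cd + 8] |= 0x1                  # central directory header: flags at offset 8
    return bytes(data)


if __name__ == "__main__":
    samples = [
        ("invoice.pdf", SAMPLE_PE),
        ("report.pdf", SAMPLE_PDF),
        ("order.docm", make_ooxml("word", with_macro=True)),
        ("order.docx", make_ooxml("word", with_macro=True)),   # macros hidden behind a .docx name
        ("statement.xlsm", make_ooxml("xl", with_macro=True)),
        ("scan.zip", make_encrypted_zip("scan.exe", SAMPLE_PE)),
    ]
    for fn, blob in samples:
        r = triage(fn, blob)
        print(f"{fn:16} {r['true_type']:14} block={r['block']} {r['reasons']}")
```

Note that a ZIP whose entries are encrypted can still be parsed far enough to read its central directory, so the flag check costs nothing and does not require the password; the same container walk is what identifies the VBA part, so a .docm renamed to .docx is still flagged.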
- Ana Pereu, Senior Consultant, Intelligence Group
- Catarina Kim, Managing Director/Practice Leader, Intelligence Group