Emotet
Cybercrime operation and malware strain. From Wikipedia, the free encyclopedia.
Emotet is a malware strain and a cybercrime operation believed to be based in Ukraine.[1] The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade.[2][3][4] In 2021, the servers used for Emotet were disrupted through global police action in Germany and Ukraine and brought under the control of law enforcement.[4] Despite this disruption, Emotet resurfaced in subsequent years with new capabilities, continuing to be regarded as one of the Internet’s most persistent and adaptable threats.[5][6]
The first versions of the Emotet malware functioned as a banking trojan aimed at stealing banking credentials from infected hosts. Throughout 2016 and 2017, the Emotet operators, sometimes known as Mealybug, updated the trojan and reconfigured it to work primarily as a "loader," a type of malware that gains access to a system and then allows its operators to download additional payloads.[7] Second-stage payloads can be any type of executable code, from Emotet's own modules to malware developed by other cybercrime gangs.
Initial infection of target systems often proceeds through a macro virus in an email attachment. The infected email is a legitimate-appearing reply to an earlier message that was sent by the victim.[8]
It has been widely documented that the Emotet authors have used the malware to create a botnet of infected computers to which they sell access in an infrastructure as a service (IaaS) model, referred to in the cybersecurity community as malware as a service (MaaS), cybercrime as a service (CaaS), or crimeware.[9] Emotet is known for renting access to infected computers to ransomware operations, such as the Ryuk gang.[10]
History
In 2014, Emotet was first identified as a banking trojan designed to steal banking credentials from infected hosts. Within a year or two, the malware evolved into a more versatile and dangerous threat. It transformed into a loader, allowing operators to download additional malicious payloads onto infected systems, such as the TrickBot banking trojan and Ryuk ransomware.[5]
As of September 2019, the Emotet operation ran on top of three separate botnets called Epoch 1, Epoch 2, and Epoch 3.[11]
In mid-2020, Emotet re-emerged after a brief hiatus, launching widespread malspam campaigns targeting organizations globally. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported over 16,000 Emotet-related alerts across federal networks between July and October.[5] Emotet leveraged advanced evasion techniques, including polymorphic code, fileless persistence via PowerShell, lateral movement via nearby Wi-Fi networks, and email thread hijacking to increase the success of phishing attacks.[5] Campaigns often used malicious Microsoft Word documents with filenames like "form.doc" or "invoice.doc" to deliver the initial payload via PowerShell scripts.[12] Later in the year, Emotet operators also used parked domains to distribute malicious code.[13]
In January 2021, international action coordinated by Europol and Eurojust allowed investigators to take control of and disrupt the Emotet infrastructure.[14] The reported action was accompanied by arrests made in Ukraine.[15]
On 14 November 2021, new Emotet samples emerged that were very similar to the previous bot code, but with a different encryption scheme that used elliptic curve cryptography for command and control communications.[16] The new Emotet infections were delivered via TrickBot to computers that were previously infected with TrickBot, and soon began sending malicious spam email messages with macro-laden Microsoft Word and Excel files as payloads.[17]
On 3 November 2022, new Emotet samples emerged, distributed as XLS files attached to email messages.[18][self-published source]
In March 2023, Emotet resurfaced after a four-month hiatus with a new spam campaign. Emails spoofed known contacts, addressed recipients by name, and mimicked prior threads. Attached Word documents were inflated to over 500 MB using binary padding and included hidden Moby-Dick excerpts to evade detection. If macros were enabled, the document downloaded a ZIP file from a compromised site and executed a large DLL. The malware harvested credentials, sent spam, and installed secondary payloads such as TrickBot or Ryuk. Targets included organizations in Europe, Asia-Pacific, and Latin America.[6]
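The inflated documents used in this campaign can be screened with a simple size-and-padding heuristic. The following Python is an added example, not code from the article or from any analysis it cites; it assumes the padding is a long run of one repeated byte value appended after the real document content, and the sample files it checks are constructed inline.

```python
# Added example: heuristic screen for Office documents inflated with binary
# padding. Assumption (not from the article): the padding is a long run of a
# single repeated byte appended after the real document content.
from dataclasses import dataclass
from typing import Optional, Tuple

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
OOXML_MAGIC = b"PK\x03\x04"                        # .docx/.xlsm are ZIP archives

@dataclass
class PaddingVerdict:
    size: int
    office_format: bool
    pad_byte: Optional[int]   # byte value of the trailing run, None if empty
    pad_length: int           # length of that run
    pad_ratio: float          # share of the file taken up by the run
    suspicious: bool

def looks_like_office(data: bytes) -> bool:
    """True if the file starts with an OLE2 or OOXML (ZIP) signature."""
    return data.startswith(OLE2_MAGIC) or data.startswith(OOXML_MAGIC)

def trailing_run(data: bytes) -> Tuple[Optional[int], int]:
    """Return (byte value, length) of the run of identical bytes at the end."""
    if not data:
        return None, 0
    last = data[-1]
    # bytes.rstrip runs in C, so this stays fast even for 500 MB inputs.
    return last, len(data) - len(data.rstrip(bytes([last])))

def assess_padding(data: bytes, size_threshold: int = 500 * 1024 * 1024,
                   min_ratio: float = 0.9) -> PaddingVerdict:
    """Flag Office files above size_threshold whose tail is mostly one byte.
    500 MB is the article's figure for the 2023 campaign; min_ratio is illustrative."""
    office = looks_like_office(data)
    pad_byte, run = trailing_run(data)
    ratio = run / len(data) if data else 0.0
    suspicious = office and len(data) > size_threshold and ratio >= min_ratio
    return PaddingVerdict(len(data), office, pad_byte, run, ratio, suspicious)

# Constructed samples: a tiny fake .doc followed by 4 KiB of null padding, and a
# larger body with only the few trailing zeros a genuine file might end with.
BODY = b"constructed fake document body"
SAMPLE_PADDED = OLE2_MAGIC + BODY + b"\x00" * 4096
SAMPLE_CLEAN = OLE2_MAGIC + BODY * 100 + b"\x00" * 16

if __name__ == "__main__":
    # A 1 KiB threshold stands in for 500 MB so the samples stay small.
    for name, blob in (("padded", SAMPLE_PADDED), ("clean", SAMPLE_CLEAN)):
        print(name, assess_padding(blob, size_threshold=1024))
```

The ratio check keeps legitimately large documents with little trailing padding from being flagged; a file that is mostly one repeated byte but carries no Office signature is reported but not marked suspicious.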
In late 2023, Microsoft and the U.S. National Institute of Standards and Technology (NIST) reported that attackers were using a Windows vulnerability to distribute malware, including Emotet. The technique involved phishing emails with malicious attachments that leveraged a Windows feature known as the App Installer. To reduce the risk of exploitation, Microsoft updated the software to disable the affected functionality by default.[19]
Noteworthy infections
- Allentown, Pennsylvania, city in the United States (2018)[20][21]
- Heise Online, publishing house based in Hanover, Germany (2019)[8]
- Kammergericht Berlin, the highest court of the state of Berlin, Germany (2019)[22][23]
- Humboldt University of Berlin, university in Berlin, Germany (2019)[24]
- Universität Gießen, university in Germany (2019)[25]
- Department of Justice of the province of Quebec (2020)[26]
- Lithuanian government (2020)[27]
- Democratic National Committee, political organization in the United States (2020)[5]
- Government entities in France, Japan, and New Zealand (2020)[5]