Emotet

Cybercrime operation and malware strain

Emotet is a malware strain and a cybercrime operation believed to be based in Ukraine.^[1] The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade.^[2]^[3]^[4] In 2021, the servers used for Emotet were disrupted through global police action in Germany and Ukraine and brought under the control of law enforcement.^[4]

First versions of the Emotet malware functioned as a banking trojan aimed at stealing banking credentials from infected hosts. Throughout 2016 and 2017, Emotet operators, sometimes known as Mealybug, updated the trojan and reconfigured it to work primarily as a "loader," a type of malware that gains access to a system, and then allows its operators to download additional payloads.^[5] Second-stage payloads can be any type of executable code, from Emotet's own modules to malware developed by other cybercrime gangs.

Initial infection of target systems often proceeds through a macro virus in an email attachment. The infected email is a legitimate-appearing reply to an earlier message that was sent by the victim.^[6]

It has been widely documented that the Emotet authors have used the malware to create a botnet of infected computers to which they sell access in an Infrastructure-as-a-Service (IaaS) model, referred in the cybersecurity community as MaaS (Malware-as-a-Service), Cybercrime-as-a-Service (CaaS), or Crimeware.^[7] Emotet is known for renting access to infected computers to ransomware operations, such as the Ryuk gang.^[8]

As of September 2019, the Emotet operation ran on top of three separate botnets called Epoch 1, Epoch 2, and Epoch 3.^[9]

In July 2020, Emotet campaigns were detected globally, infecting its victims with TrickBot and Qbot, which are used to steal banking credentials and spread inside networks. Some of the malspam campaigns contained malicious documents with names such as "form.doc" or "invoice.doc". According to security researchers, the malicious document launches a PowerShell script to pull the Emotet payload from malicious websites and infected machines.^[10]

In November 2020, Emotet used parked domains to distribute payloads.^[11]

In January 2021, international action coordinated by Europol and Eurojust allowed investigators to take control of and disrupt the Emotet infrastructure.^[12] The reported action was accompanied with arrests made in Ukraine.^[13]

On 14 November 2021, new Emotet samples emerged that were very similar to the previous bot code, but with a different encryption scheme that used elliptic curve cryptography for command and control communications.^[14] The new Emotet infections were delivered via TrickBot, to computers that were previously infected with TrickBot, and soon began sending malicious spam email messages with macro-laden Microsoft Word and Excel files as payloads.^[15]

On 3 November 2022, new samples of Emotet emerged attached as a part of XLS files attached within email messages.^[16]^{[self-published source]}

Characteristics of Emotet

Distribution Method:

Emotet is typically spread via malicious email attachments or links, often disguised as invoices, payment notifications, or other business-related documents.
It leverages techniques like social engineering to trick victims into opening the email and enabling macros in the document, which then installs the malware.

Modular Structure:

Emotet acts as a delivery vehicle for other malware, often used in multi-stage attacks.
After infecting a machine, Emotet can download additional payloads, including trojans, ransomware, or data stealers.

Propagation Mechanisms:

Emotet has worm-like capabilities, allowing it to spread within a network by brute-forcing credentials or exploiting vulnerabilities.
Once inside a network, it can compromise multiple machines, significantly increasing the damage potential.

Resilience and Evasion:

It uses obfuscation techniques and regular updates to avoid detection by traditional antivirus software.
Emotet also employs Command and Control (C2) infrastructure, allowing attackers to remotely control infected systems and update the malware.

Impact and Damage:

The presence of Emotet can lead to financial theft, data breaches, ransomware infections, and disruption of IT systems, particularly in businesses and governmental organizations.^[17]

Emotet's Techniques Based on MITRE ATT&CK

According to MITRE's ATT&CK Framework, Emotet employs a variety of techniques across different stages of an attack. These techniques are part of the MITRE ATT&CK matrix, which helps categorize the tactics used by malware to achieve various objectives such as initial access, persistence, and lateral movement.^[18]

Tactic	Technique	Technique ID	Description
Initial Access	Phishing	T1566	Emotet often arrives via malicious emails containing attachments or links.
Execution	User Execution: Malicious Document	T1204.002	Requires the user to enable macros in malicious documents, typically in Microsoft Office formats.
Persistence	Registry Run Keys / Startup Folder	T1547.001	Emotet adds itself to the Windows startup folder or registry to maintain persistence.
Privilege Escalation	Exploitation of Vulnerability	T1068	Exploits known software vulnerabilities to gain higher-level privileges.
Defense Evasion	Obfuscated Files or Information	T1027	Uses obfuscation techniques to avoid detection by security tools.
Credential Access	Brute Force	T1110	Emotet attempts to brute-force passwords to gain unauthorized access to systems.
Discovery	Network Share Discovery	T1135	Emotet looks for network shares it can use to spread within an environment.
Lateral Movement	Remote Services: SMB/Windows Admin Shares	T1021.002	Uses administrative shares and SMB to move laterally across a network.
Command and Control	Application Layer Protocol: Web Protocols	T1071.001	Uses HTTP/HTTPS for communication with command and control (C2) servers.
Exfiltration	Automated Exfiltration	T1020	Emotet can automatically exfiltrate data from infected systems.

Noteworthy infections

Allentown, Pennsylvania, city located in Pennsylvania, United States (2018)^[19]^[20]
Heise Online, publishing house based in Hanover, Germany (2019)^[6]
Kammergericht Berlin, the highest court of the state of Berlin, Germany (2019)^[21]^[22]
Humboldt University of Berlin, university in Berlin, Germany (2019)^[23]
Universität Gießen, university in Germany (2019)^[24]
Department of Justice of the province of Quebec (2020)^[25]
Lithuanian government (2020)^[26]

References

^ Ikeda, Scott (August 28, 2020). "Emotet Malware Taken Down By Global Law Enforcement". Cpomagazine. Retrieved May 1, 2021.
^ "Emotet's Malpedia entry". Malpedia. January 3, 2020.
^ Ilascu, Ionut (December 24, 2019). "Emotet Reigns in Sandbox's Top Malware Threats of 2019". Bleeping Computer.
^ ^a ^b European Union Agency for Criminal Justice Cooperation (January 27, 2021). "World's most dangerous malware EMOTET disrupted through global action". Eurojust.
^ Christiaan Beek (December 6, 2017). "Emotet Downloader Trojan Returns in Force". McAfee.
^ ^a ^b Schmidt, Jürgen (June 6, 2019). "Trojaner-Befall: Emotet bei Heise" (in German). Heise Online. Retrieved November 10, 2019.
^ Brandt, Andrew (December 2, 2019). "Emotet's Central Position in the Malware Ecosystem". Sophos. Retrieved September 19, 2019.
^ "North Korean APT(?) and recent Ryuk Ransomware attacks". Kryptos Logic. January 10, 2019.
^ Cimpanu, Catalin (September 16, 2019). "Emotet, today's most dangerous botnet, comes back to life". ZDnet. Retrieved September 19, 2019.
^ "July 2020's Most Wanted Malware: Emotet Strikes Again After Five-Month Absence" (Press release). August 7, 2020.
^ "Emotet uses parked domains to distribute payloads". How To Fix Guide. October 30, 2020. Retrieved January 27, 2021.
^ "World's most dangerous malware EMOTET disrupted through global action". Europol. Retrieved January 27, 2021.
^ Cimpanu, Catalin, Authorities plan to mass-uninstall Emotet from infected hosts on March 25, 2021, zdnet, January 27, 2021
^ "Emotet botnet returns after law enforcement mass-uninstall operation". The Records. November 15, 2021. Retrieved November 20, 2021.
^ "Emotet Returns". SANS Internet Storm Center. Retrieved November 20, 2021.
^ "Cryptolaemus (@Cryptolaemus1)". Twitter. Retrieved November 7, 2022.
^ "Emotet Malware | CISA". www.cisa.gov. October 24, 2020. Retrieved September 10, 2024.
^ "Emotet, Software S0367 | MITRE ATT&CK®". attack.mitre.org. Retrieved September 10, 2024.
^ "Malware infection poised to cost $1 million to Allentown, Pa". washingtontimes.com. The Washington Times. Retrieved November 12, 2019.
^ "Emotet malware gang is mass-harvesting millions of email in mysterious campaign". ZDNet. Retrieved November 12, 2019.
^ "Emotet: Trojaner-Angriff auf Berliner Kammergericht". Der Spiegel (in German). October 4, 2019. Retrieved November 12, 2019.
^ "Emotet: Wie ein Trojaner das höchste Gericht Berlins lahmlegte". faz.net (in German). Frankfurter Allgemeine Zeitung. Retrieved November 12, 2019.
^ "Trojaner greift Netzwerk von Humboldt-Universität an". dpa (in German). Heise Online. November 9, 2019. Retrieved November 10, 2019.
^ "Trojaner-Befall: Uni Gießen nutzt Desinfec't für Aufräumarbeiten" (in German). Heise Online. December 19, 2019. Retrieved December 22, 2019.
^ Joncas, Hugo (September 12, 2020). "Les pirates informatiques ont pu voler tous les courriels". Le Journal de Montréal. Retrieved January 27, 2021.
^ "Several institutions affected by email virus in Lithuania – center". baltictimes.com. Retrieved January 27, 2021.

Hacking in the 2010s

← 2000s

Timeline

2020s →

Major incidents

2010	Operation Aurora (publication of 2009 events) Australian cyberattacks Operation Olympic Games Operation ShadowNet Operation Payback
2011	Canadian government DigiNotar DNSChanger HBGary Federal Operation AntiSec PlayStation network outage RSA SecurID compromise
2012	LinkedIn hack Stratfor email leak Operation High Roller
2013	South Korea cyberattack Snapchat hack Cyberterrorism attack of June 25 2013 Yahoo! data breach Singapore cyberattacks
2014	Anthem medical data breach Operation Tovar 2014 celebrity nude photo leak 2014 JPMorgan Chase data breach 2014 Sony Pictures hack Russian hacker password theft 2014 Yahoo! data breach
2015	Office of Personnel Management data breach Hacking Team Ashley Madison data breach VTech data breach Ukrainian Power Grid Cyberattack SWIFT banking hack
2016	Bangladesh Bank robbery Hollywood Presbyterian Medical Center ransomware incident Commission on Elections data breach Democratic National Committee cyber attacks Vietnam Airport Hacks DCCC cyber attacks Indian Bank data breaches Surkov leaks Dyn cyberattack Russian interference in the 2016 U.S. elections 2016 Bitfinex hack
2017	SHAttered 2017 Macron e-mail leaks WannaCry ransomware attack Westminster data breach Petya and NotPetya 2017 Ukraine ransomware attacks Equifax data breach Deloitte breach Disqus breach
2018	Trustico Atlanta cyberattack SingHealth data breach
2019	Sri Lanka cyberattack Baltimore ransomware attack Bulgarian revenue agency hack WhatsApp snooping scandal Jeff Bezos phone hacking incident

Hacktivism

Advanced
persistent threats

Individuals

Major vulnerabilities
publicly disclosed

Evercookie (2010)
iSeeYou (2013)
Heartbleed (2014)
Shellshock (2014)
POODLE (2014)
Rootpipe (2014)
Row hammer (2014)
SS7 vulnerabilities (2014)
WinShock (2014)
JASBUG (2015)
Stagefright (2015)
DROWN (2016)
Badlock (2016)
Dirty COW (2016)
Cloudbleed (2017)
Broadcom Wi-Fi (2017)
EternalBlue (2017)
DoublePulsar (2017)
Silent Bob is Silent (2017)
KRACK (2017)
ROCA vulnerability (2017)
BlueBorne (2017)
Meltdown (2018)
Spectre (2018)
EFAIL (2018)
Exactis (2018)
Speculative Store Bypass (2018)
Lazy FP state restore (2018)
TLBleed (2018)
SigSpoof (2018)
Foreshadow (2018)
Dragonblood (2019)
Microarchitectural Data Sampling (2019)
BlueKeep (2019)
Kr00k (2019)

Malware

2010	Bad Rabbit Black Energy 2 SpyEye Stuxnet
2011	Coreflood Alureon Duqu Kelihos Metulji botnet Stars
2012	Carna Dexter FBI Flame Mahdi Red October Shamoon
2013	CryptoLocker DarkSeoul
2014	Brambul Black Energy 3 Carbanak Careto DarkHotel Duqu 2.0 FinFisher Gameover ZeuS Regin
2015	Dridex Hidden Tear Rombertik TeslaCrypt
2016	Hitler Jigsaw KeRanger Necurs MEMZ Mirai Pegasus Petya and NotPetya X-Agent
2017	BrickerBot Kirk LogicLocker Rensenware Triton WannaCry XafeCopy
2018	VPNFilter
2019	Grum Joanap NetTraveler R2D2 Tinba Titanium ZeroAccess botnet

Hacking in the 2020s

← 2010s

Timeline

2030s →

Major incidents

2020	BlueLeaks Twitter account hijacking European Medicines Agency data breach Nintendo data leak United States federal government data breach EasyJet data breach Vastaamo data breach
2021	Microsoft Exchange Server breach Ivanti Pulse Connect Secure data breach Colonial Pipeline ransomware attack Health Service Executive ransomware attack Waikato District Health Board ransomware attack JBS S.A. ransomware attack Kaseya VSA ransomware attack Transnet ransomware attack Epik data breach FBI email hack National Rifle Association ransomware attack Banco de Oro hack
2022	Ukraine cyberattacks Red Cross data breach Anonymous and the Russian invasion of Ukraine Viasat hack DDoS attacks on Romania Costa Rican ransomware attack LastPass vault theft Shanghai police database leak Grand Theft Auto VI content leak
2023	Munster Technological University ransomware attack Evide data breach MOVEit data breach Insomniac Games data breach Polish railway cyberattack British Library cyberattack
2024	XZ Utils backdoor Kadokawa and Niconico Change Healthcare ransomware attack Ukrainian cyberattacks against Russia 2024 WazirX hack Trump campaign hack Fur Affinity domain hijacking IRLeaks attack on Iranian banks