Once a run-of-the-mill banking trojan, Emotet has evolved into a full-fledged malware distribution tool.
Quite often in the threat landscape, the stories that grab the headlines are the ones that do something new or novel: a vulnerability is discovered that impacts a large quantity of devices, or an attack against a major organization comes to light.
However, some of the most prevalent threats aren’t the ones that steal the limelight. They may rely on tried and tested methods, rather than the latest and greatest techniques. And this plays into the hands of attackers. Something that can fly under the radar has the potential to grow, where a more attention-grabbing counterpart may not.
Emotet is a perfect example of this. While the headlines have been filled with discussions of threats like WannaCry and NotPetya, Emotet has sat in the background for years. This tactic has served it well as it has grown to become one of today’s most successful threat families.
Emotet’s success lies in the way it has evolved. From “humble” beginnings as a banking trojan, the threat actors quickly pivoted into making the threat a modular platform capable of carrying out a variety of different attacks. Fast forward to today, and other threat families once seen as competitors now use it to spread their wares. And as the threat landscape shifts once again, Emotet appears to be rising to the top of everyone’s radar.
When Emotet first arrived on the scene, it was one of several banking trojans. The threat was delivered through spam campaigns, generally using invoice- or payment-themed emails. The payload was typically attached as a macro-enabled Office document or a JavaScript file, or delivered through a malicious link in the message body. The distribution techniques varied, though many of the campaigns targeted banks in specific regions — in particular, German-speaking countries in Europe and the US.
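Because the early campaigns relied on macro-enabled Office attachments and script files, a mail gateway can triage messages on those two properties before any sandbox runs. The following is an added example, not code from the report or from any Emotet sample: it inspects an attachment's container rather than trusting its extension (an OOXML document that carries macros contains a vbaProject.bin part inside the zip), flags script-type attachments, and uses an invoice/payment-themed subject only as supporting context. The part names, extension lists, lure words and the minimal OOXML files built by build_ooxml are constructed for the demonstration.

```python
"""Triage mail attachments for the Emotet delivery patterns described above (added example)."""
import io
import zipfile

# OOXML zip parts that exist only when the document carries VBA macros.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Extensions that legitimately declare macros; a VBA part under any other extension is a mismatch.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")
# Script attachment types seen in the spam campaigns (list is an assumption, extend as needed).
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe")
# Subject-line lure words; constructed for this example, not a vendor list.
LURE_WORDS = ("invoice", "payment", "remittance", "overdue")


def has_vba_project(data: bytes) -> bool:
    """True if data is an OOXML zip that embeds a VBA project, regardless of file name."""
    if not data.startswith(b"PK\x03\x04"):          # zip local-file-header magic
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name in VBA_PARTS for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment deserves a closer look (empty list if none)."""
    reasons = []
    name = filename.lower()
    if name.endswith(SCRIPT_EXTENSIONS):
        reasons.append(f"script attachment ({name.rsplit('.', 1)[-1]})")
    if has_vba_project(data):
        reasons.append("Office document embeds a VBA project")
        if not name.endswith(MACRO_EXTENSIONS):
            # e.g. a .docx that secretly contains macros: content and extension disagree
            reasons.append("extension does not declare macros")
    return reasons


def triage_message(subject: str, attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each suspicious attachment name to its reasons.

    A lure-themed subject alone never flags a message (too many false positives);
    it is only recorded as context on attachments that are flagged on their own.
    """
    lure = any(word in subject.lower() for word in LURE_WORDS)
    findings = {}
    for fname, data in attachments.items():
        reasons = triage_attachment(fname, data)
        if reasons and lure:
            reasons.append("invoice/payment-themed subject")
        if reasons:
            findings[fname] = reasons
    return findings


def build_ooxml(with_vba: bool) -> bytes:
    """Build a constructed, minimal OOXML container for testing; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample message: one renamed macro document, one script, one benign document.
    sample = {
        "Invoice_4471.docx": build_ooxml(with_vba=True),
        "payment.js": b"WScript.Echo(1);",
        "notes.docx": build_ooxml(with_vba=False),
    }
    for fname, reasons in triage_message("Overdue invoice 4471", sample).items():
        print(fname, "->", "; ".join(reasons))
```

Only Invoice_4471.docx and payment.js come back flagged; notes.docx is a macro-free container and is left alone even though the subject is a lure. Checking the container, rather than the extension, is what matters in production: the extension check alone is what the attackers expect you to do.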
At first the threat was chiefly focused on stealing banking information: user names, passwords, email addresses, and other financial details. As time went on, Emotet began to spread to a more general audience. A new version of the threat laid the groundwork for the modular configuration we see today, containing different tools for different functions. Some modules steal email credentials, while others focus on user names and passwords stored in the browser. Some provide distributed denial-of-service (DDoS) capabilities, while others can distribute ransomware.
One theme we see woven throughout most of today’s major threats is email. It remains the most popular infection vector for threat actors to spread their wares, and it will likely remain that way in the near future.
Take a look at Emotet, for instance. Week after week, the attackers behind this threat crank out new phishing campaigns.
The same applies to malicious cryptomining, where spam campaigns consistently trick users into downloading the miners onto their computers.
And in terms of mobile device management (MDM) threats, it seems plausible that the attacks began through socially engineered email.
It’s not surprising either, given the convincing design of many phishing emails, especially when viewed on a mobile phone. To a busy user, the risk and urgency conveyed by the message can prompt immediate action, overlooking the telltale signs of a threat in waiting.
It’s no wonder attackers continue to turn to email to help spread their malware.
Figure 1: Sample spam email from Emotet
The primary purpose of Emotet is to discover a way to monetize the compromised computer, which is where the modules come in. It appears as though the modules installed on a particular device depend on how they can best monetize the infected device. Consider the following scenarios:
Does the computer browser history show frequent visits to banking websites? Deploy banking modules to steal credentials and transfer money.
Is the device a top-of-the-line laptop, more than likely indicating the target has disposable income? Deploy malware distribution modules and install ransomware or cryptomining software.
Is the machine a server on a high-bandwidth network? Install modules for email and network distribution and spread Emotet further.
What really sets Emotet apart from many threats in today’s threat landscape is not just its reach and modularity, but that the actors behind the threat appear to be shopping it around as a distribution channel for other attack groups.
For instance, we’ve observed situations where Emotet infects a computer only to drop Trickbot onto the system as the payload. In this seemingly contradictory case, Emotet, which has a well-known reputation as a banking trojan, is actually dropping another banking trojan instead of utilizing its own information-stealing modules. Even more interesting is that Trickbot, after being dropped by Emotet, sometimes drops the Ryuk ransomware.
As strange as this may seem, it appears that cooperation between groups could simply come down to the fact that working together leads to the largest paychecks. If Emotet can’t utilize a device to spread further, Trickbot can steal the banking records. If no banking records are found, Ryuk can encrypt the device and demand a ransom. Of course, how long this unholy alliance lasts is anybody’s guess.
Of course, a threat that grows rarely stays under the radar. In the last couple of months of 2018, the security industry began to sit up and take notice of the size of Emotet. What has raised its profile is that email spam distributors appear to have shifted from cryptomining payloads to distributing Emotet and remote access trojans (RATs). And its impact is being felt: some Emotet infections have cost up to $1 million per incident to remediate, according to US-CERT.
Emotet is unlikely to fade away soon and may very well dominate the threat landscape for the foreseeable future. Yet if the past is any predictor of the future, Emotet will eventually subside, only to be replaced by another dominant player in the threat landscape.
References:
https://blog.talosintelligence.com/2019/01/return-of-emotet.html
https://www.us-cert.gov/ncas/alerts/TA18-201A
https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware
https://blog.talosintelligence.com/2018/12/cryptocurrency-future-2018.html