Summary

Through its lifetime, Emotet has been coming in waves. It first appeared in 2014 as banking malware that attempted to infect computers and steal sensitive information. On September of last year, it was provided as Malware-as-a-Service to other malware groups. Four months after, February this year, it utilized WiFi as an additional spreading capability. After 5 months of silence, Emotet’s activity spikes up, spreading via malspams with infected attachments & embedded malicious URLs.

In its latest malspam campaign, some emails were identified to be stolen from existing victims to make it look more legitimate. Some attachments were now PDF documents with malicious links, in addition to malspams that had the common office macro attachments. A few Emotet samples were found to deliver other notorious malware such as TRICKBOT and QAKBOT.

Infection Chain

Behaviors

• Delivers other malware payloads such as TRICKBOT and QAKBOT
• Steals computer data, computer name, system local, operating system (OS) version and running processes
• Steals user credentials, financial and banking information
• Steals usernames and passwords of different mail clients
• Executes backdoor commands from a remote malicious user to connect to malicious websites for sending and receiving information

Capabilities

• Information Theft
• Backdoor commands

Impact

• Compromise system security - with backdoor capabilities that can execute malicious commands
• Violation of user privacy - gathers and steals user credentials of various applications

Sample spam (invoice attachment)

Sample PDF (invoice document)