EMOTET strikes again

    • Updated: 29 Sep 2020
    • Product/Version:
        • Apex One 2019
        • Apex One as a Service
        • OfficeScan 11.0
        • OfficeScan XG
        • Worry-Free Business Security Standard 10.0
        • Worry-Free Business Security Standard 9.0
        • Worry-Free Business Security Standard 9.5
Summary

Throughout its lifetime, Emotet has come in waves. It first appeared in 2014 as banking malware that infected computers and stole sensitive information. In September 2019 it was offered as Malware-as-a-Service to other malware groups. Four months later, in February 2020, it added Wi-Fi as an additional spreading capability. After five months of silence, Emotet's activity has spiked again, spreading via malspam carrying malicious attachments and embedded malicious URLs.

In its latest malspam campaign, some of the emails were identified as having been stolen from existing victims, making the messages look more legitimate. Some attachments are now PDF documents containing malicious links, in addition to the usual malspam carrying Office macro attachments. A few Emotet samples were found to deliver other notorious malware such as TRICKBOT and QAKBOT.

Infection Chain

Module state

Behaviors

  • Delivers other malware payloads such as TRICKBOT and QAKBOT
  • Steals computer data: computer name, system locale, operating system (OS) version and running processes
  • Steals user credentials, financial and banking information
  • Steals usernames and passwords of different mail clients
  • Executes backdoor commands issued by a remote malicious user, connecting to malicious websites to send and receive information

Capabilities

  • Information Theft
  • Backdoor commands

Impact

  • Compromise system security - with backdoor capabilities that can execute malicious commands
  • Violation of user privacy - gathers and steals user credentials of various applications

Sample spam (invoice attachment)

Sample PDF (invoice document)

Details

Available Solutions

Columns: Solution Module, Solution Available, Pattern Branch, Release Date, Detection/Policy/Rules

Email Protection
  • Solution Available: Yes
  • Pattern Branch: AS Pattern 5612
  • Release Date: 44062
  • Detection/Policy/Rules: -

URL Protection
  • Solution Available: Yes
  • Pattern Branch: In the Cloud
  • Release Date: -
  • Detection/Policy/Rules: -

Advanced Threat Scan Engine (ATSE)
  • Solution Available: Yes
  • Pattern Branch: 16.177.00
  • Release Date: 44064
  • Detection/Policy/Rules: -

Predictive Learning (TrendX)
  • Solution Available: Yes
  • Pattern Branch: In the Cloud
  • Release Date: -
  • Detection/Policy/Rules: Troj.Win32.TRX.XXPE50FFF036, Downloader.VBA.TRX.XXVBAF01FF0096

File detection (VSAPI)
  • Solution Available: Yes
  • Pattern Branch: ENT OPR 16.159.00
  • Release Date: 44055
  • Detection/Policy/Rules: Trojan.W97M.EMOTET.TIOIBEKK, TrojanSpy.Win32.EMOTET.TIAB, TrojanSpy.Win32.EMOTET.TIABOFJV, TrojanSpy.Win32.EMOTET.TIABOFJW, Trojan.W97M.POWLOAD.SMBB69, Trojan.W97M.POWLOAD.SMAD70, TrojanSpy.Win32.EMOTET.SMC, Trojan.W97M.POWLOAD.SMAC1

Network Pattern
  • Solution Available: Yes
  • Pattern Branch: NCCP 1.14173.00, NCIP 1.14261.00
  • Release Date: 44055
  • Detection/Policy/Rules: EMOTET - HTTP (Request) - Variants 1, 4-6; EMOTET - HTTP (Response) - Variants 2-3

Behavioral Monitoring (AEGIS)
  • Solution Available: Yes
  • Pattern Branch: TMTD OPR 2155
  • Release Date: 44053
  • Detection/Policy/Rules: 4507T

References and Virus Reports

Recommendations

Category: Remove a Malware / Virus
Solution Id: 000274500