Through its lifetime, Emotet has come in waves. It first appeared in 2014 as banking malware that infected computers and stole sensitive information. In September of last year it was offered as Malware-as-a-Service to other malware groups. Four months later, in February of this year, it added WiFi as a further spreading capability. After 5 months of silence, Emotet's activity has spiked again, spreading via malspam with infected attachments and embedded malicious URLs.
In its latest malspam campaign, some of the emails were identified as stolen from existing victims so that the messages look more legitimate. Some attachments are now PDF documents containing malicious links, in addition to the common Office macro attachments seen in earlier malspam. A few Emotet samples were found to deliver other notorious malware such as TRICKBOT and QAKBOT.
- Delivers other malware payloads such as TRICKBOT and QAKBOT
- Steals computer data: computer name, system locale, operating system (OS) version and running processes
- Steals user credentials, financial and banking information
- Steals usernames and passwords of different mail clients
- Executes backdoor commands from a remote malicious user to connect to malicious websites for sending and receiving information
- Information Theft
- Backdoor commands
- Compromise system security - with backdoor capabilities that can execute malicious commands
- Violation of user privacy - gathers and steals user credentials of various applications
Sample spam (invoice attachment)
Sample PDF (invoice document)
| Solution Modules | Solution Available | Pattern Branch | Release Date | Detection/Policy/Rules |
|---|---|---|---|---|
| Email Protection | Yes | AS Pattern 5612 | 44062 | - |
| URL Protection | Yes | In the Cloud | - | - |
| Advanced Threat Scan Engine (ATSE) | Yes | 16.177.00 | 44064 | - |
| Predictive Learning (TrendX) | Yes | In the Cloud | - | Troj.Win32.TRX.XXPE50FFF036 |
| File detection (VSAPI) | Yes | ENT OPR 16.159.00 | 44055 | Trojan.W97M.EMOTET.TIOIBEKK |
| Network Pattern | Yes | NCCP 1.14173.00 | 44055 | EMOTET - HTTP (Request) - Variants 1, 4-6; EMOTET - HTTP (Response) - Variants 2-3 |
| Behavioral Monitoring (AEGIS) | Yes | TMTD OPR 2155 | 44053 | 4507T |
References and Virus Reports
- Trend Micro Threat Encyclopedia: TSPY_EMOTET
- Trend Micro Threat Encyclopedia: TSPY_EMOTET.AUSJLA
- Trend Micro Threat Encyclopedia: TSPY_EMOTET.SMD3
- Trend Micro Threat Encyclopedia: TSPY_EMOTET.AUSJKW
- Trend Micro Threat Encyclopedia: TSPY_EMOTET.AUSJKV
- Trend Micro Threat Encyclopedia: TrojanSpy.Win32.EMOTET.TIABOFCY
- Trend Micro Threat Encyclopedia: Trojan.W97M.POWLOAD.THIAHAI
- Trend Micro Threat Encyclopedia: Trojan.W97M.POWLOAD.TIOIBEFV
- Malware Awareness - EMOTET Resurgence
- Security News - Retefe Banking Malware Starts Leveraging EternalBlue
- Users are advised to be vigilant when opening emails or attachments posing as invoices. Sender email addresses must be inspected carefully before opening any attachment.
- EMOTET is also known to leverage ETERNALBLUE, an exploit for an SMBv1 vulnerability in older Windows systems. It is recommended that your systems are either patched with MS17-010 or protected by the Virtual Patching and Intrusion Prevention feature of Apex One or Deep Security:
  - IPS Rules 1008224, 1008228, 1008225, 1008227 - include coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities
  - Apex One Suspicious Connection Services should also block ETERNALBLUE-related exploit traffic.
- Make sure to always use the latest pattern available to detect old and new variants of EMOTET malware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
- Make sure to implement our best practice configuration for Trend Micro products. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
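One way to check a Windows host against the ETERNALBLUE recommendation above, as an added example that is not part of this advisory and not Trend Micro code: it reports whether SMBv1 is still enabled and listening, and whether one of the MS17-010 hotfixes is installed. The KB list is an assumption taken from Microsoft's MS17-010 bulletin, and later cumulative updates supersede those KBs, so a missing KB means "verify with your patch management", not "unpatched".

```powershell
# Added example (not from the advisory). Run in an elevated PowerShell session
# on Windows 8.1 / Server 2012 R2 or later (needs the SmbShare and Dism modules).

# ASSUMPTION: the original MS17-010 hotfix KB numbers (March 2017). Cumulative
# updates released later contain the same fix under different KB numbers.
$Ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
              'KB4012217','KB4012606','KB4013198','KB4013429','KB4012598'

function Test-Smb1Exposure {
    $result = [ordered]@{}

    # Is the SMBv1 server protocol switched on? ($null if the cmdlet is unavailable.)
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $result.Smb1ServerEnabled = if ($smb) { [bool]$smb.EnableSMB1Protocol } else { $null }

    # Is the SMB1 optional feature installed at all? Client OS feature name is
    # SMB1Protocol; on Server editions use Get-WindowsFeature FS-SMB1 instead.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $result.Smb1FeatureState = if ($feature) { [string]$feature.State } else { 'Unknown' }

    # Which of the MS17-010 hotfixes (if any) are present?
    $result.Ms17010HotfixesFound = @(Get-HotFix |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # Is TCP/445 actually listening, i.e. reachable from the LAN?
    $result.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

$r = Test-Smb1Exposure
$r | Format-List

# Flag the combination the advisory warns about: SMBv1 on and no MS17-010 fix seen.
if ($r.Smb1ServerEnabled -and $r.Ms17010HotfixesFound.Count -eq 0) {
    Write-Warning 'SMBv1 is enabled and no MS17-010 hotfix was found: confirm patch level or disable SMBv1.'
}
if ($r.Smb1ServerEnabled) {
    Write-Output 'To turn off SMBv1 server support: Set-SmbServerConfiguration -EnableSMB1Protocol $false'
}
```

Where SMBv1 cannot be disabled (legacy clients), the IPS rules listed above remain the compensating control for TCP/445 traffic.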