Malware Awareness - EMOTET resurges with new detections

    • Updated: 7 Dec 2021
    • Product/Version:
    • Apex One
    • Apex One as a Service
    • Deep Discovery Inspector
    • Deep Security
    • Interscan Messaging Security Virtual Appliance
    • OfficeScan
    • ScanMail for Exchange
    • ScanMail for IBM Domino
    • TippingPoint TPS
    • Worry-Free Business Security Advanced
    • Worry-Free Business Security Standard
Summary

Ten months after its massive takedown in January of 2021, Emotet is back and seeking resurgence. This malware, which first appeared in 2014 as a banking trojan, attempts to infect computers and steal sensitive information. It spreads through spam emails (Malspam) via infected attachments and embedded malicious URLs. In some of its spam campaigns, the emails commonly have a financial theme and appear to come as a reply to a previous transaction by using fake payment remittance notices, invoice attachments, or payment details.

In November 2021, the Trickbot banking trojan was observed downloading and executing updated Emotet binaries on computers previously infected with Trickbot. The payloads were macro-laden Microsoft Excel and Microsoft Word documents and a password-protected ZIP archive containing a Word document, marking the resurgence of this well-known and sophisticated threat.

Emotet has evolved multiple times since 2014 and turned its operations into a successful crimeware ring. It provides Malware-as-a-Service (MaaS): other malware groups rent access to Emotet-infected computers in order to infect them with additional malware such as TRICKBOT, QBOT, and RYUK ransomware. For this reason, it is regarded as one of the most professional and most potent cyberthreats in history.

[Figure: EMOTET diagram]

Details

BEHAVIOR

  • Delivers more dangerous payloads, such as Ryuk ransomware, by renting Emotet-infected machines to other malware groups.
  • Steals computer data: computer name, system locale, operating system (OS) version, and running processes.
  • Steals user credentials and financial and banking information.
  • Steals usernames and passwords of different mail clients.
  • Executes backdoor commands from a remote malicious user to connect to malicious websites for sending and receiving information.

CAPABILITIES

  • Information Theft: Yes
  • Rootkit Capability: Yes
  • File Infection: Yes
  • Propagation: Yes
  • Download Routine: Yes

INFECTION CHAIN

[Figure: EMOTET infection chain]

IMPACT

  • Compromise system security - with backdoor capabilities that can execute malicious commands.
  • Violation of user privacy - gathers and steals user credentials of various applications.

AVAILABLE SOLUTIONS

The original table has the columns Solution Module, Solution Available, Pattern Branch, Release Date, and Detection/Policy/Rules. It is laid out below per module, with one entry per pattern branch (release date in parentheses) followed by the detections, policies, or rules it carries.

Email Protection (Solution Available: Yes)
  • AS Pattern 4134 (4-Oct-18): Spam
  • AS Pattern 4934 (26-Sep-19)

URL Protection (Solution Available: Yes)
  • In the Cloud: Malware Accomplice, Disease Vector, Ransomware

Predictive Learning (TrendX) (Solution Available: Yes)
  • In the Cloud: BKDR.Win32.TRX.XXPE50F13005; Ransom.Win32.TRX.XXPE50FFF027; TROJ.Win32.TRX.XXPE50F13005; TROJ.Win32.TRX.XXPE50F13005R2D6F; Ransom.Win32.TRX.XXPE50F13005; Downloader.VBA.TRX.XXVBAF01FF005; Troj.Win32.TRX.XXPE50FFF031; TSPY.Win32.TRX.XXPE50FFF050E0002

File detection (VSAPI/Smart Scan) and Advanced Threat Scan Engine (ATSE) (Solution Available: Yes)
  • OPR 14.541.00 (2-Oct-18): TSPY_EMOTET.THJOBAH; TSPY_EMOTET.THOIBEAL; TSPY_EMOTET.OIBEAL; TSPY_EMOTET.THJOAAH; TSPY_EMOTET.THAOOAAH; TSPY_EMOTET.THOIBEAK; TSPY_EMOTET.OIBEAJ; TSPY_EMOTET.THIBGAH; TSPY_EMOTET.THOIBEAI; PDF_EMOTET.THIBOAH; PDF_EMOTET.THIAGAH
  • OPR 15.375.00 (20-Sep-19): TrojanSpy.Win32.EMOTET.SMCRS; TrojanSpy.Win32.TRICKBOT.SMB1.hp; Trojan.W97M.POWLOAD.TIOIBEFV; TrojanSpy.Win32.EMOTET.THIAHAI
  • OPR 15.391.00 (25-Sep-19): TrojanSpy.Win32.EMOTET.SMTHF; Trojan.JS.EMOTET.TIABOFCF; Trojan.W97M.EMOTET.AFKJ; Trojan.Win32.EMOTET.CFO; Trojan.XML.EMOTET.AFJO; TrojanSpy.Win32.EMOTET.THIBFAI
  • OPR 17.201.00 (19-Nov-21): TrojanSpy.Win32.EMOTET.SMYXBKO
  • OPR 17.203.00 (20-Nov-21): TrojanSpy.Win32.EMOTET.SMYXBKP
  • OPR 17.211.00 (24-Nov-21): TrojanSpy.Win32.EMOTET.SMYXBKVZ

Behavioral Monitoring (AEGIS) (Solution Available: Yes)
  • TMTD OPR 1797 (15-Jun-18): 2980T
  • TMTD OPR 1877 (4-Mar-19): FLS.LDX.4555T

Network Pattern (Solution Available: Yes)
  • HTTP_EMOTET_REQUEST-5
  • HTTP_EMOTET_REQUEST-4

Deep Discovery Inspector Rule (Solution Available: Yes)
  • Rule 1541: EMOTET - HTTP (Request)
  • Rule 2608: EMOTET - HTTP (Response) - Variant 2
  • Rule 2701: Possible EMOTET - HTTP (Response) - Variant 3
  • Rule 2897: EMOTET - HTTP (Request) - Variant 4
  • Rule 4232: EMOTET - HTTP (Request) - Variant 5

TippingPoint Filter Rule (Solution Available: Yes)
  • 28409: HTTP: Emotet Checkin Request
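The three November 2021 pattern branches above are what separate an endpoint that detects the resurged Emotet samples from one that does not. The following is an added example, not Trend Micro tooling: it compares an installed VSAPI/ATSE pattern version against the branches listed in this advisory and reports which detections are still missing on each host. Branch numbers and detection names are copied from the table (the 2018/2019 detection lists are abbreviated); the hostnames and installed versions are constructed sample input.

```python
import re
from typing import Dict, List, Tuple

# Pattern branches for the VSAPI/Smart Scan and ATSE file-detection module,
# taken from the AVAILABLE SOLUTIONS table of this advisory. The 2018 and
# 2019 branches carry more detections than listed here; for the coverage
# check only the branch number of each entry matters.
VSAPI_BRANCHES: List[Tuple[str, str, List[str]]] = [
    ("OPR 14.541.00", "2-Oct-18", ["TSPY_EMOTET.THJOBAH", "PDF_EMOTET.THIBOAH"]),
    ("OPR 15.375.00", "20-Sep-19", ["TrojanSpy.Win32.EMOTET.SMCRS", "Trojan.W97M.POWLOAD.TIOIBEFV"]),
    ("OPR 15.391.00", "25-Sep-19", ["TrojanSpy.Win32.EMOTET.SMTHF", "Trojan.W97M.EMOTET.AFKJ"]),
    ("OPR 17.201.00", "19-Nov-21", ["TrojanSpy.Win32.EMOTET.SMYXBKO"]),
    ("OPR 17.203.00", "20-Nov-21", ["TrojanSpy.Win32.EMOTET.SMYXBKP"]),
    ("OPR 17.211.00", "24-Nov-21", ["TrojanSpy.Win32.EMOTET.SMYXBKVZ"]),
]

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_opr(text: str) -> Tuple[int, ...]:
    """Turn 'OPR 17.211.00' (or a bare '17.211.00') into a comparable int tuple."""
    match = _VERSION.search(text)
    if not match:
        raise ValueError(f"no pattern version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def coverage(installed: str) -> Tuple[List[str], List[str]]:
    """Split the advisory's detections into (covered, missing) for one endpoint."""
    have = parse_opr(installed)
    covered: List[str] = []
    missing: List[str] = []
    for branch, _date, names in VSAPI_BRANCHES:
        (covered if parse_opr(branch) <= have else missing).extend(names)
    return covered, missing


def stale_endpoints(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Hosts whose pattern predates the newest branch in the advisory, oldest first."""
    newest = max(parse_opr(branch) for branch, _, _ in VSAPI_BRANCHES)
    stale = [(host, ver) for host, ver in inventory.items() if parse_opr(ver) < newest]
    return sorted(stale, key=lambda item: parse_opr(item[1]))


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> installed pattern version.
    sample = {"ws-01": "17.211.00", "ws-02": "17.203.00", "srv-03": "15.391.00"}
    for host, version in stale_endpoints(sample):
        print(host, version, "missing:", ", ".join(coverage(version)[1]))
```

The same comparison applies to the TMTD OPR branches of the Behavioral Monitoring row once the regular expression is widened to their single-number form.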

RECOMMENDATIONS

For support assistance, contact Trend Micro Technical Support.

Category: Troubleshoot; Remove a Malware / Virus; Update
Solution Id: 1118391