Ten months after its massive takedown in January of 2021, Emotet is back and seeking resurgence. This malware, which first appeared in 2014 as a banking trojan, attempts to infect computers and steal sensitive information. It spreads through spam emails (Malspam) via infected attachments and embedded malicious URLs. In some of its spam campaigns, the emails commonly have a financial theme and appear to come as a reply to a previous transaction by using fake payment remittance notices, invoice attachments, or payment details.
Fast forward to November 2021, the Trickbot banking trojan was observed to download and execute updated Emotet binaries to computers previously infected with Trickbot with macro-laden Microsoft Excel, Microsoft Word, and a password-protected ZIP archive containing a Word document as payloads, marking the resurgence of the highly known sophisticated threat.
Emotet evolved multiple times over the years since 2014, and turned its operations into a successful crimeware rink. It provides Malware-as-a-Service (MaaS) to other malware groups to rent access to the Emotet-infected computers to infect them with other malware such as TRICKBOT, QBOT, and RYUK Ransomware. For this reason, it has been known to be one of the most professional and most potent cyberthreats in history.
BEHAVIOR
- Delivers more dangerous payload such as Ryuk ransomware by renting Emotet-infected machines to other malware groups.
- Steals computer data, computer name, system local, operating system (OS) version and running processes.
- Steals User credentials, financial and banking information.
- Steals usernames and passwords of different mail clients.
- Executes backdoor commands from a remote malicious user to connect to malicious websites for sending and receiving information.
CAPABILITIES
- Information Theft: Yes
- Rootkit Capability: Yes
- File Infection: Yes
- Propagation: Yes
- Download Routine: Yes
INFECTION CHAIN
IMPACT
- Compromise system security - with backdoor capabilities that can execute malicious commands.
- Violation of user privacy - gathers and steals user credentials of various applications.
AVAILABLE SOLUTIONS
| Solution Modules | Solution Available | Pattern Branch | Release Date | Detection/Policy/Rules |
|---|---|---|---|---|
| Email Protection | Yes | AS Pattern 4134 | 4-Oct-18 | Spam |
| AS Pattern 4934 | 26-Sep-19 | |||
| URL Protection | Yes | In the Cloud | Malware Accomplice, Disease Vector, Ransomware | |
| Predictive Learning (TrendX) | Yes | In the Cloud | BKDR.Win32.TRX.XXPE50F13005 | |
| Ransom.Win32.TRX.XXPE50FFF027 | ||||
| TROJ.Win32.TRX.XXPE50F13005 | ||||
| TROJ.Win32.TRX.XXPE50F13005R2D6F | ||||
| Ransom.Win32.TRX.XXPE50F13005 | ||||
| Downloader.VBA.TRX.XXVBAF01FF005 | ||||
| Troj.Win32.TRX.XXPE50FFF031 | ||||
| Downloader.VBA.TRX.XXVBAF01FF005 | ||||
| TSPY.Win32.TRX.XXPE50FFF050E0002 | ||||
| File detection (VSAPI/Smart Scan) and Advanced Threat Scan Engine (ATSE) | Yes | OPR 14.541.00 | 2-Oct-18 | TSPY_EMOTET.THJOBAH |
| TSPY_EMOTET.THOIBEAL | ||||
| TSPY_EMOTET.OIBEAL | ||||
| TSPY_EMOTET.THJOAAH | ||||
| TSPY_EMOTET.THAOOAAH | ||||
| TSPY_EMOTET.THOIBEAK | ||||
| TSPY_EMOTET.OIBEAJ | ||||
| TSPY_EMOTET.THIBGAH | ||||
| TSPY_EMOTET.THOIBEAI | ||||
| PDF_EMOTET.THIBOAH | ||||
| PDF_EMOTET.THIAGAH | ||||
| OPR 15.375.00 | 20-Sep-19 | TrojanSpy.Win32.EMOTET.SMCRS | ||
| TrojanSpy.Win32.TRICKBOT.SMB1.hp | ||||
| Trojan.W97M.POWLOAD.TIOIBEFV | ||||
| TrojanSpy.Win32.EMOTET.THIAHAI | ||||
| OPR 15.391.00 | 25-Sep-19 | TrojanSpy.Win32.EMOTET.SMTHF | ||
| Trojan.JS.EMOTET.TIABOFCF | ||||
| Trojan.W97M.EMOTET.AFKJ | ||||
| Trojan.Win32.EMOTET.CFO | ||||
| Trojan.XML.EMOTET.AFJO | ||||
| TrojanSpy.Win32.EMOTET.THIBFAI | ||||
| OPR 17.201.00 | 19-Nov-21 | TrojanSpy.Win32.EMOTET.SMYXBKO | ||
| OPR 17.203.00 | 20-Nov-21 | TrojanSpy.Win32.EMOTET.SMYXBKP | ||
| OPR 17.211.00 | 24-Nov-21 | TrojanSpy.Win32.EMOTET.SMYXBKVZ | ||
| Behavioral Monitoring (AEGIS) | Yes | TMTD OPR 1797 | 15-Jun-18 | 2980T |
| TMTD OPR 1877 | 4-Mar-19 | FLS.LDX.4555T | ||
| Network Pattern | Yes | HTTP_EMOTET_REQUEST-5 | ||
| HTTP_EMOTET_REQUEST-4 | ||||
| Deep Discovery Inspector Rule | Yes | Rule 1541: EMOTET - HTTP (Request) | ||
| Rule 2608: EMOTET - HTTP (Response) - Variant 2 | ||||
| Rule 2701: Possible EMOTET - HTTP (Response) - Variant 3 | ||||
| Rule 2897: EMOTET - HTTP (Request) - Variant 4 | ||||
| Rule 4232: EMOTET - HTTP (Request) - Variant 5 | ||||
| Tippingpoint Filter Rule | Yes | 28409: HTTP: Emotet Checkin Request | ||
RECOMMENDATIONS
-
Make sure to always use the latest pattern available to detect the old and new variants of EMOTET Malware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
- Make sure to implement our Best practice configuration for TrendMicro products. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
- You may also check the article on Submitting suspicious or undetected viruses for file analysis to Technical Support.
For support assistance, contact Trend Micro Technical Support.
Threat Report
- Trend Micro Threat Encyclopedia: TSPY_EMOTET
- Trend Micro Threat Encyclopedia: TSPY_EMOTET.AUSJLA
- Trend Micro Threat Encyclopedia: TSPY_EMOTET.SMD3
- Trend Micro Threat Encyclopedia: TSPY_EMOTET.AUSJKW
- Trend Micro Threat Encyclopedia: TSPY_EMOTET.AUSJKV
- Trend Micro Threat Encyclopedia: TrojanSpy.Win32.EMOTET.TIABOFCY
- Trend Micro Threat Encyclopedia: Trojan.W97M.POWLOAD.THIAHAI
- Trend Micro Threat Encyclopedia: Trojan.W97M.POWLOAD.TIOIBEFV
Blogs
- Emotet adds new evasion techniques and uses connected devices as proxy servers
- Emotet distributed ransomware loader for nozelesn found via manage detection and response
- Ursnif Emotet and Dridex and Bitpaymer gangs links by a similar loader
- Exploring Emotet examining Emotet activities infrastructure
- New Emote hijacks Windows API evades sandbox analysis
- Emotet returns start spreading via spam botnet
