The Emotet banking Trojan was first identified by security researchers in 2014. Emotet was originally designed as a banking malware that attempted to sneak onto your computer and steal confidential and private information. Spam and malware delivery services, including other banking Trojans, were added in later versions of the software.

Emotet includes functionality that helps it evade detection by some anti-malware products, and it uses worm-like capabilities to spread to other connected computers, which accelerates distribution of the malware. This functionality led the United States Department of Homeland Security to conclude that Emotet is one of the most expensive and destructive malware families, affecting government and private sectors, individuals and organizations, with clean-up costs exceeding 1 million dollars per incident.

What is Emotet?

Emotet is a Trojan that spreads mainly through spam emails. The infection can arrive through malicious scripts, macro-enabled document files, or malicious links. Emotet emails may contain well-known brand images designed to look like legitimate email, and they try to persuade users to open malicious files with tempting language about “Your invoice”, “Payment information” or an upcoming shipment from well-known courier companies.
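A defender-side triage check for the lure described above, added here as an example and not code from the original article: it inspects a raw email for the quoted lure phrases in the subject and for attachments that carry a VBA project, including an attachment named `.docx` that still contains macros. The lure phrase list, file extensions and the constructed sample message are assumptions for illustration, not an Emotet signature.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure phrases quoted in the article (assumed list for triage, not exhaustive).
LURE_PHRASES = ("your invoice", "payment information", "shipment")
# Extensions that commonly carry macros (assumed list).
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".doc", ".xls")

def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML (zip-based) attachment contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container, so no OOXML macro part to find

def triage_message(raw: bytes) -> dict:
    """Flag messages pairing a lure subject with a macro-capable attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    findings = {"lure_subject": any(p in subject for p in LURE_PHRASES),
                "macro_attachments": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Extension check catches declared macro formats; the zip check catches
        # a .docx whose extension hides an embedded VBA project.
        if name.endswith(MACRO_EXTENSIONS) or ooxml_has_vba(payload):
            findings["macro_attachments"].append(name)
    findings["suspicious"] = findings["lure_subject"] and bool(findings["macro_attachments"])
    return findings

def build_sample() -> bytes:
    """Constructed sample: an 'invoice' mail with a .docx that embeds vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not a real macro
    msg = EmailMessage()
    msg["Subject"] = "Your invoice is attached"
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage_message(build_sample()))
```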

It uses a number of tricks to avoid detection and analysis. Emotet is polymorphic, which means that it can change on its own every time it is downloaded, evading signature-based detection. Additionally, it knows when it is running inside a virtual machine (VM) and will remain idle if it detects a sandbox environment.

Emotet also uses command-and-control (C&C) servers to receive updates. This works in the same way as operating system updates on your PC and can happen smoothly and without any external signs. It allows attackers to install updated versions of the software, install additional malware such as other banking Trojans, or use the infected machine as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses. Another method that Emotet uses to spread is through the EternalBlue / DoublePulsar vulnerabilities, which were responsible for the WannaCry and NotPetya attacks. These attacks take advantage of vulnerabilities in Windows that can allow malware to be installed without human interaction.
