A Closer Look at the Emotet Banking Trojan

Banking trojans can be one of the most financially damaging pieces of malware to infect computers. Banking trojans are typically seen as any piece of malicious software designed to gain access to confidential information related to the victim’s banking and activities with other financial institutions. They may appear as a legitimate piece of software and can be downloaded accidentally via a spam email campaign. Once installed, these trojans have a number of features designed to better carry out their mission, including running executable files, downloading and sending files remotely, accessing information from the OS’s clipboard, accessing browser history and cookies and logging keystrokes.

Once a machine is infected, exposing credentials to banking sites and now cryptocurrency exchanges, the attacker can fraudulently steal funds and cryptocurrency from the victim. Even if no funds are stolen, costs associated with removing the infection can be in the millions of dollars. Emotet is one of these threats; it has risen to prominence through multiple upgrades and the constant adoption of new tactics to better guarantee infection.

What is Emotet?

Emotet was discovered by security researchers in 2014. Initially, the malware was designed to sneak onto a target computer, bypass security software and steal banking credentials. Later versions include other malware strains such as ransomware to further extort money from victims and worm-like capabilities to allow for lateral spread across a network once one computer is infected. This led to the U.S. Department of Homeland Security concluding that Emotet posed a significant threat to government departments, private organizations and individuals. It also said Emotet has risen to become one of the most costly and destructive pieces of malware currently being operated.

Typically, Emotet was spread via spam email campaigns, with the infection occurring via a malicious script, macro-enabled document files or malicious link. These emails are tailored using social engineering techniques to get the user to click or download the malware. Emails often had a subject line such as “Your Invoice” or parcel delivery information from reputed courier companies to trick the user into clicking a malicious link. Early versions of the malware were dependent on a malicious JavaScript file running, while later versions used macro-enabled documents to retrieve the malicious payload via command and control servers under the attacker’s control.

Over the years, tactics evolved, including how the malware evades detection and analysis by anti-virus software packages. Emotet knows if it is running in a virtual machine; if so, it will remain dormant. Virtual machines are used by security researchers to study malware and how it operates in a safe and secure way. Emotet effectively prevents such analysis from happening. Later versions were also capable of receiving updates directly from the command and control servers in much the same way legitimate software rolls out updates.

Emotet’s Distribution Under the Microscope

As noted, Emotet typically is distributed by spam email campaigns, but it also can hijack already compromised email accounts. The malware then sends spam emails to other addresses found on the infected machine’s contact list. Recipients of these spam messages may be more inclined to open the email and click on a malicious link or open a malicious document. If Emotet detects that the infected machine is connected to a network, it will attempt to infect the servers connected to the network through a brute force attack. This attack technique uses lists of passwords and usernames, often default login credentials, to break into a network by submitting the credentials until the right one is found and access granted.

As a testament to Emotet’s tricky nature, it was initially believed it was spread via the leaked NSA tools known as Double Pulsar and Eternal Blue. These tools were used to spread WannaCry and NotPetya around the same time newer versions of Emotet was discovered, and how new machines were infected appeared similar at first glance. It was later discovered that TrickBot, another trojan, was used to distribute Emotet and exploit EternalBlue. Once TrickBot successfully infected a network, it would later drop Emotet along with other malware strains.

A new Emotet campaign was discovered Sept. 16 using a new distribution method. After several months of inactivity, Emotet’s command and control servers once again fired up. This time Emotet returned to spam emails, but rather than looking like an email from a reputable organization, it now included a copy of a book, “Permanent Record” by Edward Snowden. Researchers discovered these Snowden-themed emails targeting English, Italian, German, French and Spanish speakers.

Once the user attempts to open what they expect to be the popular book, they are greeted with an error message complete with an official-looking Microsoft Word logo stating, “Word hasn’t been activated,” and to continue using the service the user needs to click the Enable Content button. If the button is indeed clicked, macros are enabled, which executes a PowerShell command and attempts to download Emotet from one of the three embedded URLs. Once successfully downloaded, the trojan will run quietly in the background and install other malware specimens.

A History of Changing Tactics

Since Emotet’s discovery in 2014, the banking trojan has continually evolved to keep stealing credentials and funds from victims. The first version of Emotet, which is barely similar to later versions, was designed to steal banking credentials via intercepting internet traffic. Shortly after the first version began turning users to victims, a second version emerged that included several new features that drastically increased Emotet’s danger: a money transfer system, malspam module for distributing spam mail to addresses in the contacts list and a banking module that targeted a variety of German and Austrian banks. Obviously, the operators of Emotet realized they were onto a good thing and, by January 2015, a new version was discovered that included improved stealth capabilities and the capability to target Swiss banks within the banking module.

Email distributing emotet
Screenshot of a spam email distributing Emotet trojan

From 2015 to 2018, Emotet activity would rise and fall with little in the way of significant updates to the malware. In 2019, the malware would make international headlines when Lake City, Florida, became the latest high-profile victim. Emotet was used as the primary infection vector so that ransomware and other trojans could be dropped in payloads at a later time. In this instance, the Ryuk ransomware was dropped, resulting in an infection that would cost the city nearly $500,000 in ransom payments.

Along with the distribution campaign masquerading as Edward Snowden’s book, a campaign was detected in August 2019 with botnets distributing spam emails again, complete with malicious attachments designed to trick users into enabling macros. Another campaign, which was discovered shortly after the one in August, targeted German, Polish, Italian and English speakers and downloaded from compromised WordPress websites.

Emotet’s Targets

As mentioned above, the Department of Homeland Security stated that government departments, companies and individuals are all seen as targets for the malware’s operators. Emotet can target any computer with an internet connection or network connection because they specifically tailor campaigns. When targeting a business, the spam emails will be written to pretend to be an invoice or delivery information. With individuals, the spam mail could be a malicious attachment masquerading as a book or anything popular.

With Emotet’s ability to not only steal banking credentials but also deploy ransomware, the threat to potential targets is effectively increased exponentially. Further, Emotet targets banking credentials and is capable of stealing cryptocurrency wallet addresses or replacing addresses within wallets under the control of the operators. The success of Emotet has also allowed the operators to target not only German-speaking countries and their banks; newer campaigns target Canadian, British and American organizations and individuals.

Emotet email attachment (Macros)
Screenshot of a malicious email attachment distributing Emotet

Protecting Yourself and Your Organization

In addition to making sure you have a reputable anti-virus package installed, there are a few things you can do to greater increase your security posture. These include:

  • Keep your operating system and software up-to-date. Emotet infections have been linked to TrickBot infections exploiting vulnerabilities. Keeping software up-to-date will prevent attackers from using this infection vector.
  • Avoid downloading or clicking malicious links. Given Emotet’s favored tactic of using a Word document loaded with malicious macros, never enable macros or click buttons that enable macros. If such an email is discovered within an organization, contact those responsible for the organization’s cybersecurity.
  • Never use default passwords or weak passwords. This will help prevent falling victim to brute force attacks or credential stuffing attacks. Further, enable two-factor authentication wherever possible, especially when it comes to online banking channels and other financial channels.

Conclusion

Given that Emotet has been active since 2014 and has constantly evolved, it’s going to be around for a while. Its authors have adopted a variety of techniques and tactics that are keeping researchers on their toes. There is no indication that this going to slow. Therefore, users of all kinds need to educate themselves about the multiple threats posed by Emotet and its partners in crime, Ryuk and TrickBot.

To further illustrate this point of defense through education, the City of Allentown, Pennsylvania, became a high-profile victim of Emotet in 2018. The city enlisted the help of Microsoft’s incident response team to help nullify and clean the infection. It was mitigated but not without cost: It was estimated that the city had to fork out close to $1 million to deal with the infection. There is always something to be said about prevention is better than cure.

Tomas Meskauskas

Avatar photo

Tomas Meskauskas

Tomas Meskauskas - Internet security expert, editor of pcrisk.com website, co-founder of Mac anti-malware application Combo Cleaner.

tomas-meskauskas has 22 posts and counting.See all posts by tomas-meskauskas

One thought on “A Closer Look at the Emotet Banking Trojan

Comments are closed.