In this blog post, I will give an overview of how the malware1 Emotet works. According to the BSI2‘s report The State of IT Security in Germany in 2020, this malware was the major threat to the German state, industry, and civil society in the period between 1st June 2019 and 31st May 2020.
Overview about Emotet
In the report The State of IT Security in Germany in 2020, Horst Seehofer3 defines Emotet as a “sophisticated combination of a digital toolbox and social engineering that makes it possible to infect even professional users”. In more technical terms, Emotet is a former banking Trojan4 that now embodies a wide range of malware functions, such as harvesting information, sending unsolicited e-mails, and downloading additional malware.
Emotet distribution
Emotet is distributed via email, either as an attachment or a link. As an email attachment, the payload is usually delivered as a document file, e.g., a DOCX file, or as an image, e.g., a JPEG file. On the other hand, the malicious link delivered via email redirects to a compromised web page from which the payload is downloaded. In both cases, Emotet is then installed onto the infected computer.
Information harvesting and spreading
Once installed, Emotet collects the email communication history of the victim. This information is then used by the malware to automatically generate realistic emails that are sent in the name of the victim to his/her contacts. This means that Emotet does not need any attacker intervention to spread, which is an aspect that makes this malware very dangerous.
Downloading additional malware
Emotet also downloads other malware after successful installation. The BSI report indicates that the malware Trickbot and the ransomware Ryuk were the two payloads mainly associated with Emotet in the reporting period.
Trickbot is malware that can compromise the victim network automatically. In particular, the BSI report indicates that Trickbot has the capability of taking over the Domain Controller in Active Directory without the attacker intervention. If this happens, it is game over for the targeted company. In other less dramatic but nevertheless dangerous cases, Trickbot can set-up backdoors on the infected system in order to guarantee persistent presence within the victim’s network.
Trickbot also collects information about the victim’s computers and sends them back to the attacker. According to the BSI report, this information is then used by the attackers to decide whether to run the ransomware Ryuk on the targeted network. If the victim organization seems solvent, Ryuk is deployed simultaneously on all their accessible servers and endpoints, and often even on their backups as well.
Ransomware attack on a German town with Emotet as the point of entry
At the beginning of September 2019, the administration of a town in the district of Hanover (Lower Saxony) was the victim of a ransomware attack that used Emotet as the point of entry into their network. According to the BSI report, Emotet was likely sent to the council’s computer as an attachment in an email that looked authentic. After successful installation, the attackers deployed the Ryuk ransomware that encrypted about 550,000 files on the administration computers of this German town. As a consequence of this attack, all the council business came to a standstill. It took more than a week to take the first systems back online.
Conclusion
All in all, Emotet is malware that is used as the entry point for compromising a computer network. This malicious piece of software spreads using information harvesting and social engineering. Emotet also downloads and installs the Trickbot malware which is used to compromise and gather intel about a victim’s network. If the victim seems solvent, the attackers then deploy the ransomware Ryuk to encrypt the victim’s data and ask for a ransom.
I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!