Request a demo

Identified initially in 2014, Emotet malware has persisted in disrupting many industries. This resilient malware program delivers different malicious payloads to unsuspecting users. It has continued to push our cybersecurity posture, hunting capabilities, and response mechanisms to (hopefully) new limits in all sectors. First introduced as a banking trojan (disguised as something innocuous), Emotet has exhibited rapid growth, agility, and resilience. In fact, Emotet has continually evolved and honed its nefarious capabilities to become a MaaS (Malware-as-a-Service) offering in 2017.

Once a user has activated the program via a malicious link or macro in a downloaded attachment, the Command-and-Control (C2) infrastructure is established, and access to the target is sold to MaaS buyers. The main objectives of the services are to steal valuable information or deploy ransomware for financial gain. Europol led a collaborative effort between law enforcement agencies in the Netherlands, Germany, United States, United Kingdom, France, Lithuania, Canada, and Ukraine dubbed “Operation Ladybird” in 2021 that successfully shut down the Emotet operation for a brief time.

The re-emergence of Emotet was swift, with the adaptation of their email campaigns to include timely and realistic IRS and Covid-19 related content. The threat actors behind Emotet quickly added additional evasion techniques, C2 capabilities, and increased infection mechanisms. Emotet is polymorphic, meaning the code has logic built to evade detection. Payloads delivered by Emotet include IcedID, TrickBot, UmberCrypt, and QakBot. The actors behind Emotet have employed an agile software development lifecycle and adapted to detection mechanisms by increasing the obfuscation capabilities of the program and spreading it through a network. These characteristics make detection difficult.

Some of the more essential observations concerning Emotet are:

  • Successful phishing campaigns mimicking trusted sources are common because of the efforts to curate realistic and enticing embedded links and attachments.
  • Possible mitigations against this vulnerability include an engaging user awareness training program, identifying a secure online document-sharing solution, and investing in a spam filter tool.
  • Companies could remove attachments from corporate email, force all email formats to text only, or prohibit personal email access from the enterprise network. The company may opt to offer a secured but completely segmented network for personal devices or provide a few shared workstations for employee use. A segmented network would allow users to access personal communication while reducing the attack vector that email, and devices, can present.
  • Living Off the Land (LOL) use of .NET Framework, PowerShell, rundll32.exe, mshta.exe, and both VBA and XL4 Macros allows for Emotet, and malicious programs like it, to be challenging to detect and easily obfuscated.
  • Remediation steps to help lessen this vulnerability are threefold. Employ a highly knowledgeable Microsoft Subject Matter Expert’s (SME) guidance to help achieve a more secure posture and ensure functionality with least-privilege methodology, the identification of unneeded software or services (platform bloat), and the identification of vulnerable files and services that should have extra scrutiny. Ensure that the network and security tool stacks are configured and tuned to alert on Indicators of Compromise (IOCs) specific to Emotet.
  • .NET and PowerShell are integral to functionality on Windows Operating System (OS) platforms. .NET is used to construct applications that directly interact with the most critical OS files. PowerShell uses .NET to perform many tasks, which means that these components are readily available in the Windows OS and are not inherently suspicious. Their frequent use makes it difficult to maintain the required functionality while achieving the necessary security levels.
  • Macros are commonly used to enhance user experience and perform tasks specific to a business line. They are often found in environments that require mathematical expressions and functions, such as financial institutions.

In many companies, some processes have been established and used for years. These processes can contain End of Life (EoL), vulnerable code, or made with no security precautions in place. Macros in excel/word documents are a prime example of these processes. Often, the individual who established the process is no longer available, and the institutional knowledge has dwindled to accept the process and attempt to safeguard it as is. We often see an unwillingness to upgrade components that could impact the functionality of the process (i.e., Macro), which may result in a complete aversion to updating all software. Workload, timelines, and other pressure can inadvertently foster an environment that favors results over time-consuming security practices or documentation. An emphasis on security-based, approved processes and framework is critical, and subverting the same should not be celebrated for the sake of time saved.

When the proper steps are performed, the speed at which a task can be performed is lessened. Due diligence takes time. Tasks should be measured against the actual time they take to perform while following proper security procedures. If it takes 20 minutes to follow all policies and ensure compliance, then less time indicates a potential issue to investigate. To verify the timeframe for compliant task performance, utilize job rotation. Train another individual via official documentation and document/compare the results. Resources: VMware’s Threat Analysis Team has done a great job breaking down Emotet and exposing the threat further.

Their report can be downloaded here:

Microsoft’s Detection and Response Team has published their analysis and findings of Emotet’s enterprise-wide destruction here:

Blog byLori Brumm
Lori Brumm
Lori Brumm
Lori Brumm is a Lead Cyber Range Engineer at SimSpace. She has worked in the IT/cybersecurity field for 20 years across multiple sectors, including commercial, private, and non-profit, as well as federal and state government. A lifelong learner, Lori recently renewed her academic dedication by earning CISSP and CCSP certifications from (ISC)² as well as continuing to evolve her 2003 Associate’s in Applied Technology to a Bachelor’s in Applied Cybersecurity with SANS Technical Institute.