First discovered and classified by security researchers in 2014, Emotet is a type of malware known as a banking Trojan. It was originally designed to infiltrate devices and steal private or sensitive data; however, later versions of Emotet have been used as a delivery service for spam and other malware, including other kinds of banking Trojan.

The tool can escape detection by many current anti-malware products. It also has worm-like capabilities that enable it to spread to other connected devices, which is one of the reasons it is so often used to distribute further malware.

In the United States, the Department of Homeland Security has described Emotet as among the most destructive and costly kinds of malware, affecting private-sector companies, governments, organisations and individuals; its findings put the average cost of cleaning up after a single Emotet incident at upwards of $1 million.

How does an Emotet attack work?

Emotet is primarily a Trojan engineered to spread via malicious spam messages. The infection can be delivered through a macro-enabled document, a malicious script or simply a malicious link. The emails used in Emotet campaigns often carry carefully crafted branding that impersonates a genuine communication, and the message body typically tries to persuade recipients to open a malicious attachment using a tempting subject line such as “Payment Details” or “Your Invoice”.

Since 2014, Emotet has changed its delivery method several times. Earlier versions arrived as a JavaScript file, while later editions moved to macro-enabled DOC files that retrieve the malicious payload from command and control servers operated by the threat actors.

The Trojan uses a variety of tricks to sidestep detection and analysis. For example, Emotet can detect when it is running on a virtual machine and will remain dormant in such a sandbox environment. Security researchers use virtual machines to study malicious software safely, so the Trojan is designed to thwart their efforts.

Emotet also uses its command and control servers to receive updates. Much as an operating system (OS) updates a personal computer, the server can silently update the malware on infected systems without any visible sign. This lets attackers not only install new versions of the malware but also drop additional malware, such as other types of banking Trojan.

How does an Emotet infection spread?

The main distribution vector for Emotet is malicious spam. Once it has infected a machine, Emotet harvests the victim’s contact list and sends itself to their clients, colleagues, friends and family. Because the emails come from the hijacked account, they look authentic, so recipients feel safer opening the attachments.
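The delivery pattern described above (an invoice- or payment-themed subject line carrying a macro-enabled Office document or a script file) is something a mail gateway can screen for before a message ever reaches a user. The following is an added example, not Galaxkey’s code or a description of its product: it parses a constructed sample message with Python’s standard email library and flags the combination of a lure subject and a macro-capable or script attachment. The keyword list, extension list and the three-level verdict are assumptions chosen for illustration, not a published detection rule.

```python
import email
from email import policy

# Constructed sample message, modelled on the lure style the post describes
# (invoice-themed subject, macro-enabled Word attachment). This is NOT a real
# Emotet sample; the attachment body is a meaningless base64 stub.
SAMPLE_EML = b"""From: accounts@example.invalid
To: victim@example.invalid
Subject: Your Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please find your invoice attached.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice_4471.docm"
Content-Disposition: attachment; filename="invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Heuristics below are assumptions for this example, not a vendor rule set.
LURE_KEYWORDS = ("invoice", "payment details", "payment", "remittance")
# Legacy .doc/.xls can carry VBA; the "m" variants are explicitly macro-enabled.
MACRO_EXTENSIONS = (".doc", ".docm", ".dotm", ".xls", ".xlsm", ".pptm")
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf")
MACRO_MIME = {
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/msword",
    "application/vnd.ms-excel",
}


def assess_message(raw_bytes):
    """Return a list of findings for one RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject", ""))
    if any(keyword in subject.lower() for keyword in LURE_KEYWORDS):
        findings.append(f"lure-subject:{subject}")

    # iter_attachments() yields only parts marked as attachments, so the
    # plain-text body is skipped and each attachment is inspected by name/type.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type().lower()
        if name.endswith(MACRO_EXTENSIONS) or ctype in MACRO_MIME:
            findings.append(f"macro-capable-attachment:{name}")
        elif name.endswith(SCRIPT_EXTENSIONS):
            findings.append(f"script-attachment:{name}")
    return findings


def verdict(findings):
    """Map findings to a gateway action: lure + risky attachment is the
    Emotet-style combination and is held; either alone is only reviewed."""
    has_attachment = any(f.startswith(("macro-", "script-")) for f in findings)
    has_lure = any(f.startswith("lure-subject:") for f in findings)
    if has_attachment and has_lure:
        return "quarantine"
    if has_attachment or has_lure:
        return "review"
    return "deliver"


if __name__ == "__main__":
    found = assess_message(SAMPLE_EML)
    for item in found:
        print(item)
    print("verdict:", verdict(found))
```

A real deployment would additionally open Office attachments and check for a VBA project rather than trusting the extension or declared MIME type, since both are chosen by the sender; the example keeps to header-level signals to stay short and dependency-free.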

For comprehensive protection, our team at Galaxkey has created a secure workspace that offers users a robust set of tools for enhanced email security. Contact us today for a free trial.