The Emotet trojan has been popping up in the news for years: From widespread malspam infections of banking German targets in 2014, all the way up to the costly infection of a New Hampshire town’s computer network in July.
And while the tricky Emotet malware first emerged targeting banking credentials, lately researchers have spotted the trojan changing its tactics – and its targets, catching the eye of both researchers and law enforcement this week.
“Despite its age, Emotet is far from just barely alive,” researchers with Check Point Research said in a new report, issued Tuesday. “It spreads itself abundantly through spam emails, network shares and the Rig exploit kit. While some features have stayed constant, during the four years of Emotet’s lifecycle, modules have come and gone.”
These methods have proved effective for the trojan and damaging for its victims. A technical alert from the Department of Homeland Security this week said that Emotet infections on average cost state and local governments up to $1 million per incident to remediate.
The malware has now evolved to adopt new techniques, according to researchers from both Symantec and Check Point – including an expansion in capabilities to become a distributor of threats for other attack groups, and a sneaky newfound interest in third-party, open-source code libraries.
Importantly, its core functionality has also shifted. In 2017, the trojan ditched its banking module and made its most important component is now a loader — symbolizing an expansion in both its targets and its strategy around distributing threats. The malware, which was first spotted in 2014 by Trend Micro, now acts as a downloader or dropper of other banking trojans after gaining access to devices, typically through spam campaigns.
Emotet stands out in its ability to self-propagate, meaning that once it’s on a computer, the malware downloads and executes a spreader module. That has a password list that it uses to brute-force access to other machines on the same network. Emotet can also spread to additional computers using a spam module that it installs on infected victim machines.
Network-spreading particularly poses as a headache for organizations, because it means that victims can become infected without even needing to click on a malicious link or attachment. In addition, Emotet’s brute-forcing of passwords may result in multiple failed login attempts, which can lead to users being locked out of their network accounts.
The malware currently uses five known spreader modules: NetPass.exe (a legit utility that recovers all network passwords stored on a system), WebBrowserPassView (a password recovery tool that captures passwords stored by browsers, including Internet Explorer and Firefox Mozilla), Mail PassView (a password recovery tool for various email clients, including Microsoft Outlook and Windows mail), Outlook scraper (a tool that scrapes names and email addresses from the victim’s Outlook accounts) and a credential enumerator.
This year, Symantec researchers have linked Emotet to threat group Mealybug, a cybercrime actor that has been active since at least 2014.
Mealybug seems to have both expanded the trojan’s capabilities and its targets to become what Symantec researchers call an “end-to-end service for delivery of threats.”
“Mealybug’s shift from distributing its own banking trojan to a relatively small number of targets, to acting primarily as a global distributor of other groups’ threats, is interesting, and backs up an observation we made… that threat actors are evolving and refining their techniques and business model to maximize profits,” Symantec researchers said in a recent blog post.
For instance, since February 2018, Emotet has been using its loader function to spread the Quakbot malware family, known for behaving like a network worm. The malware has also been reportedly distributing the Ransom.UmbreCrypt ransomware, according to Symantec.
Emotet has also sharpened its capabilities and tactics, including the utilization of third-party open source components. For instance, the malware has built a communication protocol on top of Google’s Protobug, which utilizes Lempel–Ziv–Markov (LZMA) compression. LZMA is a chain algorithm used to perform lossless data compression. This signifies a more sophisticated and complex level of understanding by the threat actor, researchers at Check Point said in their report.
“Easy access to third-party libraries is known to be a powerful stimulant for any development process, and discipline in design definitely has its benefits, as well as its pitfalls,” they noted. “Who knows — maybe in a few years we will see enterprise-grade malware written in Java which invokes RansomwareResourceMediator.getMediatorInstance() and MoneroMinerFactory.getAbstractMiner().”
These new characteristics seem to be working for the malware – especially more recently, when after a relatively quiet period in 2015, detections of Emotet surged in both the second half of 2017 and the first half of 2018. Its targets have mainly been in the U.S. in 2018, said Symantec researchers.
Notably, in late 2017, Emotet was found acting as a dropper, putting banking trojan IcedID on targeted systems. As recently as early July, officials in Portsmouth, New Hampshire said that the Emotet malware cost them $156,000 to remove after spreading to the city’s entire computer network via phishing emails.
Symantec researchers said that to avoid Emotet, end users can adopt multiple, overlapping and mutually supportive defensive systems to guard against single-point failures in devices.
“This includes deployment of endpoint, email and web-gateway protection technologies, as well as firewalls and vulnerability assessment solutions,” they said. “Always keep these security solutions up-to-date with the latest protection capabilities.”
However despite these mitigations, researchers seem to be in agreement that Emotet will continue to evolve and launch costly attacks in the future: “With its years of experience and sophisticated ecosystem, Emotet seems to be here to stay,” Check Point researchers cautioned.