The Emotet Threat Keeps Rolling On!

Back in 2014, security researchers came across a new threat in the wild they dubbed Emotet.

Emotet started out its life as a banking trojan, that infected target machines with a goal of silently stealing sensitive personal and financial information from its victims.

Almost five years on from this initial find, Emotet has become one of the most active, costly and destructive malware families in the world today.

Emotet is known as a ‘Trojan Virus’, and like the Trojan Horse in Greek history, it appears to be one thing on the surface while inside it’s something very different. The trojans job is to first infect a target system by evading its security defences, before unleashing the more malicious hidden payload it is carrying inside.

One of the attractions for cyber criminals is its polymorphic behaviour, that gives Emotet the ability to change itself every time a version of the malware is downloaded. This is one of its methods that is used to evade detection by signature based Anti-Virus and Intrusion Prevention products.

Today, Emotet has evolved into far more than just a standard banking trojan.

Emotet’s Evolution?

Due to its versatility it has become a favourite for cyber criminals in their efforts to improve the chance of successful infection of a target. As described above, it no longer just seeks to deliver banking malware, its continued evolution sees the addition of newly developed modules that allows it to remain an effective delivery platform for different types of malware.

Emotet primarily uses malspam campaigns to spread via email, typically containing a malicious email attachment, in the form a macro enabled Microsoft Office document. Following initial infection Emotet has the capability to steal personal information and online credentials, before launching its hidden payload.

Malicious payloads such as ransomware, Quakbot, TrickBot, Ursnif, Zeus Panda & IcedID are just a few that have been delivered using the Emotet family.

Once a target system has been infected, it uses modules within the malware to spread throughout the network, via brute forcing techniques and SMB exploits (such as DoublePulsar & EternalBlue), to connect to and infect more servers and devices.

In addition to security evasion techniques, it can also detect when it is inside a malware analysis sandbox. And through its established Command & Control infrastructure (C2), Emotet can receive instructions and software updates, that can extend the capabilities of the malware or add further malicious payloads.

The below image shows how Emotet works (courtesy of US CERT website):


All this just helps the attackers stay ahead of the game and increases the spread of the malware.

What can we do?

Although Emotet is a family of advanced malware, it’s not all doom and gloom. There are things you can be doing to protect yourselves from the threat of infection.

Cisco Umbrella is the first line of defence against internet threats and is an effective first step in stopping an Emotet infection in its tracks.

With up to 500 newly generated malicious documents being hosted on compromised websites every day, you need a solution that can dynamically protect you.

Researchers at Cisco have developed a classifier to automatically detect and block these Malspam campaigns. By integrating this classifier into the Cisco Security products such as Cisco Umbrella, we can actively protect against this threat.

As soon as Emotet is detected, Cisco Umbrella can block traffic at the IP or domain level, or alternatively send it to the Intelligent Proxy for further inspection. You no longer need to wait for a connection to be made or malware to be downloaded to detect the threat.

By using Cisco Umbrella, you can prevent your users, devices and networks from ever establishing a connection to these bad domains or IP addresses.

Investigate Console - baatzconsulting
Investigate Console - structure.thememove

At Ironshare we are actively using Cisco Umbrella to protect our customers from the threat of Emotet.

The images above show just a couple of examples of the compromised domains from Umbrella Investigate that have been blocked this year, preventing our customers from infection and almost certain compromise.

If you would like to find out more about how Cisco Umbrella could protect your business or if you would like a free trial, please use the link below to contact us.


Ironshare – Security Simplified