By far, one of the most dangerous strains of malware to come along has been Emotet – a rogue program that was first discovered in 2014. Not only is it still active today, it has continued to evolve beyond its initial form – creating something of a perfect storm in the worst possible way.
According to one recent study, approximately 350,000 new instances of malware hit the Internet every single day. Based on that, it should come as a surprise to nobody that a hacking attack occurs every 39 seconds worldwide – amounting to about 2,244 successful breaches on a daily basis. When you also consider the fact that collective damage related to cybercrime is expected to grow to an enormous $6 trillion by as soon as 2021, it’s easy to see why this is one topic that so many people are paying close attention to.
When it was originally discovered nearly a decade ago, Emotet was a straightforward credential stealer and banking Trojan – which is exactly what it sounds like. Once Emotet was allowed to infect a particular system, it would steal banking credentials at high value targets that would then be passed onto rogue actors.
Over the next few years, however, Emotet evolved into something far more sinister. It is now essentially the core of an entire cybercrime operation based out of Russia and has now been reconfigured to work mainly as a loader, meaning that once it gains access to a system it allows its operators to download additional malicious programs at will.
Because of that, Emotet continues to be one of the most costly (not to mention destructive) forms of malware on the Internet. It impacts not only banks and other financial institutions, but also state, local and territorial governments, businesses in the public and private sectors and more. In fact, the United States Department of Homeland Security estimates that because Emotet’s worm-like features make it so difficult to combat, it costs governments up to $1 million on average per incident to remediate.
Part of the reason why the damage can be so severe is that Emotet is a polymorphic banking Trojan, meaning that it can easily evade usual signature-based detection methods. Likewise, it has a number of different methods it uses to remain persistent on a system, which also make it very difficult to fight even once it has been discovered. These include but are not limited to auto-start registry keys and services, the use of Dynamic Link Libraries (DLLs) to constantly evolve and update itself, and more.
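The auto-start locations mentioned above (Run/RunOnce registry keys and services) are the first places a responder looks when a host is suspected of carrying a loader like this. The PowerShell below is an added triage example written for this page, not code from the article or from any vendor: it enumerates those locations and flags entries whose command line points into a user-writable folder such as AppData or Temp. The folder list and the "user-writable path" heuristic are assumptions for illustration and are not Emotet indicators taken from the article; a clean host can legitimately have entries there, so treat hits as leads to review, not verdicts.

```powershell
# Added triage example (not from the article): list common auto-start locations
# and flag entries whose executable lives in a user-writable folder.
# The folders and heuristic below are assumptions; tune them to your environment.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a standard (non-admin) user can write to. An auto-start entry or a
# service binary living here is worth a closer look during incident triage.
$suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) |
    Where-Object { $_ }   # drop any variable that is unset on this host

function Test-SuspiciousPath {
    param([string]$CommandLine)
    foreach ($root in $suspiciousRoots) {
        if ($CommandLine -like "*$root*") { return $true }
    }
    return $false
}

$findings = @()

# 1) Registry auto-start keys
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if (Test-SuspiciousPath ([string]$p.Value)) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2) Installed services (auto-start services are a second persistence location named above)
foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
    if ($svc.PathName -and (Test-SuspiciousPath $svc.PathName)) {
        $findings += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No auto-start entries found under user-writable folders.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM keys and service definitions are readable; compare the output against a known-good baseline from the same build rather than reading it in isolation, since some legitimate updaters also start from AppData.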
Emotet is even a virtual machine-aware strain of malware, meaning that it can also generate false indicators if it ends up being run in any type of virtualized environment.
Often enough, Emotet is distributed using rogue emails that contain malicious attachments or links to files to be downloaded. Usually, they’re designed to seem as familiar to the recipient as possible – not too dissimilar to the way a standard phishing email uses certain publicly known details to put a target’s mind at ease. In the past, these emails have been designed to mimic everything from PayPal receipts to product shipping notifications with e-commerce stores to even “past-due” notices for certain bills a victim may have.
Regardless, Emotet makes its way onto a system when the target either A) clicks on the malicious download link in the email, or B) actually downloads whatever file is attached to the message that Emotet is disguising itself as.
Once that happens, Emotet not only establishes itself on the target machine – it also leverages what are known as spreader modules to infect any other devices connected to the local network, too.
Equally complicating things is the fact that Emotet uses legitimate spreader modules to make its way across a network, with NetPass.exe being among the most prominent. NetPass.exe is a legitimate utility that recovers all network passwords for the currently logged-in user and can even recover passwords stored on external drives, too. This is one of the major reasons why it is so difficult to detect Emotet until the damage has already been done.
All told, Emotet is one of the shining examples of why it is so important to invest in social engineering and phishing training as a business professional. Yes, it is possible to get Emotet off of a system once it has been infected and you can definitely recover from the damage, even though it will cost a great deal. But if you don’t want employees to inadvertently let something this devastating onto your own network, they need to be aware of what these types of threats look like and how to react if they see them moving forward.