The evolution of the infamous Emotet Banking Trojan

• Emotet banking trojan targets are located primarily in the United States, Great Britain, Canada, Germany, Austria, the United Kingdom, and Switzerland.
• Its capabilities include stealing banking credentials, evading two-factor authentication, displaying fake alerts to the victims, self-spreading, exfiltrating email content, and spam avoidance.

Emotet banking trojan was first spotted in 2014 stealing banking credentials by intercepting network traffic. Emotet banking trojan targets are located primarily in the United States, Great Britain, Germany, Austria, and Switzerland. Its capabilities include stealing banking credentials, evading two-factor authentication, displaying fake alerts to the victims, and self-spreading.

Another version of Emotet using Automatic Transfer System (ATS) steal money automatically from victims' bank accounts was spotted in the end of 2014. This version had a modular structure, including an installation module, banking module, spam bot module, a module for stealing address books from Microsoft Outlook, and a module for organizing distributed denial-of-service (DDoS) attacks.

Emotet targeting Swiss banks

In January 2015, another version of Emotet emerged targeting Swiss banks with additional capabilities to evade detection. This version featured a new built-in public RSA key and it partially cleaned ATS scripts of debugging information and comments. If the trojan detects the presence of a virtual machine, it modifies its process and makes use of a fake address list in order to confuse investigators.

Emotet trojan is distributed via phishing emails containing malicious attachments or links. The malicious files contain the Emotet payload. The file is packed by a cryptor, in order to avoid detection by antivirus software.

Emotet resurfaced with new two-factor authentication evading capability

In April 2015, a new version of Emotet was discovered with new evading two-factor authentication capability. The trojan used web injects to display fake alerts to users during online banking sessions, requesting a Chip Transaction Authentication Number (TAN) or SMS TAN from the user to complete a test transfer. The malicious script then carried out a real financial transfer from the victim's account to the attacker's account.

Emotet targeting businesses and government departments in the UK

In April 2017, multiple sectors in the UK including major businesses and government departments were targeted by Emotet banking trojan via phishing email campaign.

Emotet started spreading via Spam botnets and network propagation module

The new variants of Emotet used multiple ways to propagate. Its primary propagation method involved the use of a spam botnet, which resulted in its rapid distribution via email. The trojan was also distributed via a network propagation module that brute-forced its way into an account domain using a dictionary attack. The use of compromised URLs as Command and Control servers likely helped it propagate as well.

Emotet was spotted exploiting CreateTimerQueueTimer

In November 2017, Emotet changed its dropper from using RunPE to exploiting CreateTimerQueueTimer. CreateTimerQueueTimer is a WindowsAPI that creates a queue for timers. These timers enable the selection of a callback function at a specified time.

The callback function of the API became EMOTET’s actual payload. EMOTET traded RunPE for a Windows API in order to make detection very difficult. Researchers also noted a new behavior in this new variant, which is its anti-analysis technique.

Malspam campaign pushing Trickbot and Emotet

Trickbot has its own malspam distribution channel, however, threat actors operating Trickbot were spotted using Emotet for their infections in June 2018.

Emotet reappeared with a new module capable of exfiltrating email content

The new Emotet variant was capable of stealing victims’ emails in bulk and infecting protected systems. The trojan was capable of exfiltrating email content and sending it back to the attacker going back 180 days in mail history.

Emotet infected Annapolis library computers

On September 17, 2018, Anne Arundel County Public Library, Annapolis, suffered a data breach impacting almost 5,000 customers. Emotet trojan was distributed to the library’s systems via spam emails. Over 600 staff and public library computers were compromised by the attack.

Emotet’s new thanksgiving campaign

Emotet reappeared on November 6, 2018, with Thanksgiving campaign and new phishing tricks. The trojan’s new capabilities allowed it to steal email contact lists and over 16KB of the emails’ bodies. The new Thanksgiving campaign used tricks that alleged to have come from trusted organizations. The trojan also contained legitimate links that used Proofpoint’s URL Defense - a scanning service. In this Thanksgiving campaign, the trojan also downloaded the IcedID malware.

Emotet infected the entire email system of Quincy City Hall

Quincy City Hall was infected with Emotet banking trojan, as a result of which the entire email system was hacked. The attack shut down the city hall’s entire computing system for 5 days. Quincy city’s email accounts were hacked and were used for an online phishing campaign.

Emotet distributed via fake Amazon order confirmation campaign

In December 2018, a new malspam ‘Amazon order confirmation’ campaign was spotted tricking users and executing Emotet trojan. Once the users open the email, the order number without the image or detail of the item will be displayed. The user needs to click on the ‘Order Details’ to view the item detail. Upon clicking, a Word document named order_details.doc will be downloaded. Once downloaded, the document urges users to click on ‘Enable Content’ button which executes Emotet trojan.

Emotet returns back with new spam avoidance capabilities

Emotet banking trojan has resurfaced with new spam avoidance capabilities. The latest strain has gained the ability to check if the infected IP where the malicious email is being sent from is already blacklisted on a spam list. This could allow attackers to deliver more emails to users' inboxes without any pushback from spam filters.