
Threat Group Cards: A Threat Actor Encyclopedia

Tool: Emotet

Names: Emotet, Geodo, Heodo
Category: Malware
Type: Banking trojan, Downloader, Botnet
Description (Malwarebytes): Emotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.

Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers.

Emotet uses a number of tricks to try and prevent detection and analysis. Notably, Emotet knows if it’s running inside a virtual machine (VM) and will lay dormant if it detects a sandbox environment, which is a tool cybersecurity researchers use to observe malware within a safe, controlled space.

Emotet also uses C&C servers to receive updates. This works in the same way as the operating system updates on your PC and can happen seamlessly and without any outward signs. This allows the attackers to install updated versions of the software, install additional malware such as other banking Trojans, or to act as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.
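The delivery chain in the description above (lure-themed malspam carrying a macro-enabled document, a script file, or a link) is something a mail gateway or SOC can triage mechanically. The following is an added example written for this card, not code from ThaiCERT, Malwarebytes or any of the sources listed below: it parses an RFC 5322 message, flags attachments that can carry VBA (an OOXML container holding a vbaProject.bin stream, a legacy OLE document, or a script-host extension), extracts links from the body, and notes lure words in the subject. The sample message, the lure word list, the extension list and the severity labels are all constructed assumptions for illustration.

```python
"""Triage an inbound e-mail for the Emotet delivery patterns described above.
Added example, not code from the ThaiCERT card or from Malwarebytes. The sample
message is constructed inline; the word and extension lists are assumptions."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# File types that carry executable content: legacy OLE Office documents (may
# embed VBA), macro-enabled OOXML, and the script hosts used by early Emotet
# waves. Assumed list, extend to local policy.
RISKY_EXTENSIONS = {".doc", ".xls", ".docm", ".xlsm", ".js", ".jse", ".vbs", ".wsf"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Subject themes named in the description (assumed, not exhaustive).
LURE_WORDS = ("invoice", "payment", "shipment", "parcel")


def macro_indicator(filename, data):
    """Return a reason string if the attachment can carry a macro/script, else None."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(b"PK"):  # OOXML is a zip: look for the VBA project stream
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    return "OOXML attachment contains vbaProject.bin"
        except zipfile.BadZipFile:
            return "attachment starts with PK but is not a valid zip container"
    if data.startswith(OLE_MAGIC):
        return "legacy OLE (CFB) Office document, may embed VBA"
    if ext in RISKY_EXTENSIONS:
        return f"risky extension {ext}"
    return None


def triage(raw_bytes):
    """Parse a raw message and return a list of (severity, reason) findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = (msg["subject"] or "").lower()
    if any(w in subject for w in LURE_WORDS):
        findings.append(("low", f"lure theme in subject: {subject!r}"))
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            reason = macro_indicator(name, part.get_payload(decode=True))
            if reason:
                findings.append(("high", f"{name}: {reason}"))
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                findings.append(("medium", f"link in body: {url}"))
    return findings


def build_sample_message():
    """Constructed sample: an invoice lure carrying a .docm with a VBA project stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your Invoice 4471"
    msg.set_content("Please see attached invoice or view it at http://example.invalid/inv")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_4471.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for severity, why in triage(build_sample_message()):
        print(f"[{severity}] {why}")
```

The OOXML check looks inside the container rather than trusting the extension, because a macro-carrying document can be renamed to .docx and Word will still open it; the OLE magic check catches the legacy .doc/.xls format that cannot be inspected this way without a CFB parser. Treat the output as triage input, not a verdict: a flagged attachment still needs the macro extracted and inspected.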
Information:
<https://www.malwarebytes.com/emotet/>
<https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/>
<http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/>
<http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1>
<https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html>
<https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage>
<https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/>
<https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/>
<https://github.com/d00rt/emotet_research>
<https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html>
<https://www.us-cert.gov/ncas/alerts/TA18-201A>
<https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack>
<https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/>
<https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html>
<https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/>
<https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/>
<https://research.checkpoint.com/emotet-tricky-trojan-git-clones/>
<https://www.cert.pl/en/news/single/analysis-of-emotet-v4/>
<https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor>
<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/>
<https://persianov.net/emotet-malware-analysis-part-1>
<https://persianov.net/emotet-malware-analysis-part-2>
<https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol>
<https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/>
<https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/>
<https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/>
<https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader>
<https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/>
<https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/>
<https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69>
<https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/>
<https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/>
<https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/>
<https://blog.barracuda.com/2020/06/19/emotet-emerges-as-a-leader-in-maas/>
<https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/>
<https://www.bleepingcomputer.com/news/security/emotet-botnet-is-now-heavily-spreading-qakbot-malware/>
<https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/>
<https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/>
<https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/>
<https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/>
<https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return>
<https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/>
<https://www.bleepingcomputer.com/news/security/epic-fail-emotet-malware-uses-fake-windows-10-mobile-attachments/>
<https://www.zdnet.com/article/france-japan-new-zealand-warn-of-sudden-spike-in-emotet-attacks/>
<https://www.bleepingcomputer.com/news/security/emotet-double-blunder-fake-windows-10-mobile-and-outdated-messages/>
<https://unit42.paloaltonetworks.com/emotet-thread-hijacking/>
<https://www.zdnet.com/article/microsoft-italy-and-the-netherlands-warn-of-increased-emotet-activity/>
<https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures>
<https://us-cert.cisa.gov/ncas/alerts/aa20-280a>
<https://www.darkreading.com/edge/theedge/emotet-101-how-the-ransomware-works----and-why-its-so-darn-effective/b/d-id/1339124>
<https://www.zdnet.com/article/new-emotet-attacks-use-fake-windows-update-lures/>
<https://www.bleepingcomputer.com/news/security/emotet-malware-now-wants-you-to-upgrade-microsoft-word/>
<https://blog.malwarebytes.com/malwarebytes-news/2020/10/new-emotet-delivery-method-spotted-during-downward-detection-trend/>
<https://www.bleepingcomputer.com/news/security/emotet-malware-wants-to-invite-you-to-a-halloween-party/>
<https://cofense.com/variants-of-emotet-malware/>
<https://blog.talosintelligence.com/2020/11/emotet-2020.html>
<https://thehackernews.com/2020/11/anyrun-emotet-malware-analysis.html>
<https://securelist.com/the-chronicles-of-emotet/99660/>
<https://www.darkreading.com/threat-intelligence/emotet-campaign-restarts-after-seven-week-hiatus/d/d-id/1339792>
<https://blog.malwarebytes.com/cybercrime/2020/12/emotet-returns-just-in-time-for-christmas/>
<https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/>
MITRE ATT&CK: <https://attack.mitre.org/software/S0367/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:Emotet>

Last change to this tool card: 20 January 2021


All groups using tool Emotet

Changed   Name                  Country    Observed
Other groups
          Mummy Spider, TA542   [Unknown]  2014-Dec 2020

1 group listed (0 APT, 1 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency


Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th