A blog by our IT security partner Sophos. Emotet is an exceptionally nasty, destructive IT security threat causing huge problems for organizations around the world. This fast-moving, ever-changing malware uses multiple advanced techniques to get through your defences – which means it requires the very best defences to stop it.
Emotet is a very sophisticated worm. It is not a new piece of malware, but it’s one that has become steadily more complex and destructive over the years. Emotet first appeared on the scene five years ago, starting off as a Trojan that silently stole banking credentials. Since then it has evolved into a highly sophisticated platform for distributing other kinds of malware. It’s Crimeware-as-a-Service personified.
The people behind Emotet are highly professional and financially motivated. They continuously update their malware to make it ever more powerful and destructive.
Emotet generally arrives on the back of a spam campaign. The emails encourage you to click on a malicious document. Emotet spam began as emails with malicious document attachments but has since evolved into emails with links to malicious documents hosted on websites. Social engineering and brand spoofing are common features of Emotet spam, with Amazon and PayPal among the brands most often impersonated.
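A mail-triage script for the lure just described, added here as an example and not code from Sophos or from the original post: it parses a raw email, flags a From display name that claims a brand (Amazon, PayPal) while the sending domain is not one the brand owns, and flags document files delivered either as an attachment or as a link in the body. The brand-to-domain table, the document extension list and the three sample messages are constructed assumptions for illustration.

```python
"""Triage heuristics for Emotet-style malicious spam (added example, not Sophos code).

Flags the two lures the post describes: a spoofed brand in the From display name,
and a document delivered as an attachment or as a link to a hosted document.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed brand -> legitimate sender domains (constructed, not an authoritative list).
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "paypal": {"paypal.com"},
}
# Assumed document/archive types used as lures (constructed list).
DOC_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".rtf", ".zip")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def spoofed_brand(from_header):
    """Return the brand name when the display name claims a brand the sender domain doesn't own."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in BRAND_DOMAINS.items():
        claims_brand = brand in display.lower()
        owns_domain = any(domain == d or domain.endswith("." + d) for d in domains)
        if claims_brand and not owns_domain:
            return brand
    return None


def document_links(text):
    """URLs in the body whose path ends in a document/archive extension."""
    return [u for u in URL_RE.findall(text)
            if urlparse(u).path.lower().endswith(DOC_EXTENSIONS)]


def document_attachments(msg):
    """Attachment filenames with a document/archive extension."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(DOC_EXTENSIONS)]


def triage(raw):
    """Parse a raw RFC 5322 message and return a list of string findings (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    brand = spoofed_brand(str(msg.get("From", "")))
    if brand:
        findings.append(f"brand-spoof:{brand}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    findings += [f"doc-link:{u}" for u in document_links(text)]
    findings += [f"doc-attachment:{f}" for f in document_attachments(msg)]
    return findings


# Constructed sample messages (not real campaign artefacts).
SAMPLE_LINK = """From: "Amazon Orders" <orders@amaz0n-delivery.example>
To: finance@corp.example
Subject: Your invoice is ready
Content-Type: text/plain; charset="utf-8"

Your order confirmation can be downloaded here:
http://amaz0n-delivery.example/files/Invoice_4471.doc
"""

SAMPLE_ATTACH = """From: "PayPal Billing" <billing@paypal-secure.example>
To: finance@corp.example
Subject: Payment reminder
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND1"

--BOUND1
Content-Type: text/plain; charset="utf-8"

Please review the attached statement.
--BOUND1
Content-Type: application/msword; name="Statement.doc"
Content-Disposition: attachment; filename="Statement.doc"
Content-Transfer-Encoding: base64

AAAA
--BOUND1--
"""

SAMPLE_BENIGN = """From: "PayPal" <service@paypal.com>
To: finance@corp.example
Subject: Your monthly summary
Content-Type: text/plain; charset="utf-8"

Log in to your account to view this month's activity.
"""

if __name__ == "__main__":
    for name, raw in (("link", SAMPLE_LINK), ("attach", SAMPLE_ATTACH), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```

The display-name check deliberately accepts legitimate subdomains (mail.paypal.com) and only fires when the brand is named in the display name, so it complements rather than replaces SPF/DKIM/DMARC checks on the sending domain; a finding here is a reason to quarantine and inspect, not proof of infection.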
When it comes to what Emotet does, unfortunately, the answer is ‘lots of things.’ Once inside your computer, Emotet tries to:
1. Spread onto as many machines as possible. It’s a worm, so it can spread without user interaction, moving from one infected computer to another via the network.
2. Send malicious emails to infect other organizations.
3. Download a malware payload. Traditionally the payloads have mostly been banking Trojans, with TrickBot the most prevalent. The payload injects code into your browser to automatically debit your bank and PayPal accounts when you next log in.
4. Some Emotet variants skim email addresses and names from email client data and archives, likely so they can be sold as part of a wider list and used to spread more malicious spam.
5. Others inspect your web browser, stealing histories and saved usernames and passwords.
6. To add to the pain, Emotet can also be a smokescreen for targeted ransomware attacks. While organizations are dealing with Emotet infections, ransomware like BitPaymer takes advantage of the distraction to hold the organization’s data hostage.
Emotet’s activities are hugely damaging for impacted organizations. Repercussions include:
• The financial and operational costs of the banking Trojan
• Sender reputation damage because of distributing malicious spam
• The costs and compliance implications of a data breach from lost contact information
• The security breach from the loss of user names and passwords
• Potentially, the financial costs of a targeted ransomware attack