Written by Anthony Carballo
on February 24, 2020

What is it?

Emotet is malware (malicious software) from the Trojan family. It was first spotted back in 2014 and was originally designed as a banking trojan that attempted to sneak onto your computer and steal sensitive and private information. It has been evolving year after year, becoming more dangerous and sophisticated, and it has brought new techniques to evade most security software. It can perform multiple malicious actions, such as stealing access credentials, infecting devices with other malware, and sending spam email to the contact list for self-replication.


Emotet uses functionality that helps it evade detection by some anti-malware and anti-virus products. It also uses worm-like capabilities to spread to other connected computers, which helps the malware spread inside an organization. Emotet is one of the most costly and destructive malware families, affecting government and private sectors, individuals and organizations, and costing upwards of $1M (Yes! 1,000,000 USD) per incident to clean up.

Emotet is mainly spread through malspam (malicious spam) emails. The infection commonly arrives either via a malicious script inside a macro-enabled document file or via a malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email and trick the user. Emotet may try to persuade users to click malicious files by using tempting words like "Your Invoice" or "Payment Details."

This Trojan uses several tricks to try and prevent detection and analysis. There are examples of this malware where it "knows" if it's running inside a virtual machine and will lay dormant if it detects a sandbox environment (a tool cybersecurity researchers use to observe malware within a safe, controlled space).

Emotet also uses C&C (Command and Control) servers, through which the attacker can gain and keep control over the affected machine. This works more or less in the same way as the operating system updates on your PC and can happen seamlessly and without any apparent signs. It allows the attackers to install an updated version of the software, to download and install additional malware such as other banking Trojans, or to use the servers as a dumping ground for stolen information such as financial credentials, usernames, passwords, email addresses, and others.


So, what can you do to prevent this grisly malware?

As stated above, Emotet is transmitted mainly by email, either through attachments or malicious links that end up downloading the malware.

Therefore, special care must be taken when opening any attachment or link from an email. Caution should also be taken with emails from known contacts since Emotet can impersonate your identity. When in doubt, it is advisable to analyze the file or link with the anti-virus on the computer or with online tools such as VirusTotal or URLhaus.

Disable third-party macros. Macros, which are programs contained within Microsoft Office documents, are one of the most widely used methods in attachment and malicious-link campaigns. You should never enable a macro in an Office document unless you are sure of its legitimacy. When an Office document displays the message asking whether you want to enable editing or enable the content, the "Enable content" button should not be selected unless you are entirely sure of the origin and legitimacy of the document.

In addition, automatic execution of macros should always be turned off. Usually, it comes disabled in the newest versions of Microsoft Office. However, it is well worth double-checking: you can ensure this by going to File -> Options -> Trust Center -> Trust Center Settings -> Disable macros with notification. With this setting, Office will display the message asking whether you want to enable the content whenever a document comes with a macro in it.
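The same Trust Center choice can be checked from PowerShell without opening each application. This is an added example, not part of the original post; it assumes Office 2016 or later (registry version key 16.0) and reads the `VBAWarnings` registry value where Office stores this option, and the function name `Get-MacroSetting` is illustrative.

```powershell
# Added example: audit the per-user Office macro setting (VBAWarnings) for each app.
# Assumption: Office 2016/2019/365 (registry version 16.0); change $OfficeVersion for older builds.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings values written by the Trust Center.
$Meaning = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSetting {
    param([string]$App, [string]$Version)

    # A Group Policy value overrides the user's Trust Center choice, so check it first.
    $paths = [ordered]@{
        Policy = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
        User   = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    }
    foreach ($source in $paths.Keys) {
        $item = Get-ItemProperty -Path $paths[$source] -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.VBAWarnings
            return [pscustomobject]@{
                App     = $App
                Source  = $source
                Value   = $value
                Setting = $Meaning[$value]
                Risky   = ($value -eq 1)   # macros run with no prompt at all
            }
        }
    }
    # No value stored: Office falls back to its default (disable with notification).
    [pscustomobject]@{
        App = $App; Source = 'Default'; Value = $null
        Setting = 'Not set (Office default: disable with notification)'; Risky = $false
    }
}

$Apps | ForEach-Object { Get-MacroSetting -App $_ -Version $OfficeVersion } |
    Format-Table -AutoSize
```

Any row with `Risky` set to `True` means that application runs macros without prompting and should be switched back to "Disable macros with notification".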

Emotet also uses well-known vulnerabilities like EternalBlue or DoublePulsar, and it can launch brute force attacks, so you should always keep your systems updated to the latest available version and use robust passwords and 2-step verification.

Another complementary way to prevent Emotet infections and their spread is to monitor all possible sources of infection and the data, using different IOCs (Indicators of Compromise) such as web domains, IP addresses, and hashes. There is also a tool called EmoCheck, which you can run via shell commands to check whether there is an Emotet Trojan on your computer; it will show you the path where it is located.


It sounds quite complicated, right?

Don't worry; we have your back. CyberEasy can do all of that and much more. As we mentioned at the beginning of this post, Emotet uses techniques to evade detection by security solutions; the problem with these solutions is that they only detect known knowns.

In other words, they detect things that have already happened, based on lists of things that were reported by someone else. But what would happen if you were hit by the first variant of an evolved Emotet? They would not detect it: you would be infected and all your information compromised; even your identity can be affected. Our approach is not only to detect things based on IOCs but also to detect bad things through behavioral analysis. It allows you to detect things that might be happening in the background without being noticeable to you or even to an anti-virus.
