Emotet

Emotet is a banking trojan, first detected by Trend Micro in 2014, used to steal bank account details by intercepting network traffic. A second version was identified in the fall of 2014 using the Automatic Transfer System (ATS) to steal money automatically from victims' bank accounts. It had a modular structure, including an installation module, banking module, spam bot module, a module for stealing address books from MS Outlook, and a module for organizing distributed denial-of-service (DDoS) attacks. The attackers attempted to remain under-the-radar by using Emotet in targeted attacks against a small number of German and Austrian banks and changing the domain name of the ATS server daily. In January 2015, a third version of Emotet emerged targeting Swiss banks and containing additional features designed to help it evade detection. This version featured a new built-in public RSA key and it partially cleaned ATS scripts of debugging information and comments. It alters its process if it detects the presence of a virtual machine and uses a different, fake address list for the command centers to mislead investigators. Emotet is delivered via spam emails containing malicious attachments or links. The attached files are usually ZIP archives that contain the Emotet loader. The files names typically have many characters in an attempt to hide the .exe extension from the recipient. The trojan file is packed by a cryptor, used to avoid detection by antivirus software. When the file is processed by the cryptor, control is transferred to the Emotet loader. It then embeds itself in the system, links with the command server, downloads additional modules, and runs them. It consolidates itself in the system and obtains a list of running processes. Emotet then locates the explorer.exe process, unpacks its main code, and injects itself into it.

In mid-2015, a new version was identified. The trojan's new capabilities included evading two-factor authentication. It uses web injects to display fake alerts to the victims during online banking sessions, requesting a Chip Transaction Authentication Number (TAN) or SMS TAN from the user to complete a "test transfer." The malicious script then carries out a real financial transfer from the victim's account to the attacker's identified account. The user confirms the transfer using the Chip TAN or SMS TAN. This attack can only be accomplished with user interaction; effective social engineering training can help prevent victimization.

Reporting

  • January 2015: Emotet spam campaign targets banking credentials. (Microsoft TechNet)
  • April 2015: Emotet expands target list, evades two-factor authentication. (SCMagazine)
  • April 2017: Email campaign is delivering a new variant of the Emotet banking trojan, targeting mainly .UK top level domains from multiple sectors including major businesses and government departments. (Forcepoint)

Technical Details

  • Securelist provides technical analysis on the Emotet trojan, available here.