Emotet is a banking trojan, first detected by Trend Micro in 2014, used to steal bank account details by intercepting network traffic. A second version was identified in the fall of 2014 using the Automatic Transfer System (ATS) to steal money automatically from victims' bank accounts. It had a modular structure, including an installation module, banking module, spam bot module, a module for stealing address books from MS Outlook, and a module for organizing distributed denial-of-service (DDoS) attacks. The attackers attempted to remain under the radar by using Emotet in targeted attacks against a small number of German and Austrian banks and changing the domain name of the ATS server daily.

In January 2015, a third version of Emotet emerged targeting Swiss banks and containing additional features designed to help it evade detection. This version featured a new built-in public RSA key, and its ATS scripts had been partially cleaned of debugging information and comments. It alters its process if it detects the presence of a virtual machine and uses a different, fake address list for the command centers to mislead investigators.

Emotet is delivered via spam emails containing malicious attachments or links. The attached files are usually ZIP archives that contain the Emotet loader. The file names typically have many characters in an attempt to hide the .exe extension from the recipient. The trojan file is packed with a cryptor to avoid detection by antivirus software. When the file is processed by the cryptor, control is transferred to the Emotet loader. It then embeds itself in the system, links with the command server, downloads additional modules, and runs them. It consolidates itself in the system and obtains a list of running processes. Emotet then locates the explorer.exe process, unpacks its main code, and injects itself into it.
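The delivery pattern described above (a ZIP attachment whose long file name hides the .exe extension) can be screened at the mail gateway by reading archive member names without extracting anything. The following Python check is an added example, not part of the original profile; the extension lists, the 60-character threshold and the function names are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy values for this example; none of them come from the page.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
LONG_NAME_THRESHOLD = 60  # assumed cut-off, tune to the mail client in use


def inspect_zip_attachment(data):
    """Return one finding per executable member, with the reasons it looks disguised."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"member": None, "reasons": ["not a readable ZIP archive"]}]
    findings = []
    with archive:
        for info in archive.infolist():  # reads names only, nothing is extracted
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename).name
            ext = PurePosixPath(name).suffix.lower()
            if ext not in EXECUTABLE_EXTS:
                continue
            reasons = ["executable inside ZIP attachment"]
            if len(name) >= LONG_NAME_THRESHOLD:
                reasons.append(f"long name ({len(name)} chars) can hide the extension")
            # Strip padding, then look for a document-style extension before the real one.
            stem = PurePosixPath(name).stem.rstrip(" _")
            inner = PurePosixPath(stem).suffix.lower()
            if inner in DECOY_EXTS:
                reasons.append(f"decoy extension {inner} before {ext}")
            findings.append({"member": name, "reasons": reasons})
    return findings


def build_sample_zip(member_names):
    """Build an in-memory ZIP with placeholder contents (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in member_names:
            zf.writestr(member, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["invoice_" + "0" * 60 + ".pdf.exe", "readme.txt"])
    for finding in inspect_zip_attachment(sample):
        print(finding["member"], "->", "; ".join(finding["reasons"]))
```

Because only member names are read, the same check applies to password-protected archives that use standard ZIP encryption, which leaves names unencrypted.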

In mid-2015, a new version was identified. The trojan's new capabilities included evading two-factor authentication. It uses web injects to display fake alerts to the victims during online banking sessions, requesting a Chip Transaction Authentication Number (TAN) or SMS TAN from the user to complete a "test transfer." The malicious script then carries out a real financial transfer from the victim's account to the attacker's identified account. The user confirms the transfer using the Chip TAN or SMS TAN. This attack can only be accomplished with user interaction; effective social engineering training can help prevent victimization.


  • UPDATE 09/16/2019: Emotet returns after an almost four-month-long hiatus. The new campaign is delivering emails that reference a remittance payment and include a malicious attached Word document.

  • January 2015: Emotet spam campaign targets banking credentials. (Microsoft TechNet)

  • April 2015: Emotet expands target list, evades two-factor authentication. (SCMagazine)

  • April 2017: Email campaign is delivering a new variant of the Emotet banking trojan, targeting mainly .UK top level domains from multiple sectors including major businesses and government departments. (Forcepoint)

  • July 2017: Emotet added a self-spreading capability. It drops a self-extracting RAR file on infected hosts and uses it to search for and gain access to local network resources after brute-forcing their login credentials. (Fidelis)

  • September 2017: Trend Micro researchers observed a new Emotet campaign, propagating via a spam botnet. The majority of targets are located in the United States with 58 percent of detected infections, followed by Great Britain at 12 percent. (Trend Micro)

  • November 2017: A new version of Emotet has been observed with a few changes in its usual behavior and new routines that allow it to elude sandbox and malware analysis. (Trend Micro)

  • July 2018: New malspam campaign pushing Emotet and Trickbot. (Palo Alto Networks)

  • July 2018: Evidence indicates that Mealybug, the threat group behind Emotet, has evolved from maintaining its custom banking trojan to operating as a distributor of threats for other groups. (Symantec)

  • October 2018: Emotet Trojan Begins Stealing Victim's Email Using New Module (Kryptos Logic)

  • January 2019: One new campaign uses multiple languages and various subject lines in their spam email, while another leverages a direct URL download to load Emotet. (Cisco Talos)

  • February 2019: Since mid-January, Emotet has been distributed via URLs hosted on threat actor-owned infrastructure as well as via spam email attachments. Of the malicious document attachments, some 80 percent appear to be Word .doc documents, but are actually XML files - this is an attempt to avoid detection and sandbox environments. (Menlo Security)

  • April 2019: Password-protected zipped file spammed to deliver Powload and Emotet (Trend Micro)

  • April 2019: Emotet hijacks email conversation threads to insert links to malware (ZDNet)

  • April 2019: Hacked Uniden Commercial Site Serves Emotet Trojan (Bleeping Computer)

  • April 2019: Emotet uses compromised connected devices as proxy command-and-control servers and employs random URI directory paths to evade network-based detection rules (Bleeping Computer)

  • August 2019: Emotet is active again from multiple geographic locations including the US. It is predicted that threat actors will resume the same business model of distributing Trickbot and then spreading Ryuk ransomware, dubbed the “triple threat.” (Bleeping Computer)

Technical Details

  • Securelist provides technical analysis on the Emotet trojan, available here.

  • US-CERT released joint Technical Alert TA18-201A on Emotet here.